Nearly all states have data breach laws requiring businesses holding certain types of consumer personal data to notify affected persons when there is a breach or suspected breach. As consumers are barraged seemingly on a weekly basis with news reports of yet another breach, what trends have emerged and what does it mean for affected businesses?
Two trends appear to be converging: first, states are amending their laws to bring ever-broader categories of data within the sweep of these laws. As a general matter, most states only require notification when there has been a breach of certain unencrypted “personal data” in combination with a consumer’s first name/last name (or first initial/last name), where “personal data” is defined to mean clearly sensitive items such as credit card numbers or social security numbers. However, so far in 2015, two states, Nevada and Wyoming, have followed the lead of California and North Carolina in making a breach of a consumer’s email address plus password, when combined with the consumer’s first name/last name (or first initial/last name), covered under their breach notification statutes. Other notable expansions in the laws are the inclusion by Nevada of an “electronic signature” and “name or date of birth (or address), in combination with other information that would increase [the likelihood of identity theft],” and Wyoming’s addition of “shared secrets…known to be used for data-based authentication” and “medical information…including mental or physical condition.” These additions are slowly but surely moving the goalposts for breach notifications from relatively unusual data sets to include data held in the ordinary course of business activities by the majority of businesses.
The second trend, which has not fully come to fruition yet, is the continued effort of the plaintiffs’ bar to allege injury to data breach victims sufficient to survive defendants’ motions to dismiss for lack of standing or lack of monetary harm. While the courts have not been bending over backwards to assist the plaintiffs in their attempts to recover in class actions, the odd case has made it past summary judgment, especially where there was an actual breach and plaintiffs had out-of-pocket damages as a result.
The result of these trends is that businesses holding all sorts of consumer personal data can increasingly expect to fall within the scope of these state breach notification laws when their data has not been encrypted. Even the best defenses can be penetrated, so businesses should have a well-considered breach response plan ready for use in the event of a data breach (including, of course, ensuring that all of the affected consumers’ expenses in obtaining identity protection products are paid by the company). Culhane Meadows’ Data Privacy & Security team is ready to assist you in taking the critical front-end steps that can make all the difference in these situations.
Author Kim Verska is a Certified Information Privacy Professional (US) through the International Association of Privacy Professionals and a Partner in Culhane Meadows’ Atlanta office. She is a frequent speaker regarding evolving legal issues for the technology industry and other businesses and can be reached at firstname.lastname@example.org