Data Security: What the Law Requires of IT
The Duty to Disclose Security Breaches
In addition to the legal duty to implement security measures to protect data, you are also required -- in many instances -- to disclose security breaches that do occur to the persons affected by the breach. Laws that require notification seek to provide individuals not only with a warning that their personal information has been compromised, but also an opportunity to take steps to protect themselves against the consequences of identity theft and unauthorized account access.
A total of 44 states, plus the District of Columbia, Puerto Rico, and the Virgin Islands have enacted breach notification laws as of August 2008. The key requirements, which can vary significantly from state to state, include the following:
What type of information is covered? The statutes generally apply to unencrypted sensitive personal information -- for example, information consisting of first name or initial and last name, plus one of the following: Social Security number; driver's license or other state ID number; or financial, credit card, or debit card account number. Some states cover additional data categories as well.
What triggers the duty to give notice? Generally, the statutes require notice to individuals following the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of such personal information. In some states, however, notice is not required unless there is a reasonable basis to believe that the breach will result in substantial harm or inconvenience to the individual.
Who must be notified? Notice must be given to any residents of the state whose unencrypted personal information was the subject of the breach. Some states also require notice to the attorney general, and several states require notice to the credit agencies.
When notice must be provided
Generally, persons must be notified in the most expedient time possible and without unreasonable delay; however, in most states, the time for notice may be extended to accommodate the legitimate needs of law enforcement, if notification would impede a criminal investigation, and to give the company time to take necessary measures to determine the scope of the breach and restore reasonable integrity to the system.
Form of notice
Notice may be provided in writing (such as on paper and sent by mail), in electronic form (such as by e-mail, but only in very limited circumstances), or by substitute notice (such as by publication in statewide newspapers and on the company's Web site).
When it comes to notifying individuals, the nature of the triggering event is of tantamount importance. In several states, for example, notification is required whenever there has been an unauthorized acquisition of covered electronic personal data. In other states, however, unauthorized acquisition of such data does not trigger the notification requirement unless there is a reasonable likelihood of harm to the individuals whose personal information is involved.
Taken as a group, these security breach notification laws suggest a key new addition to the law on corporate information security obligations -- one that goes well beyond the duty of a company to provide security for its information, by adding a duty to warn those who might be adversely impacted by a failure -- or a lack -- of corporate security.
Implicit in both the laws imposing a duty to provide security and those imposing a duty to notify individuals of breaches is recognition of the wide-ranging impact of a company's electronic activities, and the fact that security vulnerabilities in a company can have a significant adverse affect on a wide variety of stakeholders.