ANALYSIS

IAPP updates its US state breach notice resource

The IAPP U.S. State Breach Notification Chart summarizes all state breach notification laws.


Contributors:

Jim Dempsey

Lecturer, UC Berkeley Law; Managing Director, Cybersecurity Law Center

IAPP

The IAPP just updated its chart outlining the state data breach notification laws in the United States. Some interesting comparisons and observations emerge.

Sending notices to consumers when their personal data has been compromised in a cyber incident is probably the most familiar aspect of cybersecurity law, both to data governance professionals and consumers. In the U.S., the first state law requiring notice was enacted by California in 2002 and became effective in 2003. Alabama was last, adopting its law in 2018. Now all 50 states plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have breach notice laws. In effect, these laws constitute a nationwide rule — but with variations.

The first thing to note about state breach notice laws is their relatively narrow definition of personal information — certainly narrower than the definition of personal information in the more recent comprehensive state privacy laws. This reflects the origins of the concept of breach notification: The laws mainly arose to alert consumers that they needed to be vigilant for identity theft and financial fraud following a data breach. Therefore, definitions of personal information for breach notification purposes focus on the building blocks of identity theft and financial fraud. 

The breach law with the narrowest scope may be Hawaii's Revised Statutes Chapter 487N, which defines personal information as an individual's first name or first initial and last name in combination with Social Security number, driver's license number or Hawaii identification card number, or "account number, credit or debit card number, access code, or password that would permit access to an individual's financial account." The Hawaii law is rare in covering paper records; most of the breach notice laws apply only to computerized data.

However, even the broadest breach notice laws leave a lot out. Illinois' Personal Information Protection Act, for example, covers everything in the Hawaii law plus an individual's first name or first initial and last name in combination with any medical information, health insurance information or unique biometric data, plus a user name or email address in combination with a password or security question and answer that would permit access to an online account. California's Civil Code has one of the broadest definitions, which includes all of that plus genetic data and information collected through an automated license plate recognition system.

Strictly read, even these broader definitions would not cover a breach of a person's entire search history or location history, even if linked to their real name. Geolocation is covered under the laws of Connecticut and Florida, but those seem to be the only two states that do so. The state laws do not address cookie data, IP addresses or cell phone numbers. They don’t cover browsing history, purchasing records or any of the myriad other kinds of digital data now used to track behavior and profile individuals — data that might be quite useful in phishing and social engineering attacks. The laws don’t even cover a full record of one's financial transactions or the holdings in one's retirement account, so long as the account password is not compromised.

Contrast this with the definition of personal information in the modern generation of comprehensive state privacy laws. For example, the Virginia Consumer Data Protection Act defines personal information as "any information that is linked or reasonably linkable to an identified or identifiable natural person." On the other hand, the Virginia privacy law has exemptions for 14 categories of data, including data collected by employers on their employees, and five categories of data custodian, including all non-profit organizations and all institutions of higher learning. 

The breach notice laws have few exemptions or exclusions. Like Alabama's Data Breach Notification Act, most cover any person, sole proprietorship, partnership, corporation, nonprofit or other business entity that acquires or uses covered personal information. Also, in many states, the breach notice law covers state and local government entities or, as in California, there is a separate breach notice statute for such governmental bodies. The IAPP resource focuses on laws applicable to the private sector.

All the breach notice laws include a provision specifying notification is not required if the compromised data was encrypted. Some, like Iowa's Chapter 715C, further specify that the encryption safe harbor only applies if the means of decrypting the data was not compromised. That would seem implicit in all the laws. Most also excuse notice if the information was "redacted" and some, like Maryland, exclude data "otherwise protected by another method that renders the information unreadable or unusable."

Thirty-four of the laws also require notice to the state attorney general, usually if the size of the breach crosses a certain threshold. This threshold is set at 250 in North Dakota and Oregon; 500 in California, Pennsylvania and Rhode Island; and 1,000 in many other states. About 13 states, including Connecticut and New York, require notice to the state attorney general regardless of the number of residents affected. Alaska requires notice to the attorney general only if the covered entity intends to rely on the exception from disclosure based on determining that there is not a reasonable likelihood of harm. Most state laws also require notice to the major consumer reporting agencies, although most of those laws make clear that individualized data is not to be disclosed to the CRAs.

About 30 of the laws have a harm standard, meaning notification is not required unless the breach has caused or is likely to cause harm to the individuals to whom the information relates. There is considerable variation, however, in how the harms standard is expressed. Some laws, like Arkansas', provide that state notice is not required if the covered entity determines, after a reasonable investigation, that no harm has resulted and there is "no reasonable likelihood" of harm. In a similar vein, Oregon law says notice is not required if the covered person reasonably determines that consumers are "unlikely" to suffer harm. Vermont requires notice unless the covered entity "establishes" that misuse of the data is "not reasonably possible." Louisiana says notice is not required if the covered entity determines that there is no "reasonable likelihood" of harm. 

Others, like Alabama and Idaho, flip the test and require notice only if it is determined that the breach is "reasonably likely" to cause harm. Indiana's law says notice is required if the database owner "knows, should know, or should have known" that the breach "has resulted or could result in" harm. Under the New Hampshire statute, notice is required upon a determination that misuse has occurred or is reasonably likely to occur, but if no determination can be made, then notice must be given. Hawaii refers not to the likelihood of harm but rather "risk of harm," while notice under New Mexico law hinges on whether there is "a significant risk" of identity theft or fraud. Under North Carolina law, the test is "material risk." 

Some states, like Alaska and Connecticut, refer to "harm" in general, without any qualifiers, while others require notice only in cases involving specific kinds of harm. Arizona has one of the narrowest tests, excusing compliance if the covered entity determines that the breach has not resulted or is not reasonably likely to result in "substantial economic loss." Alabama says "substantial harm," while Michigan uses the phrase "substantial loss or injury." Florida law says that notice is not required if the breach will not likely result in "identity theft or other financial harm," while the Kentucky law refers to "identity theft or fraud." Iowa law references just "financial harm," while Indiana law refers to identity deception, identity theft or fraud. Yet others, such as Colorado, Kansas and Maine, pin notice to "misuse" of the data, while Nebraska uses the phrase "use … for an unauthorized purpose." Critically, however, some states require no harm, including California, Georgia, Illinois, Massachusetts, Minnesota, North Dakota and Texas.

The multiple differences among these state laws place a burden on any covered entity that holds data about persons from more than one state. Reconciling the various formulations of the harm standard is essentially impossible, and even if one could do so, notice would be required to residents of 12 states that have no harm standard. The data elements in a record related to a customer from one state may trigger breach notification, while the same data elements in a record about another customer residing in a different state may not trigger notice. To cope with these complications, I suspect there are different approaches: Some entities confronting a breach may decide, if in doubt, to notify, while others may take the opposite approach and give notice only if clearly required. I'm sure there are different practitioners and general counsels who make differing risk assessments in deciding whether to notify or not. Factoring into that judgment: Most of the breach notice laws do not have a private right of action, but all are enforceable by state attorneys general.

There are commercial services that handle breach notification, and they presumably adopt some middle ground between harmonization and customization for entities with customers across multiple states. In the absence of a preemptive federal breach notice law, it would be useful if state attorneys general could provide some guidance on how they view the dilemma of an entity subject to multiple conflicting laws.

Bottom line: Data breach notification laws are in effect across the U.S. Though there is some overlap, there are plenty of divergences that require attention from practitioners. The IAPP's updated State Breach Notification Chart aims to help build that awareness. 

