Increasingly, c-suite executives and board members have questions about their companies' cybersecurity practices — or lack thereof. This monthly series, "How the c-suite should talk about privacy," is intended to provide high-level answers to some of those questions, specifically focusing on the development of cybersecurity policies, incident-response plans, liability of board members and executives for data breaches and the attorney-client privilege for cybersecurity investigations. Part four explained how the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity could help companies to protect themselves from legal risk.

This installment looks at what to do if your company has had a data breach: Whom must you notify?

So far, this series has discussed precautions that companies should take to prevent data breaches and other cybersecurity incidents. Unfortunately, even companies that adopt industry-standard safeguards can fall victim to data breaches. 

When your company experiences a data breach, you likely will have a number of priorities, chief among them preventing further intrusions into your system and minimizing the damage to your company, customers, and employees. However, from a legal perspective, you need to immediately begin assessing your obligations to notify consumers, regulators, and others.

Unfortunately, determining notification obligations requires a bit of legwork. That’s because 47 states and the District of Columbia have each passed their own laws that require notifications in certain circumstances (Alabama, New Mexico, and South Dakota are the only states without breach notification laws). 

The task gets even trickier because each state law applies to breaches of personal information of residents of that state. So, for example, if your company is based in New York but has customers in all 50 states, then you are subject to all of the state breach-notification laws.

A number of online sources provide information about state data breach notification laws. The National Conference of State Legislatures’ website provides links to the statutes. A number of law firms have publicly released summary charts of the laws. Always keep in mind that online summaries may not be up-to-date, as state legislatures occasionally update their breach notification laws. Accordingly, no online source can substitute for research and analysis by your company’s lawyers.

The good news is that even if you have suffered a data breach, you might not be required to notify customers or regulators. The state laws only apply to breaches of specific types of “personal information.”

Most states define “personal information” to include an individual’s name in conjunction with another crucial piece of data about the individual that could be used for identity theft, such as a Social Security number, government-identification number, or full payment-card information. However, the definition of “personal information” varies by state. Among the broadest definitions is that of North Dakota, which also includes mother’s maiden name, birth dates, employee identification numbers, and other data. Some states also include login username/password combinations, medical information, and passport numbers.

Even if the data qualifies as covered “personal information” under a data breach-notification statute, every state law only applies to breaches of unencrypted personal information. In other words, encrypting all of your data can help you to avoid disclosure requirements in future breaches.

If you suffered a breach of unencrypted personal information, you still might be able to avoid notification requirements in many states. More than half of state breach-notice laws only require notice if, after an investigation, the company reasonably believes that the breach will cause loss or injury to the state’s residents. However, about a dozen states are “strict liability” states that require notice to individuals regardless of whether the company believes that a risk of harm exists.

Companies must pay careful attention to all state breach notification laws. Failure to adhere to the requirements can result in state regulatory investigations and significant fines. And about a dozen states allow customers to bring private lawsuits against companies that fail to provide the required notice.

Assuming that you are required to provide notice, you must examine the specific requirements of each state law to ensure compliance. For instance, the laws specify the form that the notices to individuals must take (i.e., email or snail mail) and how to provide notice if the necessary contact information is unavailable. A number of states also require the notices to contain specific content, such as contact information for the Federal Trade Commission and credit bureaus.

You also must ensure that the individual notice is timely. Most state laws merely state that the notice must be provided “expeditiously” or “without unreasonable delay,” but a handful of states impose specific deadlines. For instance, Florida requires notice within 30 days after a determination that the breach occurred. However, all states allow a delay if notification might impede a law enforcement investigation.

About 20 states require companies to notify state regulators if they have informed customers of a data breach, though some of these states only require regulator notice if a minimum number of individuals have been notified (typically 500 or 1,000). Most states also require companies to notify credit-reporting agencies if a minimum number of individuals have been notified of a breach.

If you’re a publicly traded company, you also must ensure that you meet the Securities and Exchange Commission’s expectations for informing shareholders of material data breaches. 

Next month’s installment will examine the SEC’s guidelines for reporting incidents as well as other cybersecurity risks.