Security breach notification laws require that when information has been compromised, those who own, collect or license personal information about a state's residents notify these individuals and sometimes other entities. But there is substantial confusion about how to comply with each state's law. Here I address three commonly held myths concerning these laws.
Myth 1: Every security breach requires notification of all consumers whose information was lost.
To the contrary, if certain conditions are met, several of the 33 state laws relax notification requirements. Many, for example, do not require notification if the lost information is encrypted or otherwise inaccessible or if the company determines that the breach is unlikely to cause harm.
Myth 2: A company must comply only with the law of the state where information was lost or where the company is incorporated.
Both the state in which information was lost and the location of a company are irrelevant. The residence of the individuals whose information was lost determines the applicable law, and each state's law applies only to its residents. If the information of residents in Ohio and Tennessee is compromised, a company must comply with Ohio law for affected Ohio residents and Tennessee law for affected Tennessee residents.
Myth 3: If I comply with the California law, I have complied with all state laws.
California's security breach notification law was the first, and perhaps the most well known, but it is not always the most stringent. There is no single state law with which you can comply to comply with all others; no state's law is the most stringent in all respects. So it is critical to comply with each state law applicable to your situation.
Some states, for example, specify the maximum period required to notify individuals (Florida has a maximum of 45 days), while others require only that notice be provided "as quickly as possible" (as in Texas). In addition to notifying residents whose personal information was compromised, some states require notification of law enforcement and consumer-reporting agencies. The New Jersey law, for example, requires notification of the state police prior to consumer notification, and several others require notification of consumer-reporting agencies if a certain number of residents are affected.
Any security breach can jeopardize an individual's identity. To avoid such breaches, consider the following: Review your company's infrastructure to ensure that stored personal information is secure, encrypt personal information that you maintain, determine ahead of time which state laws apply to your company, and develop a detailed action plan to quickly and appropriately comply with each law. These efforts take time and cost money, but your company will be in a more advantageous position if it prepares than if it takes its chances.
Next: Negotiation strategies to gain and maintain leverage.
Matt Karlyn, J.D., M.B.A., is a member of Foley & Lardner LLP's Information Technology & Outsourcing Practice Group in Boston. Write to him at email@example.com.