In today’s blog, we’ll continue to take a look at what constitutes a “data breach” and what your obligations are under the applicable law.
If someone breaks through a locked office door and steals a server or a stack of closing files, most would agree such an event probably would meet the definition of a data breach, when non-public personal information (NPI) is accessed via fraudulent means. However, has a breach occurred if you lose a phone or laptop? Believe it or not, these latter two events happen far more often than the “break-in-and-steal” events. Does the law require you to issue a data breach notification when you misplace your phone or laptop? Does it make any difference if the phone required a passcode or if the laptop was encrypted?
Frustratingly, “it depends.” That’s because your obligations are almost never governed solely by the law of a single state. In many cases, your obligations also may be determined by various federal laws. Your ultimate obligations only can be determined after a careful appraisal of (1) the laws in the state where you reside, (2) the laws in the states where each of your affected customers live, and (3) depending on your type of business, the federal laws and regulations such as those imposed by the Gramm-Leach-Bliley Act (GLBA) and regulated by the Consumer Financial Protection Bureau (CFPB) and Federal Trade Commission (FTC).
Remarkably, the same event (lost phone/laptop, hacking attempt, etc.) may be deemed a data breach in some states, but not in others. Therefore, knowing which law applies is a critical first step in determining your obligations, as one type of event can result in different obligations depending on the state in which it occurred.
Which state laws may apply
In 2014, the Clausen Miller, PC, law firm compiled a list of individual state data breach laws. Another law firm, Baker Hostetler, also has published a state-by-state data breach law listing in a slightly different format. These online compilations can be excellent resources, but care must be taken to verify the cited statutes have not been recently modified. These resources provide valuable insight into state-mandated procedures and customer notification obligations that can be imposed in the event of an NPI-related incident.
As you assess these state law compilations, you will find that most states have specific, and often similar, definitions of what constitutes a data breach. A recent article indicated that until recently, 41 states agreed that the loss or unauthorized access of a device containing encrypted data would not constitute a data breach, and therefore no customer notifications would be required. This commonly is referred to as an “encrypted data safe harbor” statute.
As a result, at the state level, there is widespread consensus that encryption of your devices is the best available preventive tool, and implementing that process should be sufficient to eliminate the need for customer notification obligations. However, at least one state recently has eliminated this well-established safe harbor. As of July 1, 2016, Tennessee amended T. C. A. § 47-18-2101, et seq. This recent amendment provides that customer notification obligations are triggered when a Tennessean’s NPI is lost or improperly accessed, even if the compromised data was encrypted. While Tennessee may be the first state to eliminate the “encrypted data safe harbor,” as we will discuss later, federal laws and regulations have never reduced your obligations just because the device containing your data was encrypted.
Of equal significance, this Tennessee amendment also changes the definition of “unauthorized person” in a way that varies significantly from most other states. According to the newly amended Tennessee law, the term “unauthorized person” now includes “an employee of the information holder who is discovered by the information holder to have obtained personal information and intentionally used it for an unlawful purpose.” As such, a data breach under Tennessee law will have occurred, and customer notification obligations are triggered, if someone inside your firm accesses customer NPI for “unlawful” purposes. The significance of these changes is further discussed in an excellent blog by Baker Hostetler entitled, “Tennessee Revamps Its State Data Breach Notification Statute.”
As a result, determining the applicable state law requirements entails initial analysis of your state’s laws, immediately followed by an analysis of your customers’ states of residence. Once a customer’s residence is established, you will need to read and follow the state law associated with that residence. For an active title agency, handling transactions for buyers and sellers nationwide, this approach may force you to read and comply with dozens of state laws.
Consider whether you are exempt in particular state statutes
In reading those applicable state laws, you need to check for any provision that exempts your company from compliance with the specifics of that particular state law. For example, some states, like Tennessee, provide that the statute defining the notice obligations “does not apply to any person or entity subject to Title V of the Gramm-Leach-Bliley Act of 1999.” If you run a shoe repair company or other entity not governed by GLBA, this provision would not have any impact on your state-mandated obligations. However, if you are a title and/or settlement agency, which GLBA defines as a “financial institution,” this type of provision may exempt you from the specific customer notification obligations requirement under state laws that contain such a provision. In that case, a title/settlement agency then must look at the federal laws and regulations to determine what course of action to employ.
Obligations arising under federal laws and regulations
There is a clear argument that title and settlement agencies always are covered by the obligations imposed under various federal laws. GLBA, codified at 15 U.S.C. § 6801 et seq., is an all-encompassing piece of federal legislation passed in 1999 that imposes strict obligations on financial institutions to protect the NPI of their customers and consumers. By definition, title and settlement agents are deemed to be financial institutions and therefore subject to those same obligations and penalties for breach thereof. Additionally, Section 5 of the FTC Act, 15 U.S.C. § 45, grants the FTC power to investigate and prevent deceptive trade practices and deems it the primary government enforcement agency with powers to impose penalties for financial institution data breaches. For that reason, the federal definition of a data breach must be considered.
The FTC defines a data breach as “any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business.” GLBA has a similar, but slightly different, definition: “Any unauthorized disclosure of personally identifiable financial information that was given by a consumer to a financial institution resulting from any transaction with the consumer or any service performed for the consumer or otherwise obtained by the financial institution.” Note that neither of these definitions provides any safe harbor for the loss of data that has been encrypted. So, if you determine that your customer notification obligations are governed by adherence to federal laws, although encryption is highly recommended as a defense to unauthorized access, it will not lessen your notification obligations if a device is lost, stolen, or compromised.
Window for compliance once a breach occurs
Once you have determined which law(s) apply, you then have the obligation to dig deeper and identify the specific steps you must take. It is recommended that you have access to the laws that apply to your organization to expedite your ability to react timely. Failing to act within the specific time frame could subject you to significant fines and penalties. While most statutes describe the time frames for your next actions in general terms, such as “without reasonable delay,” other states have specific timing deadlines to which you must adhere. Tennessee, Ohio, Rhode Island, Vermont, Washington, and Wisconsin require that notices be given in 45 days. Other states require even shorter deadlines (Florida’s is 30 days), while Connecticut currently has a 90-day deadline. This may seem like a workable time period, but there are numerous actions that must be taken within this period, and acting promptly will minimize your eventual financial and reputational losses.
Do you find all this overwhelmingly confusing? While a complicated subject, it is essential to understand to prepare yourself for the possibility of a data breach. Hopefully, by realizing the complexity inherent in developing a post-breach plan of action, you will be even more focused on the importance of taking every step necessary to avoid a data breach event.
In case you missed the earlier blog on this topic, I once again urge you to read a helpful article entitled, “Data Breach Experts Share the Most Important Next Step You Should Take After a Data Breach in 2014 – 2015 & Beyond,” updated as of May 18, 2016. This article provides insight from 30 data security experts who were asked the same question, “What is the first step you need to take in the event a breach occurs?” Each expert consistently advises you to react immediately by taking a set of steps as required under applicable state and federal regulations.