Who Do You Need to Notify of a Data Breach?

Privacy Patchwork. Associations Now, November/December 2018 Issue. By: Catherine D. Meyer

Every state and the District of Columbia has a data breach notification law with its own specific requirements. If your association is targeted, you’ll need to determine which ones apply to your incident.

Data breach notification laws, in all their variety, reflect the patchwork of privacy laws across the United States. All 50 states and the District of Columbia now have a breach notification law, and while the measures have common elements, each state has adopted nuances that protect its own residents.

As a practical matter, organizations—including associations—that operate on a national scale must be familiar with them all, especially since a few (Alabama, Florida, Michigan, and New Mexico) impose financial penalties for noncompliance.

Every state requires notification when an individual’s name, Social Security number, driver’s license number, or financial account number is lost in a breach. Some states include additional data categories, such as biometric data, user names and passwords, passport or immigration information, or medical information.

All states protect computerized data, but five protect information in any format, including paper and video. And while all states agree that notice should be “prompt” or “without undue delay,” some are more specific, requiring notice within 30 or 45 days of discovery of a breach.

All of these measures require written notification to everyone affected. Where contact information is lacking, or in cases where the cost of written notification or the number of people involved exceeds certain thresholds, most states allow some form of “substitute notice.” Twenty-six states allow for telephone notification, with varying degrees of script and documentation required.

Forty-nine states and the District of Columbia require that notices include certain particulars about the breach or the individual’s rights. Massachusetts strictly prohibits describing the incident to its residents, instead adopting a form detailing the rights of the people affected (a notice to the attorney general is required to describe the breach). California requires a question-and-answer format for notifications, and in a growing trend, California, Connecticut, and Delaware require credit monitoring services to be provided where Social Security numbers have been exposed.

Half of the states require notification to the state attorney general or a state agency when state residents have been affected, and 30 require that the three major consumer reporting agencies also be notified where minimum thresholds are met.

An organization that experiences a data breach must comply with the notification laws of the states where affected individuals reside. Given the patchwork of statutes, it’s wise to be aware of their varying requirements.

Catherine D. Meyer is senior counsel at Pillsbury Winthrop Shaw Pittman LLP in Los Angeles.