ECPA Wire: Industry Issues

Data Breaches: It Can Happen To You

Tuesday, December 18, 2012
Posted by: Sheri Toomb

By Martin Eisenstein

You may have read about some high-profile data breaches, such as the one last month involving credit card information taken from many Barnes & Noble retail stores. Or you may have heard of the huge class action lawsuits against Sony arising from its handling of a 2011 incident in which hackers broke into the Sony PlayStation Network and gained access to names, addresses, user names, passwords, and other personal information from about 77 million user accounts. And you may have read about the breach involving Epsilon, a company that manages e-mail communications for financial companies and for online and other retailers. While these are the high-profile data breaches involving large corporations, recent studies have shown that data breaches can happen to any company.

This article is designed to correct some of the myths regarding data breaches. We address ten basic misunderstandings regarding data breaches.

Myth 1: There is no law that requires action in the event of a data breach.

Fact 1: There is no general federal law (aside from laws governing specialized industries such as banking and health care) that requires a response. However, 46 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands require that certain actions be taken in the event of a data breach involving personal information, and each of these laws is different.

Myth 2: My company only needs to comply with the data breach laws of the states in which my company has an office or other physical presence.

Fact 2: A company that does business as a catalog or online retailer is subject to the data breach laws not only of the states in which it has a physical presence but also of the states in which it has customers. The sales tax nexus standard, which requires a physical presence in a state, does not control the reach of state laws such as data breach, privacy, and other consumer protection laws.

Myth 3: I need only look at one state’s laws if there has been a data breach.

Fact 3: In the unfortunate event of a data breach, you need to follow the laws of each state where the affected persons reside, and not just the law where their information is maintained or the breach has occurred.

Myth 4: My company can have a uniform response to a data breach.

Fact 4: State laws require notification of affected consumers and state agencies in the event of a breach. Some also require notification of the credit reporting agencies. The laws are not uniform as to what constitutes a data breach, which government agencies must be notified, which credit reporting agencies, if any, must be contacted, and what the notice to individuals whose information was compromised must contain. For example, the requirements of Massachusetts law differ significantly from those of New York law. In fact, giving Massachusetts consumers the notice that New York law requires would violate the Massachusetts law, because the Massachusetts statute restricts what the notice may say (it may not describe the nature of the breach or the number of residents affected) while New York requires a description of the data elements involved.

Myth 5: My company is not required to have a data breach response plan in the event of a data breach.

Fact 5: If the company makes sales to residents of Massachusetts, then the company must have a written plan disclosing how it intends to respond to data breaches. This is part of the so-called WISP (written information security program) required by the Massachusetts data security regulations that took effect in 2010. Moreover, a data breach response plan can provide a critical defense to class action lawsuits claiming that your company failed in its duty to protect customers against harm resulting from data breaches.

Myth 6: My company can play it by ear when there is a data breach, so it is of little value to plan.

Fact 6: A company must and should tailor its response to a data breach to the facts and circumstances of the breach, so there will always be a need "to call audibles at the line of scrimmage." However, data breaches are dynamic events that require immediate, consistent action to: investigate what happened, determine the appropriate steps to stop the security breach, shape the correspondence with individuals whose information was compromised, and decide on notification of the appropriate federal and state authorities. Most of these actions require approval at the highest levels of a business. There needs to be a signal caller for the plays, working from a play book developed before the game and before the play takes place.

Myth 7: There is no requirement that my company respond quickly to a data breach, and we certainly do not want our actions to take away from our company's efforts to operate the business.

Fact 7: Most state laws do not set a fixed period of time within which to respond to a data breach, although a few set an outer deadline measured in days, and many require a prompt response. Every day of delay in a serious data breach increases the potential for real damage to the persons whose information has been compromised. Sony has frequently been criticized, and has been hit with a number of class action lawsuits, because of the one-week delay in notifying the appropriate federal and state officials and the users whose information was compromised. A data breach response plan permits a company to continue to operate its business during a data breach, yet take the necessary action in as short a time as possible under the circumstances. Finally, many state laws require notice to consumers before a data breach has been confirmed, where there is a reasonable likelihood that a breach occurred. As a result, waiting until a full investigation has been completed can violate applicable laws.

Myth 8: The data breach does not affect credit card numbers. Therefore, there is no required response.

Fact 8: Each of the data breach laws requires notification of consumers and state agencies if the information compromised is personal information, which is generally defined as a combination of a name and a data element. That data element may be a credit card number, but it may also be a social security number, driver's license number, bank account number, or other state-issued identification number. In addition, data breach notification requirements can be triggered even if the data involved was encrypted: not every state's law provides a safe harbor for encrypted information, and the safe harbors that do exist are generally lost if the encryption key was compromised along with the data.

Myth 9: The information was compromised when possessed by a third party, so my company need not make any notification to our customers.

Fact 9: The state data breach notification laws generally apply to any company that stores or maintains personal information or owns or licenses the personal information of an individual. Thus, if a retailer submits personal information to a third party for processing (e.g., to a company that performs a merge/purge or sends e-mails), the retailer still has a duty to notify the consumers whose information was compromised. All retailers should make sure that their contracts with outside contractors contain suitable provisions addressing the confidentiality of the personal information of their customers and employees, as well as the contractor's obligation to notify the retailer promptly in the event of a breach.

Myth 10: Data breaches occur only for large companies and my company is too small to be subject to either a data breach or the required response to a data breach.

Fact 10: In a recent survey, PricewaterhouseCoopers found that 70 percent of the companies responding had experienced a data breach in the prior year. Other studies have found that data breaches are episodic events that can occur at companies of any size. None of the data breach laws contains a small business exception.


Inappropriate responses to data breaches can expose a company to significant liability and unfavorable publicity. Developing and implementing a sound data breach plan can reduce these adverse consequences.

Martin I. Eisenstein provides advice and counsel to a wide variety of clients regarding interstate and international business legal issues, including direct marketers and other multi-state businesses. These issues include tax law, commercial transactions law, financing issues, strategic liaisons and partnerships, and promotional and other trade regulation issues. He also handles litigation regarding tax and trade regulation matters, including representation of amici curiae in the U.S. Supreme Court in important cases such as Quill v. North Dakota, 504 U.S. 298 (1992). Martin has spoken before various trade groups and the Maine State Bar Association, the New York Society of Certified Public Accountants, the International Mass Retailing Association, the Committee on State Taxation, the Promotional Marketing Association and the Direct Marketing Association. He is also the author of several publications on various tax topics that have appeared in State Tax Notes and the Journal of Multistate Taxation. Martin was selected by his peers for inclusion in New England Super Lawyers® (2007 - 2012) and in The Best Lawyers in America® (2007 - 2012) in the fields of Litigation & Controversy—Tax and Tax Law, and was identified by Benchmark Litigation as a local litigation star in the field of Tax Litigation. Martin is a co-author of "Eyes on eCom Law," a blog that reports on legal developments of interest to direct marketers and online sellers. He also co-writes a blog for members of the American Catalog Mailers Association on tax and privacy issues.