Data Breaches: It Can Happen To You
Tuesday, December 18, 2012
Posted by: Sheri Toomb
By Martin Eisenstein
You may have read about some high profile data
breaches, such as the one last month involving credit card information taken
from many Barnes & Noble retail stores. Or you may have heard of the huge class action lawsuits
against Sony as a result of its handling of a 2011 incident in which hackers broke into the Sony
PlayStation Network and gained access to personal information, including names, addresses, user names,
passwords, and other personal data, from about 77 million user accounts. And you may have read about the breach involving
Epsilon, a company which manages e-mail communications for financial companies
and online and other retailers. While these are the high profile data breaches
involving large corporations, recent studies have shown that data breaches can
happen to any company.
This article is designed to correct some of the
myths regarding data breaches. We address
ten basic misunderstandings below.
Myth 1: There is no law that requires action in the event of a
Fact 1: There is no federal law (aside from
laws regarding specialized industries such as banking and health care) that
requires a response to a data breach. However, 46
states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands
require certain actions to be taken in the event of a data breach involving
personal information, and each of these laws is different.
Myth 2: My company only needs to comply with the data breach laws of the states
in which my company has an office or other physical presence.
Fact 2: A company that does business as a catalog or online retailer is subject
to the data breach laws not only of the states in which it has a physical presence
but also of the states in which it has customers. The sales tax nexus standard, which requires a physical presence
in a state, does not control for state laws such as data breach, privacy,
and other consumer protection laws.
Myth 3: I need only look at one state’s laws if there has been a data breach.
Fact 3: In the unfortunate event of a data breach, you need to follow the laws
of each state where the affected persons reside, not just the law of the state where
their information is maintained or where the breach occurred.
Myth 4: My company can have a uniform response to a data breach.
Fact 4: State laws require notification of affected consumers and state
agencies in the event of a breach. Some also require notification of credit
reporting agencies. The laws are not uniform with regard to what constitutes a
data breach, which government agencies must be notified, which credit reporting
agencies, if any, must be contacted, and the contents of the notice to
individuals whose information was compromised. For example, the requirements of Massachusetts law differ
significantly from those of New York law: Massachusetts requires that the notice to consumers not describe
the nature of the breach, whereas New York requires the notice to describe the categories of information
involved. In fact, giving Massachusetts consumers the notice that is required under New
York law would violate Massachusetts law.
Myth 5: My company is not required to have a data breach response plan in the
event of a data breach.
Fact 5: If the company makes sales to residents of Massachusetts, then the
company must have a written plan describing how it intends to respond to data breaches. This is part of the so-called WISP
(written information security program) required by the Massachusetts data security regulations (201 CMR 17.00) that took effect in 2010.
Moreover, a data breach response plan can provide a critical defense to
class action lawsuits claiming that your company failed in its duty to protect
customers against harm resulting from data breaches.
Myth 6: My company can play it by ear when there is a data breach, so there is
little value in planning.
Fact 6: A company must and should tailor its response to a data breach to the
facts and circumstances of the breach, so there is a need “to call audibles
at the line of scrimmage.”
But data breaches are dynamic events that require immediate,
consistent action to:
investigate what happened, determine the appropriate steps to stop
the security breach, shape the correspondence with individuals whose
information was compromised, and decide on notification to the appropriate
federal and state authorities.
Most of these actions require approval at the highest levels of a
business. There needs to be a signal caller running plays from a playbook
developed before the game, not while the play is under way.
Myth 7: There is no requirement that my company respond quickly to a
data breach, and we certainly do not want our response to take away from our
company’s efforts to operate the business.
Fact 7: Most state laws set no fixed deadline for responding to a data
breach, although a few do, and many of the laws require
prompt notification without unreasonable delay. And
every day of delay in a serious data breach increases the potential for
real damage to the persons whose information has been compromised. Sony has often been criticized,
and has been hit with a number of class action lawsuits, because of the one
week delay in notifying appropriate federal and state officials and the users
whose information was compromised.
A data breach response plan permits a company to continue to operate
its business during a data breach, yet take the necessary action in as
short a time as possible under the circumstances. Finally, many state laws require notice to consumers before
a data breach has been confirmed, where there is a reasonable likelihood of such a
breach. As a result, waiting until
a full investigation has been completed can violate applicable laws.
Myth 8: The data breach does not affect credit card numbers. Therefore, there is no required
Fact 8: Each of the data breach laws requires notification of consumers and state
agencies if the information compromised involves personal information, which is
generally defined as a combination of a name and a data element. That data element may be a
credit card number, but it may also be a social security number, a driver’s license
or other state-issued identification number, or a bank account number. In addition, data breach notification
requirements can be triggered even if the data involved is encrypted: the
laws of some states provide no exception for encrypted information, and even where a state
law does exempt encrypted data, that exemption generally does not apply if the encryption key
was also compromised.
Myth 9: The information was compromised when possessed by a third party, so my
company need not make any notification to our customers.
Fact 9: The state data breach notification laws generally apply to any company
that owns, licenses, stores, or maintains the personal
information of an individual. Thus, if a retailer submits personal
information to a third party for processing, for example
to a company to do a merge/purge or to send emails, the retailer still has a duty to notify
the consumers whose information was compromised. All retailers should make sure that their contracts with
outside contractors have suitable provisions addressing the confidentiality of the
personal information of their customers and employees, as well as the required
notification to the retailer in the event of a breach.
Myth 10: Data breaches occur only for large companies and my company is too small
to be subject to either a data breach or the required response to a data
Fact 10: In a recent survey, PricewaterhouseCoopers found that 70
percent of companies responding to the survey had experienced a data breach in
the prior year. Other studies have
found that data breaches are episodic and can occur at companies regardless of
size. None of the data breach laws
contains a small business exception.
Inappropriate responses to data breaches can expose
a company to significant liability and unfavorable publicity. Developing and implementing a sound
data breach plan can reduce these adverse consequences.
Martin I. Eisenstein provides
advice and counsel to a wide variety of clients regarding interstate
and international business legal issues, including direct marketers and
other multi-state businesses. These issues include tax law, commercial
transactions law, financing issues, strategic liaisons and partnerships,
and promotional and other trade regulation issues. He also handles
litigation regarding tax and trade regulation matters, including
representation of amici curiae in the U.S. Supreme Court in important
cases such as Quill v. North Dakota, 504 U.S. 298 (1992). Martin has
spoken before various trade groups and the Maine State Bar Association,
the New York Society of Certified Public Accountants, the International
Mass Retailing Association, the Committee on State Taxation, the
Promotional Marketing Association and the Direct Marketing Association.
He is also the author of several publications regarding various tax
topics that have appeared in State Tax Notes and the Journal of
Multistate Taxation. Martin was selected by his peers for inclusion in
New England Super Lawyers® (2007 - 2012) and in The Best Lawyers in
America® (2007 - 2012) in the fields of Litigation & Controversy—Tax
and Tax Law, and identified by Benchmark Litigation as a local
litigation star in the field of Tax Litigation. Martin is a co-author of
'Eyes on eCom Law,' a blog that reports on legal developments of
interest to direct marketers and online sellers. He also co-writes a
blog for members of the American Catalog Mailers Association on tax and