The term “Data Security” has become increasingly common across industries and news cycles. It seems as though every week a significant data breach occurs in which customer and/or company information is improperly exposed or accessed. The United States does not have a national law that explicitly sets Federal data security standards regardless of industry classification. Certainly, some laws exist for particular industries, such as those governing financial data or healthcare data. However, customers and vendors alike seek assurances that their confidential information is properly stored and secured. Consequently, such sought-after assurances have resulted in various legislative enactments on a State-by-State basis. Unfortunately, each State varies in its approach and in what constitutes proper handling of sensitive data. 

By way of illustration, the following two examples demonstrate a stark contrast between two States’ respective Data Breach Notification laws. 

Arkansas (Ark. Code § 4‐110‐103 et seq.)

Categories of covered personal information: First name or first initial and last name in combination with one or more of the following: (1) Social Security number; (2) driver’s license or state ID number; (3) financial account number, credit card number or debit card number in combination with any code or password necessary to access financial account; or (4) medical information. 

Exceptions to notice requirement: (1) If personal information is encrypted or redacted; (2) if after a reasonable investigation the company determines there is not a “reasonable likelihood of harm” to customers; (3) if the business “is regulated by a state or federal law that provides greater protection to personal information and at least as thorough disclosure requirements for breaches of the security of personal information than that provided” under the Arkansas breach notice law; or (4) if the business “maintains its own notification procedures as part of an information security policy” and is otherwise consistent with the law’s timing requirements, provided that the company follows its internal policies. 

Timing of notice to individuals: Individual notice must be made “in the most expedient time and manner possible and without unreasonable delay,” consistent with the needs of law enforcement and to determine the scope of the breach and restore system integrity. 

Requirements for notice to individual (form and content): (1) Written notice; (2) email notice; or (3) substitute notice if the cost of notifying would exceed $250,000, the “affected class of persons to be notified” is greater than 500,000, or the company does not have sufficient contact information. Substitute notice consists of email notice when an address is available, conspicuous posting of the notice on the company’s website, and notification by statewide media. 

Notice to state regulators or consumer reporting agencies/credit bureaus: Not required.

New Mexico H.B. 15 (2017)

Categories of covered personal information: First name or first initial and last name in combination with one or more of the following: (1) Social Security number; (2) driver’s license or government ID number; (3) financial account number, credit card number, or debit card number in combination with any code or password necessary to access financial account; or (4) biometric data. 

Exceptions to notice requirement: (1) If personal information is encrypted or redacted, provided that the encryption key was not acquired; (2) if “after an appropriate investigation,” the company “determines that the security breach does not give rise to a significant risk of identity theft or fraud;” or (3) if the business follows “its own notice procedures as part of an information security policy for the treatment of personal identifying information” and those procedures are consistent with the New Mexico statute’s timing requirements. 

Timing of notice to individuals: Within 45 calendar days of discovering the breach, and in “the most expedient time possible,” unless a delay is necessary to “determine the scope of the security breach and restore the integrity, security and confidentiality of the data system” or is requested by law enforcement. 

Requirements for notice to individual (form and content): (1) Written notice; (2) email notice; or (3) substitute notice if the cost of notifying would exceed $100,000, more than 50,000 residents of New Mexico would have to be notified, or the company does not have sufficient contact information. Substitute notice consists of email notice when an address is available, conspicuous posting of the notice on the company’s website, and notification to statewide media and the state Attorney General. 

Notice must include: The company’s contact information; Categories of personal information suspected to have been breached; Date of the breach; A “general description” of the breach; Toll‐free phone numbers for the credit bureaus; “advice that directs the recipient to review personal account statements and credit reports, as applicable, to detect errors resulting from the security breach” and Advice about the individual’s rights under the federal Fair Credit Reporting Act.

Notice to state regulators or consumer reporting agencies/credit bureaus: If a single data breach results in notice to more than 1,000 New Mexico residents, the company must notify the state Attorney General and major credit bureaus within 45 days, unless a delay is permitted. The notification must include the number of notified New Mexico residents and a copy of the notice to individuals.

Let us note the stark contrasts between the two examples. First, in New Mexico, an individual’s biometric data is considered “Personal Information,” whereas Arkansas’s definition does not include it (Arkansas, conversely, covers medical information, which New Mexico’s definition omits). Moreover, in New Mexico, notice must be given within 45 calendar days of discovering the breach. This is contrasted with Arkansas’s “without unreasonable delay” requirement, which sets no fixed deadline. Lastly, in the event of a data breach affecting more than 1,000 New Mexico residents, companies are required to notify the State Attorney General and the major consumer reporting agencies. In Arkansas, however, no such notice is required in the event of a data breach. 

The above are only a few examples of the contrasts between two States’ data breach notification laws. However, as businesses integrate cybersecurity practices into their day-to-day operations, such differences should be properly evaluated, particularly by businesses whose customers reside in more than one State. 

At KC & Associates, we are well versed in relevant (and upcoming) cybersecurity legislation and can ensure your company understands its obligations in the event of a data breach. Moreover, KC & Associates can assist you and your organization with integrating the appropriate cybersecurity measures to minimize the likelihood of a data breach, in addition to developing a comprehensive response plan. 

Contact us today for a no cost consultation.