Breach Blankets: Statutes in NY, NJ, CT Prescribe Notification Rules for Data Breaches
Survey of Data Breach Notification Statutes
By James Westerlind, Arent Fox LLP
INTRODUCTION
Connecticut, the District of Columbia, Florida, New Jersey, New York, and Pennsylvania have enacted data breach notification statutes which apply to any business (including any insurance company or insurance producer) that acquires, owns or licenses computerized data that includes personal information of individuals who reside within the state. Personal information is typically defined to include the resident's name (e.g., first name or first initial and last name) in combination with any one or more of the following non-public data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: (1) social security number; (2) driver's license number or state identification number; and (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account.
A data breach is typically defined as the unauthorized acquisition, or reasonable belief of unauthorized acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the entity. Most statutes exclude from the definition of data breach data that: (1) was encrypted or substantially redacted; (2) is already publicly available through lawful means; or (3) was improperly acquired in good faith by an employee or agent of the entity for legitimate purposes and is not otherwise used or subject to further unauthorized disclosure.
The statutes generally require notification to be provided to those individuals residing within the state whose personal information has been, or may have been, compromised. In addition, some states require notice to be provided to the Attorney General of the state, other state agencies (including, in many instances, law enforcement), or credit reporting agencies (or all of these institutions), depending on the number of residents within the state to whom notice must be sent. Notice typically must be sent in the most expeditious time possible and without unreasonable delay, and may only be delayed in some jurisdictions if law enforcement determines that notice should be delayed for purposes of its investigation of the matter, or if necessary to determine the scope of the data breach and to regain the integrity of the system.
Generally, notice must be provided in one of the following ways: (1) in writing; (2) electronically (subject to certain specific rules that vary by state); (3) by telephone;[1] or (4) by substitute notice. Substitute notice is usually permitted only if the entity demonstrates that the cost of providing notice through the other permissible manners would exceed a certain dollar threshold (which amount varies by jurisdiction), or that the affected class of subject individuals to be notified exceeds a certain number (which number also varies by jurisdiction), or the entity does not have sufficient contact information. If substitute notice is permitted, it typically must be sent in all of the following manners: (a) email, if the entity has an email address for the resident; (b) conspicuously posting the disclosure on the website of the entity, if the entity maintains a website; and (c) providing a notice to major statewide media.
Many jurisdictions do not specify what the notice must say to affected residents or regulators (e.g., Connecticut, District of Columbia, and New Jersey). Those jurisdictions that do specify the contents of the notice generally require it to provide: (1) a description of the categories of information that were, or are reasonably believed to have been, acquired by an unauthorized person, including which of the elements of personal information were, or are reasonably believed to have been, acquired; and (2) contact information for the entity making the notification. See N.Y. Gen. Bus. Law § 899-aa(7). Florida, for example, also requires that specific notice be provided to the Florida Department of Legal Affairs, which must include: (1) a synopsis of the events surrounding the breach at the time notice is provided; (2) the number of individuals in the state who were, or potentially have been, affected by the breach; (3) any services related to the breach being offered or scheduled to be offered, without charge, by the entity to affected individuals; (4) a copy of the notice to be provided to state residents; and (5) the name, address, telephone number, and email address of the employee or agent of the entity from whom additional information may be obtained about the breach. See Fla. Stat. § 501.171(4)(e).
Most state breach notification statutes are enforceable only by the Attorney General, and most impose specific statutory penalties for violations.
The state-by-state survey below covers Connecticut, New Jersey, New York, and Pennsylvania. None of the statutes that are the subject of this survey have industry-specific requirements.
CONNECTICUT
STATUTE: Conn. Gen. Stat. § 36a-701b,[2] 2015 S.B. 949, Public Act 15-142.[3]
WHO MUST COMPLY?
Under § 36a-701b(b)(1), any person who conducts business in Connecticut, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data that includes personal information must comply.
WHAT DATA IS COVERED?
Under § 36a-701b(a), personal information is covered. Personal information means an individual's name in combination with any one or more of the following data:
- social security number;
- driver's license number or state identification card number; or
- account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account.
WHAT CONSTITUTES A DATA BREACH?
Under § 36a-701b(a), a data breach means unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other methods or technology that renders the personal information unreadable or unusable.
WHO MUST BE NOTIFIED?
Under § 36a-701b(b)(1), any resident of Connecticut whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person through such breach of security must be notified.
Under § 36a-701b(b)(2), the Attorney General must be notified.
Under § 36a-701b(c), a person that maintains such computerized data on behalf of another must notify the owner or licensee of the information of any breach of security of the data.
WHEN MUST NOTICE BE SENT?
Under § 36a-701b(b)(1), notice shall be made without unreasonable delay, subject to the provisions of subsection (d) of this section and the completion of an investigation by such person to determine the nature and scope of the incident, to identify the individuals affected, or to restore the reasonable integrity of the data system. As amended by Public Act 15-142, the statute also sets an outer limit: notice must be made not later than ninety days after discovery of the breach, unless a shorter time is required under federal law.
IN WHAT FORM AND MANNER MUST NOTICE BE SENT?
Under § 36a-701b(e), notice may be provided by one of the following methods:
- written notice;
- telephone notice;
- electronic notice, provided such notice is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001; or
- substitute notice, provided such person demonstrates that the cost of providing notice in accordance with subdivision (1), (2) or (3) of this subsection would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000 persons, or that the person does not have sufficient contact information.
Substitute notice shall consist of the following:
- electronic mail notice when the person has an electronic mail address of the affected persons;
- conspicuous posting of the notice on the web site [sic] of the person if the person maintains one; and
- notification to major state-wide media, including newspapers, radio and television.
WHAT MUST THE NOTICE SAY?
No specific requirements. The notice must simply carry out its purpose of notifying affected individuals of the breach.
ARE THERE ANY EXEMPTIONS?
Under § 36a-701b(d), any notification required by this section shall be delayed for a reasonable period of time if a law enforcement agency determines that the notification will impede a criminal investigation and such law enforcement agency has made a request that the notification be delayed. Any such delayed notification shall be made after such law enforcement agency determines that notification will not compromise the criminal investigation and so notifies the person of such determination.
WHO MAY ENFORCE AND WHAT PENALTIES MAY BE IMPOSED?
The Attorney General may investigate any violation of this section. If the Attorney General finds that a person has violated or is violating any provision of this section, the Attorney General may bring a civil action in the Superior Court for the Judicial District of Hartford under this section in the name of the State against such person. Nothing in this section shall be construed to create a private right of action.
ARE THERE ANY INDUSTRY-SPECIFIC REQUIREMENTS?
None.
NEW JERSEY
STATUTE: N.J. Stat. §§ 56:8-161, 163.[4]
WHO MUST COMPLY?
Any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information of residents of the State, even if done on behalf of another business or public entity. N.J. Stat. § 56:8-161.
WHAT DATA IS COVERED?
An individual's first name or first initial and last name linked with any one or more of the following data elements: (1) social security number; (2) driver's license number or State identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data. N.J. Stat. § 56:8-161.
WHAT CONSTITUTES A DATA BREACH?
The unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable. Good faith acquisition of personal information by an employee or agent of the business for a legitimate business purpose is not a breach of security, provided that the personal information is not used for a purpose unrelated to the business or subject to further unauthorized disclosure. N.J. Stat. § 56:8-161.
The statute does not apply if the data subject to the breach is encrypted or has been secured by any other method or technology that renders the personal information unreadable or unusable. The statute does not define encryption.
WHO MUST BE NOTIFIED?
Any customer who is a resident of New Jersey whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person. N.J. Stat. § 56:8-163(a).
If the breach affects a person that maintains or stores covered information, that person must notify the owner or licensee of that information, who shall notify its New Jersey customers. N.J. Stat. § 56:8-163(b).
The Division of State Police in the Department of Law and Public Safety must also be notified before the business or public entity discloses the breach to the customer. N.J. Stat. § 56:8-163(c).
In the event that a business or public entity discovers circumstances requiring notification pursuant to this section of more than 1,000 persons at one time, the business or public entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile or maintain files on consumers on a nationwide basis, as defined by subsection (p) of section 603 of the federal Fair Credit Reporting Act (15 U.S.C. § 1681a), of the timing, distribution and content of the notices. N.J. Stat. § 56:8-163(f).
Disclosure of a breach of security to a customer shall not be required under the statute if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years. N.J. Stat. § 56:8-163(a).
WHEN MUST NOTICE BE SENT?
The disclosure to a customer shall be made in the most expedient time possible and without unreasonable delay, following discovery or notification of the breach, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. N.J. Stat. § 56:8-163(a).
IN WHAT FORM AND MANNER MUST NOTICE BE SENT?
Notice must be provided by one of the following methods:
- written notice;
- electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in § 101 of the federal Electronic Signatures in Global and National Commerce Act (15 U.S.C. § 7001); or
- substitute notice, if the business or public entity demonstrates that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or the business or public entity does not have sufficient contact information.
Substitute notice shall consist of all of the following:
- email notice when the business or public entity has an email address;
- conspicuous posting of the notice on the Internet website page of the business or public entity, if the business or public entity maintains one; and
- notification to major statewide media. N.J. Stat. § 56:8-163(d).
WHAT MUST THE NOTICE SAY?
The statute does not address the contents of the notification.
ARE THERE ANY EXEMPTIONS?
A business or public entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information, and is otherwise consistent with the requirements of the statute, shall be deemed to be in compliance with the notification requirements of the statute if the business or public entity notifies subject customers in accordance with its policies in the event of a breach of security of the system. N.J. Stat. § 56:8-163(e).
WHO MAY ENFORCE AND WHAT PENALTIES MAY BE IMPOSED?
The statute does not address who may enforce.
ARE THERE ANY INDUSTRY-SPECIFIC REQUIREMENTS?
None.
NEW YORK
STATUTE: N.Y. Gen. Bus. Law § 899-aa,[5] N.Y. State Tech. Law § 208.[6]
WHO MUST COMPLY?
Any person or business which conducts business in New York State, and which owns, licenses, or maintains computerized data which includes private information. In addition, any person or business which maintains computerized data which includes private information that such person or business does not own. N.Y. Gen. Bus. Law §§ 899-aa(2), (3).
WHAT DATA IS COVERED?
Any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired:
- social security number;
- driver's license number or non-driver identification card number; or
- account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.
Private information does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records. N.Y. Gen. Bus. Law §§ 899-aa(1)(a), (b).
The statute does not apply if the data subject to the breach is encrypted. The statute does not define encryption. N.Y. Gen. Bus. Law § 899-aa(1)(b). This exception does not apply if the encryption is compromised, i.e., if the encryption key has also been acquired. In practice, the encryption safe harbor therefore depends on key management as much as on the cipher: data encrypted with a key that was stored on, or reachable from, the same compromised system is treated as if it were unencrypted.
WHAT CONSTITUTES A DATA BREACH?
The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure. N.Y. Gen. Bus. Law § 899-aa(1)(c).
WHO MUST BE NOTIFIED?
If the breach affects a person that maintains or stores covered information, that person must notify the owner or licensee of that information. N.Y. Gen. Bus. Law § 899-aa(3).
Affected persons must be notified, as well as the State Attorney General, the Department of State and the Division of State Police as to the timing and distribution of the notices, and approximate number of affected persons.
In the event that more than 5,000 New York residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices, and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents. N.Y. Gen. Bus. Law §§ 899-aa(8)(a), (b).
WHEN MUST NOTICE BE SENT?
Notice must be made in the most expedient time possible and without unreasonable delay following discovery, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system. N.Y. Gen. Bus. Law §§ 899-aa(2), (3).
IN WHAT FORM AND MANNER MUST NOTICE BE SENT?
Notice shall be provided by one of the following methods:
- written notice;
- electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting notice in such form as a condition of establishing any business relationship or engaging in any transaction;
- telephone notification, provided that a log of each such notification is kept by the person or business who notifies affected persons; or
- substitute notice, if a business demonstrates to the State Attorney General that the cost of providing notice would exceed $250,000, or that the affected class of subject persons to be notified exceeds 500,000, or such business does not have sufficient contact information.
Substitute notice shall consist of all of the following: (1) email notice when such business has an email address for the subject persons; (2) conspicuous posting of the notice on such business website page, if such business maintains one; and (3) notification to major statewide media. N.Y. Gen. Bus. Law § 899-aa(5).
WHAT MUST THE NOTICE SAY?
Such notice shall include contact information for the person or business making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired. N.Y. Gen. Bus. Law § 899-aa(7).
ARE THERE ANY EXEMPTIONS?
The statute does not address any exemptions.
WHO MAY ENFORCE AND WHAT PENALTIES MAY BE IMPOSED?
The Attorney General may enforce the statute by bringing an action to enjoin violations and to obtain damages. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules, and the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this article, if notification was not provided to such person pursuant to this article, including consequential financial losses. Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of $5,000 or up to $10 per instance of failed notification, provided that the latter amount shall not exceed $150,000. N.Y. Gen. Bus. Law § 899-aa(6)(a).
There is no private right of action.
New York City Administrative Code § 20-117 contains a notice statute with the same requirements in the event of a data breach. Subsection (h) allows for a fine of up to $500 for a person that violates the statute, as well as a civil penalty of $100 for each violation.
ARE THERE ANY INDUSTRY-SPECIFIC REQUIREMENTS?
None.
PENNSYLVANIA
STATUTE: 73 Pa. Stat. § 2301 et seq.[7]
WHO MUST COMPLY?
Any entity that maintains, stores or manages computerized data that includes personal information regarding a Pennsylvania resident. 73 P.S. § 2303(a), (c).
WHAT DATA IS COVERED?
Covered information includes a Pennsylvania resident's first name or first initial and last name, plus: (1) social security number; (2) driver's license or state identification card number; or (3) financial account, credit card or debit card number in combination with any required security or access code or password that would permit access to a resident's financial account. 73 P.S. § 2302.
The statute does not apply to information that is encrypted or redacted, so long as the encryption key was not accessed or acquired. 73 P.S. § 2303.
WHAT CONSTITUTES A DATA BREACH?
The unauthorized access or acquisition that materially compromises the security or confidentiality of a database of covered information and that causes, has caused, or will cause loss or injury to any resident of Pennsylvania, excluding certain good-faith acquisitions by employees or agents. 73 P.S. § 2302.
WHO MUST BE NOTIFIED?
Any resident of Pennsylvania whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. 73 P.S. § 2303(a).
A vendor that maintains, stores or manages computerized data on behalf of another entity shall provide notice to that entity of any breach of the security system following discovery by the vendor. 73 P.S. § 2303(c).
If more than 1,000 persons are notified at one time, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis must be notified, without unreasonable delay, of the timing, distribution and number of the notices. 73 P.S. § 2305.
WHEN MUST NOTICE BE SENT?
Notification must be made without unreasonable delay, taking any necessary measures to determine the scope of the breach and to reasonably restore the integrity of the system. Notification may be delayed if law enforcement determines and advises the covered entity in writing that notification will impede a criminal or civil investigation. 73 P.S. § 2303(a).
IN WHAT FORM AND MANNER MUST NOTICE BE SENT?
Notice must be provided by any of the following methods:
- written notice to the last known home address for the individual;
- telephonic notice, if the customer can be reasonably expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms and verifies personal information but does not require the customer to provide personal information, and the customer is provided with a telephone number to call or provided with an Internet website to visit for further information or assistance;
- email notice, if a prior business relationship exists and the person or entity has a valid email address for the individual; or
- substitute notice, if the entity demonstrates one of the following:
  - the cost of providing notice would exceed $100,000;
  - the affected class of subject persons to be notified exceeds 175,000; or
  - the entity does not have sufficient contact information.
Substitute notice shall consist of all of the following: (a) email notice when the entity has an email address for the subject persons; (b) conspicuous posting of the notice on the entity's Internet website if the entity maintains one; and (c) notification to major Statewide media. 73 P.S. § 2302.
WHAT MUST THE NOTICE SAY?
Notice must be clear and conspicuous, describe the incident in general terms, verify the covered information (the consumer is not required to provide the covered information to the entity), and provide a telephone number or website for further information or assistance. 73 P.S. § 2302.
ARE THERE ANY EXEMPTIONS?
Yes. An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information which is consistent with the notice requirements of the statute shall be deemed to be in compliance with the notification requirements of the statute if it notifies subject persons in accordance with its policies in the event of a breach of security of the system. 73 P.S. § 2307(a).
In addition, a financial institution that complies with the notification requirements prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with the statute. 73 P.S. § 2307(b).
Further, an entity that complies with the notification requirements or procedures pursuant to the rules, regulations, procedures or guidelines established by the entity's primary or functional federal regulator shall be in compliance with the statute. 73 P.S. § 2307(c).
WHO MAY ENFORCE AND WHAT PENALTIES MAY BE IMPOSED?
The Office of the Attorney General shall have exclusive authority to bring an action under the Unfair Trade Practices and Consumer Protection Law for a violation of this act. 73 P.S. § 2308. Private rights of action are not permitted. No other penalties are specified in the statute.
ARE THERE ANY INDUSTRY-SPECIFIC REQUIREMENTS?
None.
______________
[1] The District of Columbia does not include telephonic notice as one of the permissible methods of notification. See D.C. Code § 28-3851(2).
[2] Available at: http://law.justia.com/codes/connecticut/2012/title-36a/chapter-669/section-36a-701b.
[3] Available at: https://www.cga.ct.gov/2015/ACT/PA/2015PA-00142-R00SB-00949-PA.htm.
[4] Available at: http://lis.njleg.state.nj.us/cgi-bin/om_isapi.dll?clientID=33831296&depth=2&expandheadings=off&headingswithhits=on&infobase=statutes.nfo&softpage=TOC_Frame_Pg42.
[5] Available at: http://public.leginfo.state.ny.us/navigate.cgi.
[6] Available at: http://public.leginfo.state.ny.us/navigate.cgi.
[7] Available at: https://govt.westlaw.com/pac/index?__lrTS=20160526195352426&transitionType=Default&contextData=(sc.Default).
* * * * * * * * * * *
About the Author
James Westerlind is Counsel in Arent Fox's litigation, insurance, cybersecurity & data protection, and automotive practice groups.
He focuses on cyber risk issues, including insurance coverage and potential data breach liability for companies and their board members. James has also taken the lead in a number of appeals in the New York State Supreme Court, First and Second Judicial Departments, and the Second and Eleventh Circuits of the US Courts of Appeals.
James's practice also focuses on resolving insurance and reinsurance disputes, including insurance and reinsurance coverage issues on behalf of policyholders and carriers. He has also represented brokers, agents, and MGAs in disputes with insurance and reinsurance carriers.
James has substantial litigation experience in both state and federal trial courts within and outside of New York, representing plaintiffs and defendants in insurance and non-insurance disputes. In addition to insurance litigation, he has defended a number of prominent US companies in product liability actions. He has also defended toxic tort cases. He has first-chaired applications for emergency relief, evidentiary hearings for emergent relief, and contempt hearings. He tried a major jury trial in the Southern District of Florida, obtaining a jury verdict finding that a life insurance policy was valid and enforceable, despite the jury finding that the trust that owned the policy made material misrepresentations in the policy's application and engaged in a civil conspiracy to defraud the insurance company and engage in a stranger-originated life insurance (STOLI) scheme. He has also defended a number of well-known tire manufacturers and large domestic retailers in product liability actions commenced in New York state and federal courts by allegedly injured product users.
James has devoted a substantial portion of his time to pro bono matters, including not-for-profit public interest endeavors and family court litigation. In fact, James is a recipient of the Arent Fox Albert E. Arent Award for outstanding pro bono achievement (Fall 2013) and the Commitment to Justice Award (February 2014) from Her Justice, a nonprofit organization devoted to helping women in need. In addition, he is a member of the Insurance Law Committee of the New York City Bar Association, where he assists in shaping New York insurance law and public policy in an effort to help the public and the profession.
Prior to joining Arent Fox, James was an associate in the New York office of a large law firm.