No two state data breach notification laws are alike - and this can create a complicated landscape for privacy teams working to assess privacy incidents and remain compliant across multiple jurisdictions. Think about it: as of this article's publication date, 47 states, the District of Columbia, and three territories each have their own unique triggers, definitions, and requirements when it comes to assessing a privacy incident, determining if the incident is a data breach requiring notification, and then providing notification in a specified format to regulators and impacted individuals–and all within an increasingly specific time frame.
Then, if for some reason you are not able to follow the above process in compliance within the nuanced requirements of each state or territory, the potential penalties vary widely by state as well.
Finding Similarities–And Many Differences–in State Breach Notification Penalties
Organizations in highly regulated industries, with access to sensitive data, typically know the federal regulations that pertain to them inside and out. If you’re a privacy professional in a healthcare organization, understanding the HIPAA Data Breach Notification Rule is part of your job. Likewise for someone who deals with privacy incidents in the financial institution - you are typically well aware of requirements to notify in the event of a breach under the Gramm–Leach–Bliley Act.
But if you’re part of an organization working with sensitive data across multiple jurisdictions in the United States, staying on top of changing legislation and the requirements for compliance can be challenging. Part of that challenge is the many ways state penalties can vary from one to another. For example, in Alaska and Nebraska, civil penalties are based upon the number of residents affected, while in the majority of states and territories, the penalty may be assessed per violation, per breach, or per series of breaches.
Part of my role as senior counsel and global privacy officer at RADAR includes performing audits of state data breach notification laws. A recent project auditing the potential monetary and legal consequences of noncompliance surfaced a few examples of the many, many ways states can differ when it comes to penalties.
Below are a few major differences in how states penalize lack of compliance with breach notification laws:
- Penalty issued per violation, per series of breaches or violations, per resident, or per another manner of calculation: The penalty may be defined as a certain amount per violation, per series of breaches, or per resident. In Rhode Island, the penalties are assessed per “record,” while Oklahoma structures its penalty to explicitly allow for a “series of breaches of a similar nature, discovered in a single investigation” to be counted as one singular breach.
- Able to enforce an injunction, or not: Certain states, including Pennsylvania, South Carolina, and Tennessee, allow for the possibility of an injunction, which restrains the business from conducting business and could result in a loss of revenue in addition to fines imposed. Loss of revenue, depending upon the size of an organization, or the loss or reputation that might occur, may be even more costly to an organization than any money penalties.
- Enforcement by the attorney general or other: Attorneys general are increasingly requiring notice of a data breach impacting a certain threshold of individuals within their state. In states such as Maryland, the Attorney General is also able to enforce penalties as unfair or deceptive and pursue additional relief, including monetary fines and the possibility of an injunction (not to mention private rights of action based upon same).
- Private right of action is statutorily authorized: In a state which allows private right of action, like California, impacted individuals are able to institute a civil action to recover damages in addition to any any penalties from regulatory authorities, while other states, like Colorado, do not explicitly provide for a private right of action. Other states, like Arizona, explicitly preclude a private right of action based upon the breach law.
- Restitution explicitly allowed or not: Arkansas, Illinois, Nevada, Pennsylvania, and the District of Columbia, are the only states that give the attorney general explicit right to seek restitution.
This list of differences can go on and on – in Florida, delays in notification can increase statutory damages. The Arkansas breach statute authorizes misdemeanor charges, while the Idaho statute specifies a misdemeanor charge for government employees. The nuances of state penalties for noncompliance with data breach laws can have very real impacts on a privacy team already spread thin dealing with a data breach.
Tips for Privacy Professionals Dealing with Noncompliance Issues Across Multiple Jurisdictions
How can privacy teams stay abreast of the intricacies of ever-changing state breach notification laws, and stay compliant with the jurisdictional requirements? If you're a current RADAR user, you have access to the RADAR Law Overviews, which provide detailed and always up-to-date summaries of data breach laws across state and federal jurisdictions. This information is critical in providing the decision support guidance and incident assessment results when you enter an incident into the RADAR Breach Guidance Engine™.
If you do not have a way to automate your incident risk assessments in this way, here’s a good way to begin covering your bases when it comes to staying compliant with constantly changing regulations:
1. Continuously track pending and proposed legislation.
As of this article’s publication date, the RADAR regulatory team is actively tracking over 25 state bills and proposed regulations that, if passed or put into effect, could amend or impact breach notification obligations. Keeping on top of the movement of these proposed regulations requires frequent research and continuous monitoring, but it also allows our team to stay on top of the pending changes and prepare for an effective date, should it be signed into law.
2. Maintain a “cheat sheet” of each state’s specific triggers, definitions of breach and protected health information, notification requirements and penalties.
For example, within the RADAR application, we maintain law overviews for federal, state, and international privacy laws that include summaries for each jurisdiction, including how a breach or personal information is defined, if there are exceptions, when and how to notify affected individuals, and what penalties may apply if noncompliance occurs.
3. Automate your incident response process.
Streamline assessment and give your team a head start while racing the clock to comply. Since no two incidents are alike and breach laws often change in scope, an incident response management solution brings efficiency and accuracy to incident response, cutting down the time required for regulatory research and reducing the risk of missing pertinent information in the process.