Data Breach Notifications: Your Obligations Will Vary from State to State

Today, unfortunately, it seems that data breaches are more of a “when it happens to your company,” and not a question of “if it happens to your company.”  And it’s a virtual certainty that your business possesses personally-identifiable information of individual residents of different states – whether customers, employees, or third parties – that could be compromised if your business suffers a data breach.  Consequently, if your company finds itself as the victim of a data breach, a swift response will likely be required – including a quick assessment of your obligations under the data breach laws of various jurisdictions.

For the first time since states began enacting their own data breach notification laws, all 50 states have now enacted some form of legislation requiring private or governmental entities to notify individuals in such states of security breaches involving their personally identifiable information.  Alabama and South Dakota, the last holdouts, enacted their own data breach notification laws to go into effect June 2018 and July 2018, respectively.

In light of this milestone, we thought it would be helpful to re-familiarize our clients and friends with a few of the common elements of state data breach notification statutes, their differences, and why companies should constantly remain vigilant as states consider measures that would amend their existing data breach laws.  Here is what you need to be aware of if you collect, process, or store personally-identifiable information about residents of various states.

State data breach laws generally affect businesses that collect personal information from consumers in a particular state; however, each state may have a slightly (or substantially) different definition of what “personal information” or “personally identifiable information” is covered by that state’s data breach laws. (Since the various state statutes employ differing terminology to describe this personal information, this article will use the term “PII” as shorthand for protected personal information that is covered by a given state’s data breach laws.)

The variations in the state data breach statutes extend not only to the definition of what constitutes PII, but can also vary in: (1) what circumstances trigger obligations to notify that a data breach has occurred; (2) parties to whom notification is required; (3) what information should be included in the notification; and (4) enforcement rights afforded to the state and to individuals affected by the data breach.  These distinctions can make multi-state notifications of a data breach difficult, especially since no “generally-applicable” data breach notification law has been enacted at the federal level.

Also, be aware that, depending on the industry in which you operate, and also the types, sources, and location of the data involved in a breach, a data breach may also trigger specific obligations under U.S. federal law and perhaps even under the laws of other countries. A discussion of these federal and international data breach obligations is outside the scope of this article – but you should nonetheless keep them in mind and consult with your attorneys to determine whether they are applicable to your business.

State Data Breach Notification Statutes – What To Look Out For

1.  Notification Trigger: Determining whether you are obligated by a given state’s law to give notification of a data breach – whether to the affected individuals, to governmental authorities, or perhaps even to other third parties – depends on a careful comparison of the facts of the breach to the precise wording of the applicable statute. In short, you will need to ascertain – likely, very quickly – first, whether the breach is covered by the laws of the given state and, if so, whether the breach itself rises to the level that triggers notification obligations under the applicable statute.

a. Is the information that was breached covered by the laws of a given state? Coverage of such state laws usually applies to the PII of a resident of the subject state. Thus, if you have a data breach, one of the first steps you must take to understand your possible obligations under state data breach laws is to inventory the data to determine (1) to whom the data relates (i.e., which state’s laws may apply to a given individual whose data was breached), and (2) the types of data affected.  These are generally the two critical components in determining whether a given state’s data breach laws are implicated in a breach incident.

Once you have identified that a breach affects an individual resident of a given state, you must then assess whether the data that was breached is “PII” within the meaning of the relevant state statute. This second step can be tricky due to the statutes’ varying – and often broad – definitions for what constitutes PII.  All of the states, for example, define PII to include the combination of an individual’s name with some type of financial account information such as credit and debit card numbers.  However, some states – including Georgia – go farther, extending the scope of their data breach laws to include information that could be used to perform identity theft, even if the individual’s name was not part of the information that was breached.  Colorado, for example, recently enacted legislation that expands the current statute’s definition of PII to include: (1) usernames or email addresses, in combination with a password or security questions that would grant access to an online account; and (2) account numbers, or credit or debit card numbers, in combination with any required security code, access code, or password that would permit access to the associated account.

b. Does the breach trigger notification obligations under the applicable statute? State statutes differ as to the criteria for determining whether a company must notify an individual of a data breach. Some states’ laws apply to all businesses equally, while others only apply to certain specified industries.  Furthermore, a given statute may specify that the breach must rise to a certain level of severity – based on, for example, number of individuals affected, or likelihood of harm to affected individuals – before there is an obligation to notify others of the breach.  Some laws, such as South Dakota’s data breach statute, require reasonable belief that an individual’s PII has been actually acquired in order to trigger the statutory disclosure requirements, while other states, like Connecticut, require notification if there is reasonable belief of unauthorized access to an individual’s PII, even if it is not yet known whether a third party actually acquired the information or gained control of it.  In still other states, notification of a breach may not be required unless there is a finding that the breach creates a risk of misuse or harm to the individual.

2. Parties to Whom Notification is Required: If the facts of the data breach trigger notification obligations under a given state’s data breach laws, then you must pay close attention to the statute’s specific requirements regarding to whom notification must be given under the circumstances.  In addition to notifying affected individuals, some states require disclosure to the state attorney general and/or to the credit reporting agencies.  For example, Alabama’s statute requires providing written notice of the breach to the state Attorney General if the number of Alabama individuals affected by the breach exceeds 1,000.  Arizona recently amended its data breach statute to also require notification in writing to the “three largest nationwide consumer reporting agencies” and the attorney general if the breach requires notification to more than 1,000 individuals.  South Dakota, however, does not set a threshold for notification and requires that all national credit reporting agencies be notified “without unreasonable delay” if a company is obligated to notify any individuals (even just one) of a data breach.

3. Notification Requirements – Content and Timing: Some states require that certain specific information be provided to the affected individual. Alabama, for example, requires that each notice include, at a minimum: (a) the date, estimated date, or estimated date range of the breach; (b) a description of the PII that was acquired by an unauthorized person as part of the breach; (c) a general description of the actions taken by the company to restore the security and confidentiality of the PII involved in the breach; (d) information as to how a consumer can protect herself from identity theft; and (e) the company’s contact information so that an individual may contact the company to inquire about the breach.

State laws also vary in the timing required for disclosing the breach to affected individuals.  Arizona recently amended its data breach statute to require disclosure to affected individuals within 45 days after determination that there was a security system breach, while Colorado recently amended its statute to require notice within 30 days. However, many states do not provide a specific timeframe for notification, which means that determining whether your notification of a breach is “prompt enough” may be at your own peril. Texas, for example, requires disclosure to be made “as quickly as possible” after discovery, while numerous other states impose a uniform – but vague – requirement that notification be given “in the most expedient time possible and without unreasonable delay.”

4. Parties’ Enforcement Rights: In the majority of states, only a state official can enforce the data breach notification laws. However, a small number of states provide affected individuals with a private right of action.  In such states, private parties can sue for violations of the state data breach notification laws.  California, for example, allows any person injured due to a violation of its data breach notification law to institute a civil action to recover damages, and allows affected individuals to recover a civil penalty of up to $3,000 per violation for any willful, intentional, or reckless violation of the statute.

Despite the fact that only a minority of states currently provide affected individuals with a private right of action, companies should nonetheless work to comply with such state statutes in a timely manner to avoid the risk of an enforcement action by not only the state attorney general, but also by the Federal Trade Commission (“FTC”).   Failure to comply with applicable state law – and the publicity associated with an enforcement action by the state – increases the likelihood that the FTC will take notice of the data breach.  The FTC has brought numerous enforcement actions against companies concerning poor security practices, alleging that such companies failed to adequately protect the security of individuals’ PII.  Such enforcement actions can result in civil penalties and onerous reporting requirements.

In summary: if your company finds that it has suffered a data breach, you will need to move quickly to determine the scope of your legal obligations under various state data breach laws.  The first line of attack to determine which states’ breach notification laws apply should be to analyze to whom the affected data relates and what type(s) of data was involved – and then work with your attorneys to ascertain whether a given state’s data breach laws apply and, if so, what your company will need to do to comply with them.  The facts and circumstances of every data breach are different, and not every breach will necessitate a multi-state response, however, we hope this article heightens your awareness of the issues you will need to consider, and the inquiries you will need to quickly undertake, in the unfortunate event that your company experiences a data breach.

If you have questions regarding state breach notification laws that may apply to your company, please contact Laura Arredondo-Santisteban at LArredondo@fh2.com.

The Consumer Review Fairness Act – Outlawing Consumer Gag Clauses In Your Customer Contracts

Does your company use form service agreements, purchase contracts, or online terms to conduct its business with customers? If so, you should review those documents immediately to make sure you are compliant with the new Consumer Review Fairness Act of 2016 (CRFA), which makes it unlawful in many cases to use your “standard terms” to control what your customer says about you, your products, or services.

The rise of social media and online review sites have provided consumers with an expansive ability to obtain instantaneous evaluations (good and bad) from others regarding a product or service.  This feedback can be great for businesses that receive good reviews posted online. But, as often is the case, there is nothing like a disgruntled customer to lead to a poor review being posted online.

As such, some businesses have attempted to restrict customers’ ability to publish negative reviews by inserting non-disparagement or “gag” clauses in their form contracts and online terms of service. These gag clauses limit consumers’ ability to post negative reviews by giving the company an express right to take legal action (and sometimes to recover money damages or specified penalties) against customers who post negative reviews or who complain to the Better Business Bureau. Some companies even attempted to exert control over consumer commentary by requiring that the consumers transfer copyrights in their reviews or other “feedback” about the products and services to the company.

The inclusion of these clauses, and companies’ attempts to enforce them, not only gained media attention, but also caught the attention of regulators at the state and federal levels.  In 2015, the Federal Trade Commission (FTC) filed a complaint against Roca Labs, Inc. and its principals for taking or threatening to take legal action against consumers who purportedly violated certain non-disparagement provisions that were included in their website’s “Terms and Conditions.” Under Roca Labs’ terms, purchasers allegedly agreed to not “speak, publish, cause to be published, print, review, blog, or otherwise write negatively about [Roca Labs], or its products or employees in any way.” These efforts by Roca Labs, the FTC alleged, constituted unfair acts or practices in violation of Section 5 of the Federal Trade Commission Act.

The Consumer Review Fairness Act of 2016 – Things to Do Now

As of March 2017, the CRFA makes certain clauses in “form contracts” void and unenforceable if the clause: prohibits or restricts an individual from sharing reviews of a seller’s goods, services, or conduct; imposes a penalty or fee against an individual who writes a review; or purports to transfer intellectual property in review or feedback content.  Furthermore, the CRFA makes it unlawful to even offer a form contract containing such a gag clause (meaning that it may be an illegal “unfair or deceptive trade practice” to continue to have such provisions in your contracts, even if you have no intention of enforcing them).

The CRFA broadly defines “form contracts” as any contract “imposed on an individual without a meaningful opportunity for such individual to negotiate the standardized terms,” and includes a website’s terms and conditions, as well as a company’s “standard terms” for purchasing products or services (whether in paper or electronic form). (The term “form contract” does not, however, include employer-employee or independent contractor contracts.)

More specifics about the CRFA are provided below – but your company should be taking steps immediately to review its form contracts – including any online terms and conditions – and to remove provisions that:

  • restrict individuals from sharing their honest reviews about you, your products, or services, or penalizes those who do; or
  • claim copyright in an individual’s reviews or feedback about you, your products, or services.

What Specific Conduct Does the CRFA Prohibit?

Specifically, under the CRFA a provision in a form contract is void if it:

  • prohibits or restricts an individual who is a party to such a contract from engaging in written, oral, or pictorial reviews, or performance assessments or analysis of, including by electronic means, the goods, services, or conduct of a person by an individual who is a party to a form contract;
  • imposes penalties or fees against individuals who engage in such communications; or
  • transfers or requires the individual to transfer intellectual property rights in review or feedback content.

Furthermore, the mere presence of one of these prohibited terms in a form contract constitutes a violation of the CRFA – even if you never try to enforce the provision.

There Are Limits to the CRFA – Not All Customer Commentary is Protected.

The CRFA does not require businesses to permit people to post reviews on their company’s website. However, if a business does solicit and allow consumers to provide feedback on its website, then it should keep in mind that the CRFA does not safeguard all content contained in consumers’ reviews.

In essence, the CRFA seeks to prevent companies from including provisions in their form contracts that threaten or penalize people for posting honest reviews about a company’s products, services, or conduct.  However, the CRFA does not protect defamatory or obscene posts. In addition, a business may still include provisions in its form contracts that prohibit postings that: breach confidentiality obligations imposed by law; reveal confidential information or trade secrets; contain personnel, medical, or law enforcement information; or contain computer viruses or malware.

Websites that permit consumer reviews also retain the right to remove or refuse to display content if it is unrelated to the goods or services offered, or is clearly false or misleading. However, the FTC cautions businesses that it is “unlikely that a consumer’s assessment or opinion with which you disagree meets the ‘clearly false or misleading’ standard.” Finally, businesses may also continue including “feedback clauses” in their agreements with consumers, which give the company certain rights to use feedback provided by customers, as long as such clauses take the form of a non-exclusive license (rather than requiring the consumer to transfer ownership of the feedback).

What Are the Penalties for Violating the Consumer Review Fairness Act?

Violations of the CRFA will be treated the same as violating a FTC rule that defines an unfair or deceptive trade practice. The FTC and state attorneys general have authority to enforce the CRFA. Enforcement will begin on December 14, 2017, and will apply to contracts with clauses in effect on or after that date.

Companies that violate the act by including prohibited gag clauses in their form contracts could be subject to steep financial penalties, as well as a federal court order. While the CRFA does not include a private right of action, individuals may still be able to sue under various states’ deceptive trade practice statutes (or “mini-FTC acts”), if those statutes provide for a private right of action. The CRFA specifically states that it shall not “be construed to affect any cause of action brought by a person that exists or may exist under State law.”

For Further Guidance:

If you have questions regarding complying with the CRFA or how to effectively respond to a negative review left for your business, contact Laura Arredondo-Santisteban at LArredondo@fh2.com or (770) 399-9500 for more guidance.