term a bit further by including “unique
biometric data, such as fingerprint,
retina, or iris image, or another unique
physical representation or digital representation of biometric data” in its definition. Wisconsin has added an individual’s
DNA profile to what it considers sensitive
personal information for which a company could be held liable in the event of
a breach. Finally, my favorite addition
comes from Nebraska, which has added
voiceprints to their statutory definition.
There is a growing trend to expand, rather than narrow, the identifiers that constitute personal information. This means that companies need to err on the side of caution with all data that could be considered, now or in the future, sensitive consumer information.
Can the Notification Obligation Be Waived?
I hate to use a lawyer’s favorite answer, but “it depends.” Alaska, California, the District of Columbia, Hawaii, Illinois, Maryland, Minnesota, Nebraska, Nevada, New Hampshire, North Carolina, Rhode Island, Utah, Vermont, and Washington have all held that a consumer’s contractual waiver of the right to be notified when a breach has occurred is against public policy and thus unenforceable. If your state’s data breach notification statute permits waivers or is silent on the matter, your company should still proceed with caution. Just because a statute doesn’t say a waiver is prohibited doesn’t mean a court will rule that it is permitted. These provisions are increasingly losing favor with the courts and should not be relied upon.
Who Must Be Notified?
The majority of states require only that the affected customers be notified. However, a number of states require that the Attorney General also be notified, usually depending upon the number of customers affected. Those states include California, Hawaii, Indiana, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, South Carolina, and Virginia. Some states, like New Jersey, even require that disclosure of the breach and any information pertaining thereto be made to the Attorney General and State Police prior to notifying the affected customers. A growing number of states, including Georgia and Hawaii, also require companies to notify the major nationwide consumer reporting agencies (the credit bureaus).
When Must Notification Be Made?
The majority of states use a “reasonableness” standard for the timing of notification, and most read like this provision from Colorado: “Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.” However, a handful of states require that notification be made within a specific timeframe. If your company is a clinic, health facility, home health agency or hospice licensed in California, hurry: you have five days. If you are a licensee or registrant of the Connecticut Insurance Department, you also have five days from the time the incident is first identified to issue notice to the appropriate persons and agencies. Entities within Florida, Ohio, Vermont, and Wisconsin shall provide notice within 45 days. And, finally, in Maine, notification must be given within 7 days following an investigation determining that notification is required.
Remember, time is money. If your company does business in, or owns or licenses personal information from, a number of states, it is critical to maintain a comprehensive data breach response plan that includes the notification timeframes for each of those states. Update it regularly. It is time-consuming, but in the event of a breach, your company will have more time to focus on mitigating damages.
How Must Notification Be Made?
The majority of states hold that notice may be provided by one of the following methods: written notice; telephonic notice; or electronic notice, if the company’s primary means of communication with the consumer is by electronic means. Ergo, don’t give your email address to the cashier at _________ if you prefer to find out your identity has been stolen from somewhere other than your spam folder. And remember, credit is money. How your company responds to a data breach crisis has direct implications for your brand and reputation.
Are Alternative Methods of Notification Available?
Yes, in virtually all states, save Utah, substitute notification is available under certain, expressly stated circumstances. However, the prerequisites for issuing alternative notice differ among the states. For example, in Arizona, if a company can demonstrate that the cost of providing notification will exceed $50,000, or that the number of affected persons to be notified exceeds 100,000, then substitute notice is available. On the other hand,
in Arkansas and California, alternative