In this rapid-fire session, information technology lawyer Matt Karlyn delivers 10 tips you can use to better understand and comply with state security breach notification laws. Karlyn discusses several of the more complex elements of some states laws, and presents ways that you can prepare for compliance.
Read the full transcript from this podcast below:
Joyce Chutchian:Hello, and welcome to the CIO Decisions 10 Tips in 10 Minutes podcast. This is Joyce Chutchian, online editorial director for TechTarget's CIO media group. Joining me is Matt Karlyn, an information technology lawyer at Neil, Gerber, and Eisenbergin Chicago. Hello, Matt.
Matt Karlyn: Hi, Joyce.
Joyce Chutchian:Matt has been practicing information technology law for the past nine
years. Today, Matt will be identifying 10 tips with respect to state security breach notification
Matt writes a monthly column for CIO Decisions Magazine, which also discusses this topic in the November and December issues of CIO Decisions Magazine, as well as on CIODecisions.com. Security breach notification laws require those who collect, own, or license personal information about a state's residents to notify those individuals, and in certain circumstances, they must notify other entities when personal information has been compromised.
In this rapid-fire session, Matt Karlyn will deliver 10 tips you can use to better understand and comply with state security breach notification laws. He'll discuss several of the more complex elements of some state laws and explore some of the common elements among those laws. Matt will also present ways that you can prepare for compliance ahead of time.
And now, here's Matt to present the 10 tips.
Matt Karlyn:Thanks, Joyce. Okay, let's dig right in.
Tip number one: Make a plan and update it frequently. Companies of course hope never to compromise the personal information of their employees or customers. However, even if your company takes every protective measure imaginable, it can happen. For example, how do you prevent someone from losing a laptop?
That being said, it is imperative that your company have in-plays
and information security policy and notification policy ready to be implemented swiftly and in
accordance with each of the applicable state laws.
Having such a policy in place can also help in your compliance efforts, since in some states, following your corporate policy puts you in compliance. For example, the Illinois law contains a provision that states, "If a data collector currently maintains a notification procedure as part of its information security policy for the treatment of personal information, and the procedure is otherwise consistent with the timing requirements of the Illinois law, the data collector shall be deemed to be in compliance with the state law if it notifies Illinois residents in accordance with its policies in the event of a breach."
Tip number two: Don't panic. Security breaches can be horrific events, regardless of how many individuals are affected. Any security breach will cost your company time and money, and may, among other things, damage your valuable reputation. Compliance with the 34 different state notification laws is seemingly a daunting and overwhelming task.
However, the laws with respect to notification are generally pretty clear, and with a clear and concise compliance plan, you can comply quickly and efficiently, which will help save you time, money, and hopefully lessen the effect that security breaches have on your valuable reputation.
Tip number three: Know which state laws apply to you. Thirty-four states have security breach notification laws, which generally require your company to notify individuals whose personal information is lost, compromised, or stolen. One of the best ways to ensure swift and efficient compliance in the event your company experiences a security breach is to know, as part of your information security and notification plan, which state laws apply to you.
The easiest way to figure this out is to determine the state residence of the people whose personal information you retain. If you retain the personal information of residents of each of the 34 states with security breach notification laws, then, in the event your company experiences a security breach, you must comply with each of the 34 laws, some of which are similar, but none of which are identical.
Tip number four:Don't rely on the California law. Yes, California was first, and because it was first, it is probably the most well-known. Yes, it is also true that many of the other 33 state laws track closely to the California model. However, there are several key differences among all of the different state laws.
There is no single state law with which you can comply to comply with all others, since no state law is the most stringent in all respects.
Tip number five:Understand the exceptions. There are several key exceptions to many of the state laws that may exempt your company's compliance. For example, some of the state laws only apply to certain data collectors and exempt others. The Georgia law only applies to information brokers, which has a specific definition that may not apply to your company. The Indiana law applies only to state agencies. Other laws, such as the Minnesota law, exempt certain financial institutions and entities that are subject to the health insurance portability and accountability act.
Many state laws also do not apply if the information lost, stolen, or compromised was encrypted, or was otherwise incapable of causing harm, such as identity theft.
Tip number six: Know who you have to notify and who you don't have to notify. As part of your plan, you should also know exactly who you have to notify. Under certain circumstances, many of the state laws require notification to more than just the individual whose personal information was lost, stolen, or compromised. For example, several of the state laws require that your company notify consumer reporting agencies if more than a specified number of that state's residents were affected. In Minnesota, the threshold is 500 residents. In New York, the threshold is 5,000 residents.
New York also requires notification of the attorney general, the consumer protection board, and the state Office of Cyber Security and Critical Infrastructure Coordination. New Jersey requires notification of the state police prior to notification of the affected individuals. The Delaware law requires notice to the consumer protection division of the Delaware Department of Justice.
Tip number seven: Don't wait. Know the time frames. Certain of the state laws have specific notification time frames. In Florida, for example, the law requires that individuals be notified within 45 days. Other states require that the notice be required promptly or timely. For example, the Illinois law requires that the notice be provided in the most expedient time possible and without unreasonable delay. Know the time frames to ensure compliance.
Tip number eight: Understand what terms each notice must contain. Again, sounding a bit like a broken record here, but several of the state laws differ with respect to what your notice to consumers must actually say.
Tip number nine: Understand your options with respect to how notification must be made.
Many state laws include the option of indirect substitute notice in certain circumstances, as
opposed to direct notice to the affected individuals. In California, for example, the law permits
substitute notice if the cost to provide the notice would exceed a certain amount, or if more than
a certain number of individuals are affected.
Substitute notice procedures may include emailing all consumers affected, posting the information on your company's corporate website, and notifying major media outlets.
Tip number ten: And probably most importantly, take the steps now that will protect your company in the future. There are several thing your company can do now to protect it in the event it experiences a security breach. For example, review your company's infrastructure to ensure that stored personal information is secure, and encrypt personal information that you maintain. These are the types of preparations your company can make that will make compliance with the several state security breach notification laws, in the event your company experiences a security breach, easier, cheaper, and less complicated.
As we have already discuss, I can't stress enough the importance
of crafting a detailed information security and notification policy, and updating it frequently to
account for changes in technology and changes in the law.
Finally, if your company does experience a security breach, seek experienced legal assistance to help guide you through compliance with the applicable state security breach notification laws.
Joyce, back to you.
Joyce Chutchian:Thanks, Matt. I could probably take another 10 minutes to ask you 10 questions about security breaches and the law, but for now, I'll refer our listeners to CIODecisions.com, or our November and December issues of the magazine.
If you have other topics you'd like to hear about, please send an email to editor@CIODecisions.com. Thanks, and have a great day.
This was first published in October 2006