Data breach notification statutes
By Shannon T. O’Connor
High-profile cyber-attacks and investigations into data breaches have brought more attention to the importance of data technology, from individuals’ daily lives up to the highest levels of government. Governments and government employees continually try to assess the risks of a cyber-attack or other data breach — but beyond the immediate risks of compromised data and disrupted services lies the risk of liability.
Governments should invest in data protection — but not without understanding potential liability in the event of a breach. Policymakers and executives must understand the legal duties of a city or county government in case of a security or data breach, existing policies and incident response protocols — including which departments are responsible for handling a breach — and state and federal statutes.
It is easy to allocate funds toward issues more visible than IT upgrades or cybersecurity; however, failure to comply with legal obligations following a data breach damages a government’s credibility — all while the government may be struggling to provide normal services.
All governments are subject to cyber threats, and the likelihood of a data breach increases daily. A breach should trigger an internal response, involving the team tasked with identifying, containing, fixing, and complying with the external requirements. The external requirements are simply what a city or county is obligated to do under the current law.
Currently, 47 states have in place mandatory data breach notification statutes specifying post-breach obligations that apply to local governments. All breach notification statutes cover several main topics, including:
A definition section describing the types of events that constitute a breach and what constitutes personally identifying information;
Who must be notified and the deadline to make that notification;
An outline of acceptable methods of notification, including whether written notice or electronic notice is required;
Penalties for noncompliance.
Some states include a provision to notify the Attorney General’s office based on a numerical threshold of a certain number of individuals affected.
Municipalities often look to other jurisdictions to emulate. This is a bad idea. Although similarities exist in terms of common elements covered by these state statutes, there are variations both obvious and nuanced. For example, many states include an encryption safe harbor in the definition section, which means the statutory notification requirement only applies when personal identifying information is not encrypted. However, notification may still be required even if the information is encrypted, if it’s reasonable to conclude that the encryption key was obtained in the hacking or breach event. Some states require an element of harm to be present before notification requirements kick in.
The best place to look before drafting policies and protocols is the state statute itself. It would be prudent to adopt the definition section of the relevant statute into the policy. Notably, a municipality can draft a more restrictive policy, but must comply with the statutory requirements at a minimum. Any internal policy should include the deadlines for notification and assign which department or personnel will implement the notifications.
The response by a government following a data breach can assist in restoring credibility in the eyes of the public. Prioritizing cybersecurity demonstrates that a city or county understands the current threat, takes its obligations to protect the public seriously, and is engaged with 21st century issues and standards of municipal service. It is no longer simply about potholes, police, and fire services — a government must protect citizens’ private information. As technologies and threats evolve, so too must local governments in their understanding of duties and obligations to the public.
Shannon T. O’Connor is an associate attorney at law firm Goldman Segalla, who focuses her practice on municipal and governmental liability and matters involving employment and labor. She is a Local Government Fellow of the International Municipal Lawyers Association (IMLA).