Form of notice – Notice may be provided in writing (e.g., on paper and sent by mail), in electronic form (e.g., by e-mail, but only provided the provisions of E-SIGN [123] are complied with), or by substitute notice.
Substitute notice options – If the cost of providing individual notice is greater than a certain amount (e.g., $250,000) or if more than a certain number of people would have to be notified (e.g., 500,000), substitute notice may be used, consisting of:
E-mail when the e-mail address is available, and
Conspicuous posting on the company’s web site, and
Publishing notice in all major statewide media.
Several of these issues vary from state to state, however, and some have become controversial. The biggest issue revolves around the nature of the triggering event. In California, for example, notification is required whenever there has been an unauthorized access that compromises the security, confidentiality, or integrity of electronic personal data. In other states, however, unauthorized access does not trigger the notification requirement unless there is a reasonable likelihood of harm to the individuals whose personal information is involved [124] or unless the breach is material. [125]
What Companies Need to Do
How a company prepares for and responds to security breaches when they occur is a key issue. Prompt action on a variety of fronts is critical, both from a legal and a public relations perspective. [126]
The first step is planning. Given the proliferation of security breach notification laws, and the resulting duty to disclose breaches, there is a premium on taking steps, in advance, to reduce or eliminate the risk of having to make a disclosure. This begins with a review of information collection practices, both to identify where sensitive personal information is collected and stored, and to assess whether such information is really needed. In many cases, information subject to the security breach notification laws may not even be needed. But if it is, it is important that the company have an accurate understanding and inventory of what data it collects, and where it is stored. The bottom line is to identify notice-triggering information.
The next step, of course, is to ensure that appropriate security measures are in place to protect the personal information. To the extent that appropriate security can
123 15 USC Section 7001 et seq. This generally requires that companies comply with the requisite consumer consent provisions of E-SIGN at 15 USC Section 7001(c).
124 Arkansas, Connecticut, Delaware, and Louisiana are examples of states in this category.
125 Montana and Nevada are examples of states in this category.
126 See generally, California Department of Consumer Affairs, Office of Privacy Protection, “Recommended Practices on Notification of Security Breach Involving Personal Information,” October 10, 2003, available at www.privacy.ca.gov/recommendations/secbreach.pdf.