A data breach can be defined as the unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of that information. What is considered personal information depends on state law but typically includes an individual’s first name (or initial) and last name plus one or more of the following:
- Social Security Number
- Driver’s license number or state-issued ID card number
- Account number, credit or debit card number, combined with any security code, access code, PIN or password needed to access an account
Additional categories may include:
- Medical history or health information
- Biometric information
- Email address and password
- Tax ID number
All 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have established data breach laws to protect consumers. These laws generally require organizations to notify individuals in the case of a data breach involving certain personal identifying information. In addition, the following topics are also addressed in many data breach notification laws:
- Notice to the Attorney General: Some states require a notice be sent to the state attorney general or a state agency informing them of a breach.
- Time-Sensitive Notification: States have differing requirements on when and how notifications must be sent out to individuals.
- Risk of Harm Analysis: Some states allow for exceptions to their notification requirements upon an assessment of the risk of harm to the affected individuals.
- Encryption Safe Harbor: States have different laws affecting the definition of a breach and the notification requirements based on whether the data was encrypted.
- Paper or Electronic: States also differ as to whether their laws affect only electronic materials, paper materials, or both.
When determining whether to pursue a data breach matter, attorneys general may consider several criteria:
- Violation of statute
- Severity and scope
- Remedies available
- Legal value of the case
The severity and scope of a data breach are important components attorneys general must consider when pursuing a data breach case. Additional factors include:
- Data sensitivity
- Number and type of consumers affected
- Impact on consumers
- Is the harm ongoing?
- Can the compromised information be modified to the detriment of the consumer?
- How culpable is the entity for the breach?
- Liability for vendors or third parties
Following a successful action against a company in violation of data breach laws, attorneys general may pursue different remedies:
- Injunctions: Companies may be required to take steps to protect consumer data, or update their systems and/or corporate governance.
- Civil penalties: Most state consumer protection laws list penalties for each violation.
- Consumer restitution: This could include free credit monitoring or freezes.
- Attorneys’ fees and costs.
Data Breach Multistate Settlements and Investigations
Attorneys general frequently work together on data breach matters and have successfully negotiated multistate settlements on behalf of consumers, resulting in significant civil penalties and added protections. Recent multistate settlements include:
- Uber Technologies, Inc.
- Nationwide Mutual Insurance Company & Allied Property & Casualty Insurance Company
- Google Safari and Google Streetview