Data Breach Notice Requirements Increase in Complexity

October 25th, 2016 | By Jules Halpern Associates | Confidential Information, Cyber Security, Employer Liability, Technology

Employers have stepped up efforts to protect confidential information; security breaches are nonetheless a regular occurrence. A security breach occurs when someone circumvents an employer's safeguards and gains unauthorized access to information, whether or not that information was protected. Under sector-specific federal laws and the breach notification statutes of nearly every state, employers must notify affected parties when certain breaches occur. Because these state laws vary widely in their definitions, triggers, and deadlines, complying with them can be difficult.

Implementing written guidelines for protecting confidential information can greatly reduce the likelihood of a data breach and speed containment and recovery when one does occur. Last month, we explained in greater detail why cyber security protocols matter, and how some employers will soon be required to maintain expansive written policies. For more information on cyber security policies, see our general article and our article explaining the required programs.

If an unauthorized user has accessed confidential information, such as employee health information, trade secrets, or other intellectual property, a data breach has occurred. An employer's first instinct is usually to limit the damage, which can include restricting knowledge of the breach to a select few. Notifying affected parties exposes the employer to real costs, including the expense of the notices themselves and reputational harm. However, failing to notify everyone involved can lead to further breaches, slow the repair process, and delay the new safeguards that would prevent a recurrence.

Local Statutes

In 2002, in order to protect businesses, organizations, employees, and consumers, California became the first state to require notification of affected parties after a data breach. Since then, 47 states, as well as the District of Columbia and Puerto Rico, have enacted similar statutes. Although many of these statutes resemble the California law in form, some states are beginning to move away from the California model by broadening the definition of covered personal information and eliminating exemptions.

Navigating the individual state notification laws can be difficult and expensive, especially once a breach has already occurred. The task is more complex still for multi-state employers, where differences between state laws can be the difference between a nominal fine and a costly lawsuit.

Requirements

Employers must respond to data breaches in specific ways, and the requirements vary by state. As a practical matter, the applicable law is usually determined by where the affected individuals reside rather than where the employer is located, so a multi-state employer may have to satisfy several statutes for a single incident. Generally, when a breach occurs, an employer must first attempt to mitigate any further harm to consumers, employees, and the employer itself. It must then provide notice of the breach to all affected parties, which can include consumers, vendors, and employees.

Most states do not impose a fixed deadline for notification; instead, notice must be given without unreasonable delay once the employer has had a reasonable opportunity to investigate and secure its systems. In certain circumstances, these laws also allow additional time for the employer to remedy the breach. Currently, eight states mandate that notice be given within a specific number of days, regardless of the employer's own progress. In those states, the deadline can generally be extended only at the request of law enforcement, where notice would impede a criminal investigation.

Encrypted data, meaning data that has been rendered unreadable without a decryption key, is generally exempt from the notification requirement because most states treat encryption as the best available protection for information. Employers should not assume that this safe harbor always applies: in most states the exemption is lost if the encryption key was also acquired in the breach, and it offers nothing for data that was stored or transmitted in the clear. Tennessee is now the first state to mandate notification regardless of whether the data was encrypted. Since Tennessee's amendment was announced, California lawmakers have begun debating whether to eliminate their own encryption exemption. If more states follow Tennessee's example, even this seemingly simple exemption will create compliance issues for multi-state employers.

Practical Considerations

Providing notice of a breach of confidential information can be an employer's worst nightmare. Not only must the employer admit that its security was breached, it must also ensure that it complies with every applicable state law. Preparing and sending breach notices is also time consuming.

Employers can reduce their risk of a breach, and with it the risk of having to provide notice, by implementing detailed cyber security policies and training employees on how to respond when a breach is suspected. Keeping up to date with the ever-changing notification requirements will also enable employers to act properly and promptly, avoiding additional harm as well as fines for failing to comply with the notice laws.
