Data breaches of personal data can be extremely harmful to a business, and navigating the laws surrounding them is often confusing.  All 50 states have security laws in place for how a business must act when its customers’ personal information is compromised.  Some states, such as Florida and California, require notification when a certain number of individuals have been affected by a data breach.  Others, like Pennsylvania, only require that the affected individuals themselves be notified.

To understand these laws and how they differ across states, it must first be understood what is considered personal information, and what is considered a breach.  For instance, in Pennsylvania, personal information constitutes a person’s first name or first initial and last name when combined or in any way linked to unencrypted or redacted data elements such as a social security number, a driver’s license, or state identification card number, any financial account numbers, or passwords that allow access to financial accounts.  For a situation to be properly categorized as a breach, computerized data containing personal information must have been accessed and acquired without authorization, or there must be a reasonable belief that the information may have been accessed and acquired.  If the business believes that the accessing of this information will or may cause a loss or injury to any person within the state of Pennsylvania, it is also considered a breach.  It is not, however, considered a breach under Pennsylvania law when personal information has been accessed in good faith by a company employee or agent, such as for lawful purposes that do not subject the information to further unauthorized disclosure.

Many businesses operate across state lines, especially businesses that sell their products online.  These businesses must also meet the requirements set by other states which may be more rigorous than those in Pennsylvania.  Under California and Florida law, the definition of what is considered personal information is broader.  These states include the first name or first initial and last name of an individual in combination with driver’s license or state identification card numbers, social security number, or financial account numbers, codes, or passwords. These states also include, however, medical information, and health insurance information.  When combined with a name, California also considers biometric data generated from body analysis such as fingerprints, or information collected using an automated license plate recognition system to be personal information.  Furthermore, both states consider a username or email address combined with a password or security question and to be personal information when it would provide access to an online account.  Information that has been made publicly available is excluded.

As stated previously, Pennsylvania law does not require governmental notification in light of a data breach.  The business must only give notice to any individual within the state of Pennsylvania whose information was or is reasonably believed to have been accessed in a data breach.  This notice must be provided in writing to the last known home address for the individual, by telephone if the customer can reasonably be expected to receive it, or by email if a prior business relationship exists and there is a valid available email address.  When providing notice by telephone, Pennsylvania requires that the call provide clear and conspicuous notification that generally describes the incident and verifies personal information.  The call cannot require the customer to provide personal information, and the business must give the individual a proper telephone number or website to visit to ensure they have a contact point for any further questions.

Pennsylvania provides an option for substitute notice when the costs associated with notifying people would exceed $100,000, when the company does not have sufficient contact information, or when the affected people to be notified exceeds 175,000.  When one or more of these instances occurs, the company can use substitute means.  This requires them to post conspicuous notice on their website, use any existing email addresses to which they have access, and notify major statewide media.  Pennsylvania is permitted to delay notification when they are requested to do so in writing under the advisement by a law enforcement agency that notification would compromise a criminal or civil investigation.  The access of the personal information of more than 1,000 individuals at one time also requires that companies notify consumer reporting agencies that maintain consumer files on a national basis.

California’s notification process is highly formal in its structure.  Whether in hard copy or electronic form, companies must follow strict format for titling sections to tell customers what happened, what information was involved, what the company is now doing, and what customers are able to do.  Furthermore, the business must provide customers with a section titled “For More Information” to provide them with a contact point within the company.  When notifying customers, the company must tell them a date or approximate date of the breach, a general description of the overall incident, the types of information that were or are reasonably believed to have been compromised, and telephone numbers and addresses for major credit reporting agencies if the breach exposed either a social security number of an identification card number.  While California companies can also delay notification when notifying individuals may risk a law enforcement investigation, they must later inform customers whether notification was delayed as a result of a law enforcement investigation when possible.

California is unique from Pennsylvania in that it also requires companies to provide identity theft prevention and mitigation services at no charge for affected individuals for at least a year when the business itself was the source of the breach.  The company must also notify the individuals of all the information they need to take advantage of this resource.

California and Florida require that the state be made aware when a certain number of people had personal information compromised.  In California, companies must notify the attorney general of the state when more than 500 California residents are impacted by a single breach.  Florida must notify the Department of Legal Affairs when more than 500 Florida residents are impacted by a single breach by informing the department of what occurred, the number of potentially affected individuals, any services being offered to customers, and how to access those services.

Florida requires notice to be given without unreasonable delay, limiting businesses to no more than 30 days after they determine a breach has occurred to notify impacted individuals.  Businesses are able to request delays if federal, state, or local law enforcement agencies believe that notifying individuals would interfere with a criminal investigation.  Florida also allows companies to withhold notification of a data breach if they reasonably determine that the breach is unlikely to result in identify theft or any other financial harm to those whose information has been compromised.  If a company comes to this determination, however, it must maintain its documentation of such findings in writing for at least 5 years, and the company must notify the Florida Department of Legal Affairs within 30 days after the determination.

When a business must provide notification under Florida law, it has several avenues by which it can complete its duties.  The business must either send an email notice to the email address of the person on record or they must send written notice to the mailing address saved in their records.  Florida law also requires that individual to know either the date, an estimated ate, or an estimated date range during which the data breach occurred as well as a description of the personal information that was compromised.  Individuals must also be notified of a contact point with the company to ensure that they are able to inquire about the breach.

Florida does allow another exception for notifying individuals if notification is not feasible because it would exceed $250,000, if the number of impacted people exceeds 500,000, or because there are affected individuals for whom the company does not have contact information.  When one of these situations occurs, companies may instead either provide conspicuous notice on their website or provide notice in print and broadcast media in areas in which impacted individuals reside.  Florida also requires notification to credit reporting agencies and consumer reporting agencies that function on a national level without unreasonable delay if the company discovers that they must notify more than 1,000 individuals at a time so that these agencies can properly maintain consumer files as required by the Fair Credit Reporting Act.

Pennsylvania, California, and Florida offer civil relief when their notification acts are violated by deeming the violation an unfair or deceptive.  In Pennsylvania, the Office of the Attorney General has sole authority to bring an action that is considered a practice in violation of the Unfair Trade Practices and Consumer Protection Law.  The attorney general in California can hold businesses to penalties of up to $7,500 per intentional violation and up to $2,500 for any unintentional violation.  California consumers may also bring actions, however, in damages between $100 and $750 per consumer, per incident.  Alternatively, customers may file for actual damages if those are greater than the statutory damages.

Florida holds companies to a civil penalty not exceeding $500,000.  Businesses can be held liable for $1,000 per day up to the first 30 days after a violation of notification of individuals or the Office of Legal Affairs.  After the 30-day period is up, businesses can be charged $50,000 for each subsequent 30-day period for up to 180 days.  When the violation continues beyond 180 days, the penalties can reach as high as $500,000.  Florida’s law also requires that any penalties for violating the notification laws be deposited into the General Revenue Fund.

In order to properly navigate the legal requirements in responding to a data breach, it is critical to understand what is considered personal information and a breach in each state where your business operates, what forms of notification are required, and what remedies may be offered to best serve customers and stay in compliance.

With contribution from Angela Mauroni, first year J.D. candidate at the University of Pittsburgh School of Law.