Safe Harbor From Data Breach Notification

The purpose of data breach laws is to encourage organizations to take measures to protect their sensitive data. After a data breach, a business must comply with the state data breach notification statutes where its customers are located. States normally define a “breach” as either “unauthorized acquisition” or “unauthorized access” of personal information.

Risk of Harm Analysis

Some state statutes include a “risk of harm analysis” that triggers the notification requirement. This analysis allows a business to determine whether there is a reasonable likelihood that an intruder will use any sensitive information for harmful purposes, such as identity theft or fraud. However, many statutes impose requirements for using this provision, such as documenting the risk determination and notifying a state agency.

Once notification is triggered, a business must send notifications to the individuals whose information was compromised by the breach. Some statutes also require notifying state agencies and credit agencies.

Safe Harbor Provision

Many statutes include a safe harbor provision to reward businesses for encrypting their data. This provision allows an organization to portray the security event as an “incident” instead of declaring it had a “breach.” Importantly, this provision relieves the business from the expense and humiliation of having to send out breach notifications.

To use a safe harbor, the breached organization must prove that it encrypted the sensitive data in accordance with the state statute. Many state statutes specify a safe harbor for encryption where the trigger for notification is unauthorized access or acquisition of personal “unencrypted computerized data.” Other state breach statutes do not define encryption at all. Meanwhile, some states have defined “breach” or “personal information” to specifically exclude encrypted data where the unauthorized person has the key required to decrypt the data. This exclusion creates the argument that encrypted data no longer has a safe harbor from notification.

For more information, visit these links:

Search State Data Breach Laws

Data Breaches and the Encryption Safe Harbor

State Data Breach Notification Laws Just Got Crazier

Alice is a member of the Florida Bar, and she focuses on data privacy and cybersecurity compliance in her law practice. She attended the Warrington College of Business at the University of Florida and earned a Bachelor of Science in Business Administration. After graduating, she earned a Juris Doctor at the Stetson University College of Law. During law school, she served as an Assistant Executive Editor for Stetson Law Review and also as a Staff Editor for Stetson Journal of Advocacy and the Law. She currently serves as Chair of The Florida Bar Journal/News Editorial Board.