06/01/2015 by Attorney J. Brandon Sieg
Previous articles in this series have introduced considerations for Virginia businesses that experience a “breach of the security of the system.” They have discussed Virginia-specific disclosure obligations, including who to notify and what information to provide. But many Virginia businesses experiencing a security breach will also have affected customers or clients in other states. These businesses must look beyond Virginia law and consider the law of each state where an affected individual resides.
When so many jurisdictions may be involved, begin by determining whether notification is required at all in each state under your particular circumstances. Many states, including Virginia, ease the burden on businesses with a risk-of-harm threshold: notification is required only when the breach is reasonably likely to result in identity theft or other fraud affecting your clients. Some states provide a narrower “good faith” exception for situations in which your own employee acquires the information for a legitimate business purpose and the information is not used improperly. Still other states require notification regardless of the risk of harm your clients actually face.
Also consider how many individuals are affected, both state by state and cumulatively. Once 500 affected individuals reside in a single state, you are more likely to encounter additional notification requirements, such as notice to the state government and to the consumer credit reporting agencies. The trigger for these additional requirements varies widely, however. For example, New York requires notification to the state government if even a single resident is affected, while the additional reporting obligations in Texas do not apply until 10,000 individuals are affected.
Most states impose similar requirements for the content of the notice itself. You will likely need to provide a general summary of the circumstances of the breach, disclose what type of personal information was acquired, and provide contact information for the credit reporting agencies. Even where the statutory language is nearly identical from state to state, review each state’s requirements carefully for unusual obligations. For example, California may require you to provide identity theft prevention and mitigation services to your affected clients at no cost. Minnesota recently considered requiring some businesses to give each affected customer a $100 gift card as a result of the breach.
Juggling different notification requirements across multiple jurisdictions quickly becomes a challenging task. Work with an attorney experienced in these issues to ensure that you comply fully and efficiently with every applicable law. Contact Vandeventer Black LLP today.