I wish I had a bitcoin for every time I get an email with the subject line “Data Breach,” yet the facts upon investigation reveal no notifiable breach occurred.
In the Venn diagram of cyber security, the big rectangle is security incidents, enveloping a smaller circle of incidents that are breaches under state PI breach notification statutes. And a yet smaller circle are the breaches for which these statutes require notification of affected individuals.
So, what are common scenarios in which a security incident does not trigger notification duties under state PI breach notification statutes?
The compromised information is not PI:
Each of 47 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands has a statute requiring notification of affected residents when their Protected Information has been breached. Each jurisdiction’s statute is unique, with its own definitions, notification requirements, and exceptions. Take the definition of Protected Information, or PI. All such jurisdictions treat the combination of first name or initial and last name with Social Security number as PI, but surprisingly, some other combinations of information fall through the gap. For example:
- In no state does an individual’s name and email address without the codes or passwords necessary for online account access constitute PI.
- In only six states does PI include name plus a financial account number without codes, PINs, or passwords necessary for account access: DC, IN, NC, PR, SC, and WI.
- In just 13 states is name combined with medical information defined as PI: AR, CA, FL, IL, MO, MT, ND, NV, OR, PR, RI, TX, and WY.
- Name plus specified health insurance information is PI in just nine states: CA, FL, IL, MO, ND, NV, OR, RI, and WY.
- Name and specified biometric information is PI in only seven states: IA, IL, NC, NE, OR, WI, and WY.
The compromised information was not computer data:
The vast majority of state notification statutes only apply to PI in the format of computer data. Only seven states define PI to include non-computerized data – AK, HI, MA, NC, RI, WA, and WI. And only two others – IA and IN – include computerized data transferred to another medium, such as paper.
The information was otherwise publicly available through lawful means:
In all but six states – AK, AR, KY, ME, MI, and RI – information publicly and lawfully available to the general public from federal, state, or local government records is not PI for breach notification purposes. Nine states also exempt information publicly and lawfully available from widely distributed media – AZ, CO, CN, ID, MS, NJ, OH, UT, and WY. Eight states exempt information in publicly available sources – IA, MA, MO, OK, PR, SC, VA, and WV – and Maryland and North Carolina exempt information that has been publicly listed or disseminated with the individual’s consent.
The information was encrypted, redacted, or otherwise unreadable by an unauthorized person:
Every state has a safe harbor from notification requirements, either separately stated or in its breach definition, for PI that is encrypted, or redacted, or similarly protected, or for some combination of these safeguards. But many states’ statutes explicitly provide that the means of protection, such as the encryption key, must not have been accessed or acquired.
The incident does not meet the statutory definition of a breach:
Each state’s statute has a definition of “breach,” and all but a few require more than merely unauthorized access or acquisition of PI. Most also require that the incident “compromises the security or confidentiality” of the PI, and many states require additional indicia of likely harm, fraud, or identity theft.
The incident only involves access by the entity’s employee or agent for a legitimate business purpose:
Every jurisdiction but four – CN, GU, MS, and PR – provides an exception for the good faith acquisition of PI by an employee or agent for a legitimate purpose of the entity, so long as the employee or agent does not make a further unauthorized use or disclosure of the information.
The incident was a “breach,” but after good faith investigation the entity determines that there is no reasonable likelihood of harm:
Under the statutes of 24 states, notifications are not required for an incident that otherwise meets the definition of a breach if, after a good faith investigation, a determination is made that there is no reasonable likelihood of harm to the affected individuals. These respective states phrase this standard somewhat differently, and three states’ statutes – AK, CN, and FL – require law enforcement involvement in the determination. Documentation of the determination must be retained under several states laws, for three years – MD – or five years – AK, FL, IA, MO, NJ, OR.