In the absence of a federal law protecting disclosure of personally identifiable information, all 50 states have passed some form of a data breach disclosure requirement that applies generally to breaches of personally identifiable information of the residents of each state. While each state’s notification statute will differ, they generally follow the same basic principles.  Indiana, for example, requires database owners to provide notification to Indiana residents whose unencrypted personally identifiable information has been breached.  The statute defines a database owner as “a person that owns or licenses computerized data that includes personal information.”^[1] This is a broad definition, which in theory would apply to anyone with a cell phone, laptop or other device that contains data. But this is only half of the equation for determining whom the statute applies to.  Indiana’s statute only triggers a duty to provide notification to what it defines as Indiana Residents.  An “Indiana Resident” is a person whose principal mailing address is in Indiana, as reflected in records maintained by the database owner.^[2]

Now that we have determined to whom these statutes generally apply, we must determine under what circumstances notification must be provided.  There must be a triggering event, which is defined in Indiana’s statute as a “breach of the security of data.”  A breach of the security of data is the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person.  The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.”^[3] Thus, Indiana’s data breach notification statute will apply not only to computerized data, but to data that has been printed from a database onto paper and not properly disposed of.  Generally, a safe harbor provision will apply to encrypted data, but only if the database owner can prove the encryption key has not been compromised.^[4] Now that we have established under what circumstances the statute may apply, we need to determine what kind of information it protects.  Indiana defines “personal information” as either:

1. An unencrypted, unredacted social security number; or
2. A combination of an individual’s first and last names, or first initial and last name and:
   1. Unencrypted unredacted driver’s license number;
   2. Unencrypted unredacted state ID number;
   3. Unencrypted unredacted credit card number;
   4. Unencrypted unredacted financial account or debit card number in combination with a security code, password or access code that would permit access to the person’s account.

If a breach of the security of data results in the compromise of the information above, then Indiana requires notification to be made “if the data base owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in or could result in identity deception (as defined in IC 35-43-5-3.5), identity theft, or fraud affecting the Indiana resident.”^[5] The disclosure must be made “without unreasonable delay.”^[6] Delays are reasonable if:

• Necessary to restore the integrity of the computer system;
• Necessary to discover the scope of the breach; or
• The Attorney General or law enforcement agency has requested a delay because disclosure will impede an investigation or jeopardize national security.

Once the above conditions of a “reasonable delay” are no longer present, the notification must be made “as soon as possible.”^[7] Some states impose specific timeframes within which to provide notification.  Florida, for example, requires disclosure within 30 days of discovery of the breach.^[8] Failure to disclose a data breach can be prosecuted by the Indiana attorney general as a “deceptive act” for which the attorney general can seek injunctive relief, a civil penalty of up to $150,000.^[9] Finally, Indiana requires database owners to implement reasonable measures to safeguard personal information.^[10] Failure to implement what Indiana defines as reasonable measures to safeguard personal information can result in administrative penalties of up to $5,000 per violation.^[11] “Reasonable security measures” as defined by any particular state may vary, and this may cause significant compliance concerns for any entity dealing in information pertaining to citizens of a large number of states.

As one can imagine, a large data breach of personally identifiable information affecting residents of all 50 states would result in significant compliance expenses for an organization.  Some states, such as California, authorize statutory damages to be awarded to individuals whose information has been compromised.

Thus, state-specific data breach notification laws can result in significant notification expenses and civil penalties, many of which can be insured with the right kind of insurance policy providing coverage for these expenses.

For a list of state-by-state breach laws please see the following link: Security Breach Notification Chart | Perkins Coie

HIPAA generally applies to “covered entities” (Healthcare organizations, insurance) that provide healthcare-related services to individuals.  HIPAA provides for certain penalties in the event Protected Health Information is compromised.  The Office for Civil Rights can assess monetary penalties up to $1.5 million per year per type of violation.  Additionally, the Federal Trade Commission can bring enforcement actions for “unfair and deceptive practices” even for entities covered by HIPAA.  The Department of Justice has authority to prosecute certain violations and seek imprisonment of up to 10 years for certain violations.  Importantly, however, HIPAA does not provide an individual with a private right of action to sue a company.

The Federal Trade Commission Act of 1914 grants the FTC authority to regulate “unfair or deceptive acts or practices in or affecting commerce.”  15 U.S.C. § 45(a). Commonly, organizations can be subject to FTC enforcement actions for deceptive trade practices for failure to adhere to their website’s notice of privacy practices. The FTC has authority to conduct investigations and initiate administrative enforcement actions against an organization accused of committing an unfair or deceptive trade practice.  The FTC lacks authority to assess civil penalties on its own, but it can file suit in federal court if an FTC ruling is ignored and seek civil penalties up to $16,000 per violation along with compensatory damages for victims of unfair or deceptive trade practices.

The European Union enacted the General Data Protection Regulation, in part, to provide a uniform data security requirement across the European Union.  The GDPR applies to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”[12] The persons protected by the GDPR are referred to as “data subjects.”  The GDPR applies to “controllers”[13] or “processors”[14] outside the Union where the processing activities are related to:

1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

This means that GDPR can extend its reach outside the European Union to organizations doing business with citizens of the European Union.  GDPR imposes a multitude of strict regulations on the collection and use of data. GDPR confers the right to compensation and injury to individuals whose rights under GDPR have been violated. GDPR provides: “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”[15] There is no minimum or maximum compensation currently authorized by GDPR. However, penalties for violating the provisions of GDPR can reach as much as 2-4% of an organization’s worldwide annual revenue.  Thus, organizations doing business with European Union citizens should ensure they have an insurance policy in place that accounts for potential exposure to GDPR.

If an organization experiences a data breach, the regulatory and notification expenses are not the only liabilities the organization may face as a result of the data breach.  In recent years, high profile data breach class action suits have made headlines, including cases against Equifax, Uber, and countless other organizations that have suffered from cyber-attacks, ransomware, and unintentional data breaches. Generally, data breaches are candidates for class action suits because they typically affect large numbers of individuals in a uniformly applicable harm and arise out of a single event. Any litigation is costly to defend, but class action litigation typically results in substantial defense costs to organizations.  Typical defense costs for defending a single claim or lawsuit can easily reach into the six figures.  Depending on the case, class action defense costs have the potential to reach into the seven-figure range.

Because class action litigation seeks recovery on behalf of numerous individuals, and not just one individual plaintiff, class action litigation exponentially increases the liability exposure to organizations.  organization to have adequate insurance coverage for cyber-related losses. This section discusses some of the common methods by which an organization can be subject to civil liability for a data breach.

• Negligence
  • A person affected by a data breach may argue that an organization owed them a duty to maintain the security and confidentiality of their personal information.
• Breach of Contract
  • An organization may, through a contractual agreement, agree to maintain the security and confidentiality of a person’s information.  This can also serve as a foundation for a negligence action, where the affected party may argue the organization assumed a duty in tort to maintain the security and confidentiality of a person’s information.  In some situations, in the absence of an explicit written agreement to maintain the security of data, an argument can be made that an organization is under an implied contractual duty to maintain the confidentiality of data, based on the nature of the organization’s relationship with the affected individual.
• Invasion of Privacy
  • Indiana law recognizes three different subtypes of the tort of invasion of privacy. Chief among these causes of action is the tort of invasion of privacy by public disclosure of private facts.  Litigants have battled over the applicability in Indiana courts for decades, but there is potential for an organization to be sued for invasion of privacy by public disclosure of private facts arising from a data breach.  The damages in such cases are difficult to calculate, because the injury is the harm an individual has suffered to their right to privacy.  As a result, jury verdicts in such cases are difficult to predict and can often be fueled by emotion, typically resulting in a larger than expected verdict.
• Insurance subrogation
  • The above types of claims are typically brought by the party that has suffered a breach as a result of alleged fault of an organization or individual.  However, one often overlooked potential avenue for liability is liability to an affected party’s insurer.  In many cases, the insurer of a party that suffers a breach must pay expenses relating to the breach.  If the insurer is obligated to pay expenses resulting from a breach, most if not all insurance agreements allow the insurer to “step into the shoes” of their insureds and assert any claims their insured might have against any at-fault parties.  This occurs through a process called insurance subrogation.  For various reasons, a party that suffers a breach may opt not to bring suit against a party that causes or contributes to the breach.   One example would be an amicable ongoing business relationship that the parties do not want to tarnish through drawn out litigation.  However, it is possible an insurer that is required to pay expenses arising from a breach may still assert whatever claims their insured would have been legally entitled to bring.  This is a developing area of law that many parties may overlook in determining their exposure arising from a breach.