Data Breach Notification Requirements in the United States and European Union


Note: This article originally appeared on Jeffreyneu.com

This brief analyzes more than 40 United States Breach Notification laws, the American Recovery and Reinvestment Act, and compares those requirements with EU Directives 2002/58/EC, 2002/21/EC, and the Data Protection Working Party Opinion 1/2009 on 2002/58/EC proposed amendments. This brief does not address individual EU member states’ implementations of EU Directives 2002/58/EC and 2002/21/EC.

Executive Summary

Both the United States and European Union require certain entities to notify individuals when their personal information has been breached. In the United States, State Breach Notification Laws (BNLs) require persons and organizations to notify individuals whose personal information has been "breached." BNLs generally apply to any entity which possesses certain classes of personal information, such as social security numbers or account numbers. The usual elements of a breach are as follows, with common variations in parentheses:

1. (Reasonable likelihood of) Unauthorized and Bad Faith
2. Acquisition of
3. Unencrypted or Unredacted
4. (Computerized) Personal Information,
5. (Which is likely to cause harm).

Absence of one or more of these elements will defeat the notification requirement, whereas mere knowledge of a potential breach will often trigger a duty to investigate.[1] With the exception of certain health information breaches,[2] breach notification requirements are not yet Federalized.

The approach of European Union Directives varies in two key aspects: First, the EU adopts a broader definition of "personal information," or "personal data." Second, in contrast to United States BNLs, European Union Directives impose notification requirements based on economic sectors rather than data possession. The table below illustrates the differences in approaches, by example, which may not be correct under every circumstance.

Notification Required?

Example Breached Information | Information Protected In | Communications Sector (US / EU) | Private Sector (US / EU) | Public Sector (US / EU)
-----------------------------|--------------------------|---------------------------------|--------------------------|------------------------
IP Address & Name            | EU                       | No / Yes                        | No / No                  | No / No
Itemized Bill                | EU                       | No / Yes                        | No / No                  | No / No
Name & SSN                   | US & EU                  | Yes / Yes                       | Yes / No                 | Varies / No
Name & Password              | US & EU                  | Yes / Yes                       | Yes / No                 | Varies / No

Anatomy of US Breach Notification Laws

Data breaches are regulated by the states, with the exception of health information breaches, which were Federalized under the American Recovery and Reinvestment Act of 2009 (the Stimulus Package), whose notification provisions mimic state BNLs.[3]

Since California passed the Security Breach Information Act of 2003,[4] all but a handful of States have enacted similar breach notification laws. These laws require consumer notification when sensitive personal information is accessed by an unauthorized person. Each law imposes subtly different duties and requirements on stewards of personal information.

Legislative findings in several states emphasize the importance of preserving trust and confidentiality.[5] Other legislatures emphasize the need to protect consumers from identity theft and other misuse of personal information.[6] Still others aim to encourage businesses to protect personal information,[7] decrease identity theft,[8] or to protect the "confidential relationship" among financial institutions, creditors, and customers.[9] Some US statutes create a right of action for third-party data owners, such as financial institutions, without creating an equivalent right for data subjects.[10]

Covered Entities

Without traceable legal precedent,[11] breach notification laws treat data as a type of property, and apply to entities that "own" or "license" personal information. Despite the legal ambiguity surrounding the concept of "owning" personal information, a surprising number of notification statutes do not expressly define the term. Those that do often define "owning" broadly, to include all entities that "retain" personal information for a legitimate purpose.[12] Licensees of personal information must also notify the data owners in the event that the personal information is breached on their watch.[13]

In addition to notification obligations, breach notification laws often impose additional duties, which vary depending upon the storage media. For example, California businesses have a duty to properly destroy "any material, regardless of the physical form, on which [personal] information is recorded or preserved by any means…" including graphic, audio, and written information in all forms.[14] However, a notification requirement is triggered only upon unauthorized acquisition of computerized data.[15] In contrast, Hawaii requires notification of a breach, regardless of the media the personal information was stored on.[16]

Breach notification laws can reach beyond state borders because they apply to entities that maintain personal information about residents, even if the breached database is located out-of-state.[17] For example, Arizona imposes a notification duty on any natural, legal, or corporate entity "that conducts business in this state and that owns or licenses unencrypted computerized data that includes personal information" of Arizona residents.[18] Several other states impose broad duties on any person, group, or corporate entity that maintains personal information of state residents.[19] And others bifurcate duties among special classes of actors, such as state or local municipalities.[20] In several instances, municipalities or state agencies may be exempt from notification or other parts of the law altogether.[21] Other common classes of exempted businesses are financial institutions subject to the Gramm-Leach-Bliley Act of 1999 (GLB),[22] medical institutions subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA),[23] consumer reporting agencies,[24] or any business subject to more stringent law.[25] Some statutes create unusual notice exemptions, for information brokers[26] and even property and casualty insurers.[27]

The practical effect of these exemptions is limited because they are far from uniform. Although an interstate financial institution may choose to scrupulously adhere to the technical details of each state's rules, such a strategy may have negative public relations consequences. In fact, in an effort to limit public relations damage, many companies now exceed statutory minimum requirements and provide credit monitoring services to breach victims.[28] As a practical matter, organizations that maintain customer information and operate in more than one state will likely be subject to the most stringent combination of all states' notification laws.

Breach of the Security of the System

California's Security Breach Information Act first adopted the term "breach of the security of the system," which is defined as an "unauthorized acquisition of computerized [personal] data."[29] Entities covered by the statute cannot defeat its provisions simply by failing to secure personal information, because California's law also creates a duty to "provide reasonable security" for personal information.[30] A breach of the security of the system triggers notification to the affected individuals.[31] A breach consists of several common components, which vary by state. The usual elements of a breach are as follows, with common variations in parentheses:

1. (Reasonable likelihood of) Unauthorized and Bad Faith
2. Acquisition of
3. Unencrypted or Unredacted
4. (Computerized) Personal Information,
5. (Which is likely to cause harm).

Absence of one or more of these elements will defeat the notification requirement, whereas mere knowledge of a potential breach will often trigger a duty to investigate.[32]

Unauthorized and Bad Faith Acquisition

At least seventeen breach notification laws trigger an unqualified duty to notify when personal information is acquired by an unauthorized individual.[33] New York quantifies factors that help determine unauthorized access, including indications that the information is in the "physical possession and control of an unauthorized person," that it has been "downloaded or copied," or that an unauthorized person has used it to commit a crime.[34] A few states broaden the notification trigger to include acquisitions that were "reasonably believed" to have occurred.[35] In contrast, states like Florida and Idaho narrow the acquisition requirement to "illegal" or "unlawful" acquisition of personal information, before imposing a notification duty.[36] The remaining statutes impose no duty to notify if the breach will not reasonably cause harm to the affected individuals.

Notification requirements are defeated if the transaction of personal information is authorized by the data owner, not necessarily the individual. This point is reiterated in several statutes which somewhat redundantly declare that "good faith" acquisitions do not constitute a breach.[37] Once a person yields personal information to a third party, breach notification laws do not preserve his right to authorize or disallow further dissemination of his personal information. The right to authorize use of personal information belongs to the data steward, who is free to authorize or license the data to third parties as it sees fit, or in accordance with contract or other law. Absent a customer contract to the contrary, the only difference between an authorized and unauthorized acquisition of personal information may be a marketing agreement.

Unencrypted or Unredacted Sensitive Personal Information

In general, encrypting or redacting personal information eliminates the obligation to notify, because encrypted or properly redacted personal information is unreadable or unusable.[38] Indiana law extends this exception to stolen laptops, if they are merely password-protected.[39]

Broadly speaking, "personal information" is any information about a person, including a birth date, a favorite color, or a pet’s name. However, not all personal information is objectively sensitive or identifying. Breach notification laws tend to protect specific enumerated sets of personal information deemed to be universally sensitive.

All US BNLs require notification when a person’s unencrypted or unredacted name, in conjunction with their social security number, or financial account number and password, is breached.[40] Other common sets of protected information include driver’s license numbers,[41] medical information,[42] and biometric indicators.[43] California’s law also places additional obligations when handling 34 other types of sensitive personal information.[44] In general, the last four digits of the Social Security Number are not protected.[45]

Likelihood of Harm or Misuse

States as diverse as New Hampshire, Colorado, Delaware, Idaho, Kansas, Maryland, and Michigan impose a "likelihood of misuse" or "harm" test before requiring notification.[46] However, "misuse" is not defined in many of the statutes, and many give no standard for determining "likelihood" or "harm." Arizona applies a narrow definition of "harm," requiring notification only if a breach "is reasonably likely to cause substantial economic loss to an individual."[47] Here, notification is only triggered when there is a likelihood of economic loss. These statutes do not recognize the harm of embarrassment, loss of confidentiality, or lost privacy.

Notice

Once all of the components of a breach are satisfied,[48] a covered entity must notify the affected individuals about the incident, in general terms.[49] Data owners must first make an effort to contact the affected individuals directly. In most states, primary notice consists of written or certified electronic notice,[50] telephone,[51] or some other form of communication with which the business regularly contacts customers, in accordance with an established information security policy.[52] In addition, third-party licensees of information must notify the data steward if a breach occurs.[53] Substitute notice is allowed in the event that the entity does not have sufficient contact information,[54] or if the affected class is sufficiently large, or if the cost of notification would cause undue economic hardship.

States vary radically on how they balance economic hardship. New Hampshire and Pennsylvania have the most lenient threshold for providing substitute notice. In those states, an entity may avoid direct contact if the cost would exceed $5,000, or the affected class of individuals is larger than 1,000.[55] Nebraska and Ohio provide a tiered approach: small businesses or agencies with ten or fewer employees have substantially lower thresholds of cost and class size than larger entities.[56] And Wyoming takes a decidedly protectionist stance, requiring out-of-state entities to demonstrate a cost of $250,000 or a class of 500,000 individuals, while in-state persons or businesses need to demonstrate a burden of only $10,000 or 10,000 persons to qualify for substitute notice.[57] In general, substitute notice thresholds range from $100,000-$250,000 for cost of notice, or an affected class of 200,000-500,000.[58]

Although multi-state businesses could strictly adhere to the notice provisions state by state, the practical public relations effect is that interstate businesses will have to meet a $250,000 and 500,000 person burden, or demonstrate that they do not have sufficient contact information, before taking advantage of the much cheaper Substitute Notice provisions. With very few variations, substitute notice consists essentially of three things: E-mail notification (when available), notification on the company’s website, and notification to statewide media.[59]

Entities must deliver primary or substitute notice quickly, after verifying the scope of the breach and securing the data system, subject to the needs of any law enforcement investigation. Statutes have nuanced definitions of expediency, from "the most expedient time possible and without unreasonable delay,"[60] to "as soon as reasonably practicable."[61] Florida and Wyoming require notification "without unreasonable delay," but "no later than 45 days following the determination of the breach."[62] The recent Stimulus Package requires HIPAA-covered entities to act within 60 days.

Finally, several states require entities to notify third parties when breaches occur, such as consumer reporting agencies, state consumer affairs departments, and state Attorneys General's offices.[63] However, they need not divulge the names or personal information of the individuals affected.[64]

Civil Penalties and Private Rights of Action

Often the state's Attorney General[65] can recover civil penalties if a covered entity fails to provide proper notice of a data breach.[66] Several states classify breaches as a deceptive business or trade practice, and impose civil penalties for violations.[67] Not all states specify a maximum civil penalty.[68] In contrast, Arizona provides for a maximum penalty of $10,000 per incident,[69] while Texas imposes a maximum penalty of $50,000.[70] New York's civil penalty is capped at $150,000,[71] while Florida tops out at $500,000.[72] Finally, Michigan imposes a maximum $750,000 civil fine for failing to notify its residents of a breach.[73] Some states, including Utah, expressly prohibit a private cause of action based on a failure to notify,[74] while Delaware and Wyoming leave open the possibility of a private lawsuit.[75]

A few states, including California and Minnesota, expressly authorize a private right of action, though it's unclear exactly what kinds of damages are cognizable.[76] Possible types of damages include apprehension, emotional distress, fear of fraud, loss of money, loss of property, identity theft, false arrest, ineligibility for benefits, the burden and cost of credit monitoring, closing compromised credit accounts, scrutinizing credit card statements indefinitely, loss of privacy, and damage to reputation, to name a few. Several cases have focused on the right of customers to recover for the cost of identity theft protection and mental distress caused by the increased risk of fraud after a data breach. They have generally failed. Some commentators have suggested that requiring data owners to provide identity theft protection for victims is analogous to medical monitoring damages after exposure to toxic substances.[77] Medical monitoring claims seek to mitigate the long-term risk of disease by recovering for the cost of periodic medical examinations.[78] By analogy, under this theory a data steward would be responsible to pay for identity theft monitoring where there is: "(1) significant exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; (3) the necessity and effectiveness of credit monitoring in detecting, treating, and/or preventing identity fraud."[79] However, this reasoning has been rejected by several courts.[80]

In general, courts have held that "costs of purchasing a credit monitoring product" and "time and money spent monitoring … credit" are not recoverable as a matter of law, where "no unauthorized use of … personal information has occurred."[81] In those circumstances, any injury is purely speculative until fraud, identity theft or other misuse actually occurs. Without showing actual or imminent injury, plaintiffs lack Article III standing to recover for an alleged increased risk of identity theft.[82] Mere apprehension of future fraud or misuse is also insufficient to recover for emotional distress damages.[83]

Once plaintiffs suffer cognizable harm, they must demonstrate "but-for" causation. This requirement can be insurmountable, because it is often impossible to demonstrate a criminal's source of personal information, and the criminal may be located in another country or be judgment-proof.[84] Victims can recover cognizable damages only when they are able to demonstrate the breach of a duty, and proximate causation. In one example, a union regularly sent members' sensitive personal information home with an employee. The employee's daughter stole the data and used it to commit several counts of identity theft. The court found that a special relationship existed between the plaintiff and the union, and that the union did not protect against the foreseeable risk of identity theft, because the union "knew confidential information was leaving its premises and no procedures were in place to ensure the security of the information."[85] The plaintiff was therefore able to recover damages against the union.

In Minnesota, breach notification statutes expressly authorize a private right of action, and a duty to properly dispose of sensitive records.[86] A school improperly dumped educational records which included information about a student's IQ, psychological, intellectual, and functional abilities in a school dumpster. The papers blew out of the dumpster and were recovered by fellow students, who used the information to mock the boy. The boy recovered $60,00 in damages for pain and emotional distress and $80,000 for future embarrassment.[87] The court held that the Minnesota statute creates a duty to destroy records, that the school breached that duty, and that the boy suffered proximate harm due to the failure.[88] However, absent relatively rare duties to maintain confidentiality, recovering against a breaching entity is exceedingly difficult.

Other Theories of Liability

In his thorough article, Cybersecurity, Identity Theft, and the Limits of Tort Liability, Vincent R. Johnson explores other theories of liability for private suits in states which do not expressly provide for a private cause of action.[89] Even in those states, an individual may be able to rely upon a notification statute as the basis for a suit alleging negligence per se, where the breach of the duty to notify causes proximate harm to the plaintiff. In the landmark case Palsgraf v. Long Island Railroad, Judge Cardozo articulated a fundamental principle of tort liability: that foreseeability and risk of harm define the duty to another.[90] Economically efficient laws place duties on those who can most efficiently prevent harm.[91] Often, data owners are in the best position to prevent harm to customers by increasing security measures to decrease the foreseeable risk of breaches and hacks. Next, failure to correct statements (such as privacy policies) which have become false or misleading in light of new events may create a tortious cause of action if the data steward fails to warn customers about foreseeable risks to personal information.[92] In contrast, privacy torts (such as Appropriation of Likeness) are only applicable where the sale or abuse of personal information dilutes the property value of reputation or prestige,[93] or when the breached information causes extreme emotional distress.

Even absent a court-imposed tort duty, a data steward may voluntarily assume the duty to protect data, most commonly in a privacy policy.[94] Under this contract theory, the entity is liable if he induces another to rely on his promise to exercise care, to the other’s detriment. In states where data is treated as property, the law accrues harms and benefits of personal information to the "owner" or steward. Minnesota’s notification law has a strong tendency to treat data as property, by providing an express remedy to credit card companies for the cost of replacing credit cards,[95] but failing to create a private right of action for harm to individuals.[96] However, several courts have held that privacy policies are notices, not contracts, and are therefore not generally binding.[97]

American Recovery and Reinvestment Act (ARRA)

Congress recently passed the American Recovery and Reinvestment Act (ARRA), colloquially known as the "Economic Stimulus Package." Buried in Subtitle D of the massive spending plan, Congress federalized breach notifications for HIPAA-regulated entities. ARRA preempts the few state BNLs which regulate health information breaches. Indeed, a few states already exempt HIPAA-regulated entities from even reporting breaches of social security numbers.[98] ARRA is currently the only Federal breach notification law, but Congress is likely to pass additional breach legislation in the future. ARRA mimics state notification laws in form and substance, with subtly different elements and duties. An ARRA breach consists of:

1. Unauthorized and Bad Faith
2. Acquisition, Access, Use, or Disclosure of
3. Unencrypted or Unredacted
4. Protected Health Information,
5. Which compromises the security or privacy of such information,
6. Where an unauthorized person could likely retain such information.

ARRA Covered Entities

ARRA applies to "covered" entities under the meaning of 45 CFR 160.103. These entities include Health Plans, Health Care Providers, and Health Care Clearinghouses. The statute dramatically broadens the ambiguous state-law concept of "data owners," and applies to any HIPAA-covered entity that "accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information."[99] "Protected Health Information" means "individually identifiable health information" which is stored or transmitted.[100] Such information may include personal information not directly related to health, such as a full name, social security number, date of birth, home address, account number, or disability code.[101] The law also requires third-party contractors or "business associates" to report breaches to the covered entity.[102]

The statute also reaches well beyond traditional "covered entities" to any service provider or vendor of personal health records. Presumably, this would include data warehouses like Google or Microsoft, each of which has or has announced plans to create online consumer health records warehouses. However, these vendors need only report breaches to the FTC, which will investigate the event as a deceptive trade practice.

ARRA Breach Components

Like typical BNLs, ARRA requires HIPAA-regulated entities (but not vendors) to notify each individual if their "unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of [a] breach."[103] The legislation gives liberal exceptions for good faith and inadvertent disclosure, as long as the information is not breached further.[104] Redaction or encryption using reasonable technology is an absolute defense to a breach.[105]

ARRA Breach Notice

The breaching entity must notify individuals and the Secretary of Human Services "without unreasonable delay," and within 60 days of the discovery of the breach.[106] The covered entity must notify the individual directly if possible, and must also post a notice on their website if the breach involves 10 or more victims who are not directly reachable. Unlike State BNLs, ARRA contains no economic hardship provision which would limit the duty to notify individuals in the case of very large breaches. If the breach involves more than 500 residents of a single state, the covered entity must notify the statewide media.[107] The notification must include a brief description of the incident, the date of the breach, the date of the discovery, a description of the types of protected health information breached, and steps individuals should take to protect themselves from potential harm resulting from the breach. The notification must also briefly describe the investigation, efforts to minimize losses, and protect from future breaches. Finally, the letter must contain contact information for individuals who wish to ask questions or learn more information, including a toll-free phone number, e-mail address, website, or postal address.[108]

ARRA Liability

ARRA provides for civil and criminal liability for negligent or willful violations of this law.

Anatomy of European Union Breach Laws

EU breach notification requirements differ in key aspects from United States' BNLs. First, the concept of "personal information" is much broader in the EU, compared with the United States. U.S. BNLs regulate persons and organizations which "own" narrow classes of highly-sensitive personal information, such as social security numbers, while EU Directives regulate the exposure of any personal information. In this sense, EU laws are substantially broader. Second, EU laws regulate economic sectors. Directive 2002/58/EC regulates only the Communications sector, but not the broader "Information Society Service" sector. This means, for example, that a laptop theft from an ISP where the computer contains users' personal information is a breach. But the same laptop stolen from an online store currently does not constitute a "breach." Third, EU Directives envision national regulatory bodies which coordinate all breach notifications. No single analogous organization (or uniform State entity) exists in the United States.

Despite approaching the problem of breaches from different perspectives, the EU directives and US laws contain several analogous provisions. EU Directive 2002/58/EC emphasizes the importance of protecting confidentiality,[109] and even encourages minimal collection of personal data in the communications sector.[110]

Covered Entities

EU Directives impose notification requirements based on an organization’s economic sector. Directives 2002/21/EC (’21) and 2002/58/EC (’58) apply only to the electronic communications sector. Examples of "electronic communications services" are television broadcasters, Internet Service Providers, and Cell Phone companies.[111] Further, the Directive applies only to personal information collected from customers for the purpose of buying service.[112] In other words, the directive only protects personal data processed by ISPs, Cell phone and Cable companies; for example, users’ credit card numbers or e-mail addresses.

Notification requirements specifically do not apply to the broader class of "information society services,"[113] which are covered by Directive 2000/31/EC.[114] The definition of "Information Society Services" is broad, essentially encompassing any paid service which utilizes modern communication systems[115] in order to provide service.[116] In the information age, this includes almost every conceivable service with customer interactions.[117] United States BNLs, in contrast, make few (if any) regulatory distinctions based on economic sector. However, these directives are under review by the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (Working Party). The Working Party has recommended that the '58 Directive be extended to Information Society Services, arguing that an extension "is necessary given the ever increasing role these services play in the daily lives of European citizens, and the increasing amounts of personal data processed by these services."[118]

Breach of the Security of the Network

Neither the '58 nor '21 Directives clearly define what constitutes a "breach," or whether a notification requirement accrues to a breaching entity. However, '58 imposes a duty to notify service subscribers of "particular risk[s] of a breach of the security of the network," along with tips to mitigate the risk.[119] Presumably, an actual breach would constitute a "particular[ly high] risk of a breach," and would therefore incur a duty to notify.

Notice

The Directives anticipate that every breach will be reported to a national regulatory agency, but may not be reported to individuals if the breach does not pose a substantial risk.[120] Absent an explicit duty to notify individuals, the Working Party recommends that "security breaches should be notified to data subjects when they may lead to adverse effects to individuals' privacy and data protection." The notification should be in a harmonized format, which includes clear and objective criteria that assist in assessing adverse effects of the breach.[121]

At least one proposed amendment to the data privacy directives would create a safe harbor for organizations which meet a minimum duty of care by installing “appropriate technological protection measures” to secure personal information, exempting them from all breach notifications. However, the Working Party opposes the amendment because, “[a]ffected users may only be in the position to take appropriate measures to mitigate the risks they are facing if they have been adequately informed…regardless of the technical measures that were actually taken to protect their data.”[122]

Authorized Use

United States BNLs grant authority to use personal information in property law terms such as "owning" or "licensing" data. Bad-faith, unauthorized use constitutes a breach. Similarly, in the EU, authority to use personal information emanates from the entity which possesses it, though the Directives do not invoke a property-like concept of personal information.[123] The '58 Directive further creates an affirmative duty to restrict access to personal information from third parties, limiting access "to what is necessary" for any given activity.[124] The intent of the '58 Directive is to require third parties acting under the authority of service providers to assume strict duties to protect the information.[125]

Definition of Personal Information

In the United States, protected personal information typically consists of narrow classes of information. However, the '58 Directive indicates that personal data incorporates a broad range of information about a person, including "traffic data,"[126] "location data,"[127] and line items in itemized bills.[128]

In contrast to the United States, the Directives are silent about whether encrypting or redacting personal information nullifies a breach. However, the Working Party Opinion 2.2 seems to indicate that even breaches of encrypted personal information must be reported to a national regulatory agency.[129]

Likelihood of Harm or Misuse

Risk analysis also bears on whether notification is necessary. In the US, several states incorporate a “Likelihood of Harm or Misuse” test when determining whether a breach has occurred. In the EU, no analogous risk-analysis test currently applies. However, the Working Party recommends creating one, not for purposes of determining whether a breach occurred, but for determining whether an individual notification requirement exists. Such a test would attempt to avoid unnecessarily alarming individuals or flooding authorities with minor cases by considering several factors, including the amount of data breached, the sensitivity of the data, and the potential for adverse effects such as identity theft, financial loss, and loss of business or employment opportunities.[130]

Other Duties

In order to comply with the ’58 Directive, electronic communications service providers owe several duties to subscribers. These duties can establish a minimum duty of care and a standard of care for negligence claims in civil litigation. They include taking appropriate technical measures, such as software and encryption safeguards, to protect personal information,[131] and fully informing subscribers of potential risks to their personal information.[132]

Enforcement

Directive 2002/58/EC anticipates that each Member State will provide judicial remedies for failure to comply with its requirements.[133] The Working Party also recommends that national regulatory authorities be authorized to disclose a breach to the public independently, and to impose fines if a service provider fails to fully report a personal data breach.[134] Detecting a concealed breach may require auditing and additional regulation.



[1] See, e.g., Colo. Rev. Stat. § 6-1-716(2)(a); Del. Code tit. 6, § 12B-102(a); Idaho Code § 28-51-105(1); Kan. Stat. § 50-7a02(a); Me. Rev. Stat. tit. 10 § 1348(1)(A); Md. Code, Com. Law § 14-3504(b)(1) (Requiring an investigation when the entity becomes aware of a breach.); La. Rev. Stat. § 51:3074(G) (Imposing a duty to investigate when personal information was or was "reasonably believed to have been acquired by an unauthorized person.").

[2] See American Recovery and Reinvestment Act (ARRA), Subtitle D. http://www.opencongress.org/bill/111-h1/text

[3] See American Recovery and Reinvestment Act (ARRA), Subtitle D. http://www.opencongress.org/bill/111-h1/text

[4] Cal. Civ. Code §§ 1798.82-84.

[5] See, e.g. N.H. Rev. Stat. § 359-C:2.

[6] See, e.g. Ga. Code § 10-1-910(4),(7).

[7] Ark. Code § 4-110-102(a)-(b); Cal. Civ. Code § 1798.81.5(a); R.I. Gen. Laws § 11-49.2-2(1).

[8] R.I. Gen. Laws § 11-49.2-2(1); Ga. Code: 10-1-910(6)-(7).

[9] N.H. Rev. Stat. 359-C:2(I)-(II).

[10] See, e.g. Minn. Stat. § 325E.64 Subd. 3(5).

[11] Treating data as property has few roots in intellectual property law, whether the data are treated as first- or third-party property. Most personal information, such as names, addresses, phone numbers, and social security numbers, consists of facts. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8. Although innovative arrangements of information are themselves copyrightable, facts are not. Feist Publications, Inc. v. Rural Telephone Service, 499 U.S. 340, 363-64, 111 S.Ct. 1282, 1297 (1991) (Holding that an alphabetized collection of personal facts in a phone book is not copyrightable because 1. Facts are not copyrightable, and 2. The phone book lacks minimally creative selection, coordination, and arrangement. "As a statutory matter, 17 U.S.C. § 101 does not afford protection from copying to a collection of facts that are selected, coordinated, and arranged in a way that utterly lacks originality.") Patent law protects novel methods, processes, and physical compounds, but does not create first- or third-party ownership interests in personal information. 35 U.S.C.A. §§ 101-102. Facts in a database may qualify for trade secret protection under state law, but only if the information meets stringent requirements and remains secret. 19 NO. 7 Intell. Prop. & Tech. L.J. 5, 8.

[12] Cal. Civ. Code § 1798.81.5(a); R.I. Gen. Laws § 11-49.2-2(1); Ark. Code § 4-110-103(6).

[13] See, e.g., Ark. Code § 4-110-105(b); Cal. Civ. Code § 1798.82(b); Colo. Rev. Stat. § 6-1-716(2)(b); Conn. Gen Stat. § 36a-701b(c); Del. Code tit. 6, § 12B-102(b); Fla. Stat. § 817.5681(2)(a); Ga. Code § 10-1-912(a); Haw. Rev. Stat. § 487N-2(b); Idaho Code § 28-51-105(2); Ind. Code § 4-1-11-6(a); Kan. Stat. § 50-7a02(b); La. Rev. Stat. § 51:3074(B); Me. Rev. Stat. tit. 10 § 1348(2); Md. Code, Com. Law § 14-3504(c)(1); M.G.L.A. 93H § 3(a); Mich. Comp. Laws 445.72 § 12(2); Minn. Stat. § 325E.61 Subdiv. 1(b); Mont. Code § 30-14-1704(2); Nev. Rev. Stat. § 603A.220(2); N.Y. Gen. Bus. Law § 899-aa(1)(d)(3).

[14] Cal. Civ. Code § 1798.80(b).

[15] Cal. Civ. Code § 1798.82(d).

[16] Haw. Rev. Stat. § 487N-2(a) (Requiring notification of a breach of personal information in any form, "whether computerized, paper, or otherwise.")

[17] California’s prototypical statute reaches “well beyond California’s borders, potentially affecting any company, person or agency that has a computer database containing any California resident’s ‘personal information.”’ Tyler Paetkau & Roxanne Torabian-Bashardoust, California Deals with ID Theft: The Promise and the Problems, Bus. L. Today, May-June 2004, at 37, 37.

[18] Ariz. Rev. Stat. § 44-7501(A), (L)(5) (2007 S.B. 1042, Chapter 23)

[19] See, e.g., Mont. Code Ann. §§ 30-14-1702(1)(a), -1704(1)-(2) (2005) (imposing a notification duty on “[a]ny person or business that conducts business” and defining a business as “a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution…or the parent or the subsidiary of a financial institution.”); N.D. Cent. Code § 51-30-02 (Supp. 2005) (creating an obligation to notify for “[a]ny person that conducts business”).

[20] See e.g., Ohio Rev. Code § 1347.12.

[21] See, e.g., Ariz. Rev. Stat. § 44-7501(L)(5) (2007 S.B. 1042, Chapter 23) (exempting notification requirements for breaches made by public safety officials, courts, and municipal prosecutors); Ga. Code Ann. §§ 10-1-911(2), -912(a) (Supp. 2005) (exempting “any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes”).

[22] Ariz. Rev. Stat. § 44-7501(J)(1); Colo. Rev. Stat. § 6-1-716(2)(p); Mich. Comp. Laws § 445.72(8)(b); N.H. Rev. Stat. § 359-C:20(VI)(b); Oregon, 2007 S.B. 583, Chapter 759 Section 3(8)(c); Tenn. Code § 47-18-2107(i); D.C. Code § 28-3852(c); Vt. Stat. tit. 9 § 2445(d)(1) (exempting financial institutions from duty to destroy personal information). Though the GLB requires financial institutions to publicize their privacy policies and establish internal safeguards and procedures to protect consumer personal information, the statute does not require consumer notification in case of a breach. Gramm-Leach-Bliley Act of 1999, Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. §§ 6801–6809.

[23] Ariz. Rev. Stat. § 44-7501(J)(2); Cal. Civ. Code § 1798.81.5(e)(3); Haw. Rev. Stat. § 487N-2(g)(2); Mich. Comp. Laws § 445.72 Sec. 12(10); Oregon, 2007 S.B. 583, Chapter 759 Sec. 12(2)(c); R.I. Gen. Laws § 11-49.2-7; Vt. Stat. tit. 9 § 2445(d)(2) (exempting health insurers and health care facilities from duty to destroy personal information). Until recently, entities covered by HIPAA were not required to notify individuals of breaches. See American Recovery and Reinvestment Act (ARRA), Subtitle D. http://www.opencongress.org/bill/111-h1/text

[24] Vt. Stat. tit. 9 § 2445 (d)(3) (exempting consumer reporting agencies from duty to destroy personal information).

[25] Oregon, 2007 S.B. 583, Chapter 759 Section 3(8)(b).

[26] See Ga. Code Ann. §§ 10-1-911(2), -912(a) (Supp. 2005) (limiting the obligation to “information brokers,” or “any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties.” Coincidentally, the major data broker ChoicePoint is headquartered in Georgia. ChoicePoint suffered a large and well-publicized data breach in 2005.).

[27] Me. Rev. Stat. tit. 10 §1347 (6)(E) (2005).

[28] See, e.g., BusinessWeek, Firm to settle suits stemming from employee’s theft of records, April 12, 2008, http://investing.businessweek.com/research/stocks/news/article.asp?docKey=600-200804120545KRTRIB__BUSNEWS_17116-3JDVBU48S0DAEKQKKHUA7RFHFT&timestamp=04/12/2008%205:45%20AM%20ET&headline=Firm%20to%20settle%20suits%20stemming%20from%20employee’s%20theft%20of%20records%20%5BThe%20Kansas%20City%20Star%2C%20Mo.%5D&docSource=Knight%20Ridder/Tribune&provider=ACQUIREMEDIA&symbol=SAI (Accessed June 13, 2008).

[29] Cal. Civ. Code § 1798.82(d).

[30] See, e.g., Cal. Civ. Code § 1798.81.5(a),(b). Ark. Code § 4-110-104(b).

[31] Cal. Civ. Code § 1798.82(a).

[32] See, e.g., Colo. Rev. Stat. § 6-1-716(2)(a); Del. Code tit. 6, § 12B-102(a); Idaho Code § 28-51-105(1); Kan. Stat. § 50-7a02(a); Me. Rev. Stat. tit. 10 § 1348(1)(A); Md. Code, Com. Law § 14-3504(b)(1) (Requiring an investigation when the entity becomes aware of a breach.); La. Rev. Stat. § 51:3074(G) (Imposing a duty to investigate when personal information was or was "reasonably believed to have been acquired by an unauthorized person.").

[33] See, e.g., Ariz. Rev. Stat. § 44-7501(L)(1) (2007 S.B. 1042, Chapter 23); Cal. Civ. Code § 1798.82(a); Colo. Rev. Stat. § 6-1-716(1)(a); Conn. Gen Stat. § 36a-701b(a); Del. Code tit. 6, § 12B-101(1); Fla. Stat. § 817.5681(4); Ga. Code § 10-1-911(1); Haw. Rev. Stat. § 487N-1; Idaho Code § 28-51-104(2); 815 ILCS 530/5; Ind. Code § 4-1-11-2(a); Kan. Stat. § 50-7a01(h); La. Rev. Stat. § 51:3073(2); Me. Rev. Stat. tit. 10 § 1347(1); Md. Code, Com. Law § 14-3504(a)(1); M.G.L.A. 93H § 1(a); Mich. Comp. Laws § 445.63(3)(b); Minn. Stat. § 325E.61(1)(a); Mont. Code § 30-14-1704(1); Nev. Rev. Stat. § 603A.020; N.J. Stat. § 56:8-161(10); N.Y. Gen. Bus. Law § 899-aa(1)(c); Ohio Rev. Code § 1347.12(2)(a); Tenn. Code § 47-18-2107(a)(1); Utah Code § 13-44-102(1)(a); Vt. Stat. tit. 9 § 2430(8)(A); D.C. Code § 28-3851(1).

[34] N.Y. Gen. Bus. Law § 899-aa(c).

[35] See, e.g., Cal. Civ. Code § 1798.82(a); R.I. Gen. Laws § 11-49.2-3(a); Wash. Rev. Code § 19.255.010(1); Ark. Code § 4-110-105(a)(1) (Requires notification when a breach is "reasonably believed" to have occurred.).

[36] See, e.g., Fla. Stat. § 817.5681(4); Idaho Code § 28-51-104(2).

[37] See, e.g., Ariz. Rev. Stat. § 44-7501(L)(1); Ark. Code § 4-110-103(1)(B); Cal. Civ. Code § 1798.82(d); Colo. Rev. Stat. § 6-1-716(1)(a); Del. Code tit. 6, § 12B-101(1); Fla. Stat. § 817.5681(7); Ga. Code § 10-1-911(1); Haw. Rev. Stat. § 487N-1; Idaho Code § 28-51-104(2); 815 ILCS 530/5; Ind. Code § 4-1-11-2(b)(1); Kan. Stat. § 50-7a01(h); La. Rev. Stat. § 51:3073(2); Md. Code, Com. Law § 14-3504(a)(2); M.G.L.A. 93H § 1(a); Mich. Comp. Laws 445.63 § 3(b)(i); Minn. Stat. § 325E.61(1)(b); Mont. Code § 30-14-1704(1); Nev. Rev. Stat. § 603A.020; N.J. Stat. § 56:8-161(10); N.Y. Gen. Bus. Law § 899-aa(1)(c); Ohio Rev. Code § 1347.12(2)(a), § 1347.19(A)(1)(b)(i).

[38] See, e.g., Ariz. Rev. Stat. § 44-7501(L)(1); Colo. Rev. Stat. § 6-1-716(1)(d)(I); Conn. Gen Stat. § 36a-701b(a); Del. Code tit. 6, § 12B-101(1); Ga. Code § 10-1-911(5); Haw. Rev. Stat. § 487N-1; Idaho Code § 28-51-104(2); 815 ILCS 530/5; Ind. Code § 4-1-11-5(a); Kan. Stat. § 50-7a01(h); La. Rev. Stat. § 51:3073(4)(a); Me. Rev. Stat. tit. 10 § 1347(6); Md. Code, Com. Law § 14-3501(d)(1); M.G.L.A. 93H § 1(a); Mich. Comp. Laws 445.72 § 12(1)(a); Minn. Stat. § 325E.61(1)(a); R.I. Gen. Laws § 11-49.2-3(a); Tenn. Code § 47-18-2107(a)(1); Utah Code § 13-44-102(1)(b); Vt. Stat. tit. 9 § 2430(5)(A); D.C. Code § 28-3851(1).

[39] Ind. Code § 24-4.9-2-2(b)(2).

[40] See, e.g., Utah Code § 13-44-102(3).

[41] See, e.g., Colo. Rev. Stat. § 6-1-716(1)(a).

[42] See, e.g., Ark. Code § 4-110-103(1)(A).

[43] See, e.g., M.G.L.A. 93H § 1(a).

[44] Cal. Civ. Code § 1798.81.5(d)(1), 1798.82(e).

[45] See, e.g., Ind. Code § 4-1-11-3(b)(1); Nev. Rev. Stat. 603A.040(3); see also Ohio Rev. Code § 1347.12(A)(9) (Stating that a Social Security Number is properly redacted if only the last four digits are exposed).

[46] N.H. Rev. Stat. § 359-C:20(I)(a); Colo. Rev. Stat. § 6-1-716(2)(a); Del. Code tit. 6, § 12B-102(a); Idaho Code § 28-51-105(1); Kan. Stat. § 50-7a02(a); Md. Code, Com. Law § 14-3504(b)(2); Mich. Comp. Laws 445.72 § 12(1).

[47] Ariz. Rev. Stat. § 44-7501(K)(1) (2007 S.B. 1042, Chapter 23).

[48] Namely, 1. (Reasonable likelihood of) Unauthorized and Bad Faith 2. Acquisition of3. Unencrypted or Unredacted 4. (Computerized) Personal Information, 5. (Which is likely to cause harm).

[49] See, e.g., Haw. Rev. Stat. § 487N-2(d)(1) (Requiring that notice of the breach describe "[t]he incident in general terms."). See also N.H. Rev. Stat. § 359-C:20(IV)(a).

[50] Cal. Civ. Code § 1798.82 (g).

[51] See, e.g., Colo. Rev. Stat. § 6-1-716(1)(c)(II).

[52] See, e.g., Ariz. Rev. Stat. § 44-7501(E); Cal. Civ. Code § 1798.82(h); Colo. Rev. Stat. § 6-1-716(3); Ga. Code §§ 10-1-911(3)(C)(iii)

[53] See, e.g., Mich. Comp. Laws 445.72 § 12(1)(a); Cal. Civ. Code § 1798.81.5(c); Ariz. Rev. Stat. § 44-7501(B); Ark. Code § 4-110-105(b).

[54] See, e.g., Ark. Code § 4-110-105(e)(3)(A)(iii).

[55] N.H. Rev. Stat. 359-C:20 (III)(d); see also, Vt. Stat. tit. 9 § 2435(b)(5)(B) (Allowing substitute notice if the cost exceeds $5,000 or the class of affected individuals exceeds 5,000).

[56] Neb. Rev. Stat. § 87-801 (4)(e); Ohio Rev. Code § 1347.12(E)(5).

[57] Wyo. Stat. § 40-12-502 (d)(iii).

[58] See, e.g., Cal. Civ. Code § 1798.82(g)(3) (Requiring persons to demonstrate a $250,000 cost or class of affected individuals over 500,000); Haw. Rev. Stat. § 487N-2(e)(4) (Requiring persons to demonstrate a $100,000 cost or class of affected individuals over 200,000).

[59] See, e.g., Cal. Civ. Code § 1798.82(g).

[60] See, e.g., Cal. Civ. Code § 1798.82(a).

[61] Md. Code, Com. Law § 14-3504(b)(2).

[62] Fla. Stat. § 817.5681(1)(a); Wis. Stat. § 895.507(1)(cm)(3).

[63] See, e.g., Colo. Rev. Stat. § 6-1-716(2)(d) (Must notify all consumer reporting agencies where breach exceeds 1,000 people); Ga. Code § 10-1-912(d) (Must notify all consumer reporting agencies where breach exceeds 10,000 people); Haw. Rev. Stat. § 487N-2(f) (Must notify all consumer reporting agencies and Hawaii’s Office of Consumer Protection where breach exceeds 1,000 people); 815 ILCS 530/12(d) (Must notify all consumer reporting agencies where breach exceeds 1,000 people); Ind. Code § 4-1-11-10 (State agencies must notify all consumer reporting agencies where breach exceeds 1,000 people); Kan. Stat. § 50-7a02(f) (Must notify all consumer reporting agencies where breach exceeds 1,000 people); La. Rev. Stat. 32:4 (Must notify Louisiana Attorney General); Me. Rev. Stat. tit. 10 § 1348(4),(5) (Must notify all consumer reporting agencies, Department of Professional and Financial Regulation, or Attorney General where breach exceeds 1,000 people); Md. Code, Com. Law § 14-3504(h) (Must notify Maryland Attorney General); M.G.L.A. 93H § 3(b) (Must notify the Director of Consumer Affairs, Attorney General, and consumer reporting agencies); Mich. Comp. Laws 445.72 § 12(8) (Must notify all consumer reporting agencies where breach exceeds 1,000 people).

[64] See, e.g., N.H. Rev. Stat. § 359-C:20(I)(b) ("Nothing in this section shall be construed to require the person to provide to any regulator or the New Hampshire attorney general’s office the names of the individuals entitled to receive the notice or any personal information relating to them.")

[65] Pisciotta v. Old Nat’l Bancorp., 499 F.3d 629, 637 n.8 (7th Cir. 2007) (Louisiana law "provides as the exclusive remedy an action by the Attorney General against the database owner.").

[66] See, e.g., Ariz. Rev. Stat. § 44-7501(H); Ark. Code § 4-110-108; Colo. Rev. Stat. § 6-1-716(4); Kan. Stat. § 50-628; Me. Rev. Stat. tit. 10 § §1349(1); Minn. Stat. § 325E.61 Subd. 6; N.D. Cent. Code § 51-30-07; Ohio Rev. Code § 1347.12(G); Tenn. Code § 47-18-2105(a).

[67] See, e.g., 815 ILCS 530/12 Sec. 20. ("A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act"); Tenn Code § 47-18-2106(b) ("any violation of the provisions of this part shall be construed to constitute an unfair or deceptive act or practice"); Conn. Gen Stat. § 36a-701b(g).

[68] See, e.g., D.C. Code § 28-3853(b) ("Attorney General may recover a civil penalty not to exceed $100 for each [residents’ breached information], the costs of the action, and reasonable attorney’s fees.").

[69] Ariz. Rev. Stat. § 44-7501(H).

[70] Tex. Bus. & Com. Code § 48.201.

[71] N.Y. Gen. Bus. Law § 899-aa(6)(a) (A "court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one hundred fifty thousand dollars.");

[72] Fla. Stat. § 817.5681(1)(b)(2).

[73] Mich. Comp. Laws § 445.72 Sec. 12(13) (Recovery of civil fine of not more than $250 for each individual, not totaling more than $750,000.00).

[74] See, e.g., Utah Code § 13-44-301(1)-(2)(a) ("Nothing in this chapter creates a private right of action").

[75] Del. Code tit. 6, § 12B-104 ("The provisions of this chapter are not exclusive and do not relieve an individual or a commercial entity subject to this chapter from compliance with all other applicable provisions of law."); Wyo. Stat. § 40-12-502(f) (The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.)

[76] Cal. Civ. Code § 1798.84(b) ("Any customer injured by a violation of this title may institute a civil action to recover damages."); Minn. Stat. § 13.05 Subd. 5(2).

[77] Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L. Rev. 255, 305-311 (2005) (Noting the analogy between toxic torts and cybersecurity breaches.).

[78] Potter v. Firestone Tire & Rubber Co., 863 P.2d 795, 821 (Cal. 1993) (citing Ayers v. Twp. of Jackson, 525 A.2d 287, 308 (N.J. 1987)). See also, Badillo v. American Brands, Inc., 16 P.3d 435, 439 (Nev. 2001).

[79] Stollenwerk v. Tri-West Healthcare Alliance, No. 03-0185PHXSRB, 2005 WL 2465906, at *4 (D. Ariz. Sept. 6, 2005) (But, "as a matter of law identity theft and credit monitoring must still be differentiated from toxic torts and medical monitoring"); see also People v. Ware, No. H025167, 2003 WL 22120898, *2 (Cal. Ct. App. Sept. 11, 2003) (affirming an award of restitutionary damages to a victim of identity theft, including “$100 per year for monitoring the adverse consequences on her credit rating”).

[80] Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705, 709-12 (S.D.Ohio 2007); Henry v. Dow Chemical Co., 473 Mich. 63, 701 N.W.2d 684, 692 (2005) (Rejecting the medical monitoring analogy, concluding that "our common law requires a present injury in addition to economic loss incurred as a result of that injury.").

[81] Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705, 709-12 (S.D.Ohio 2007); see also Ponder v. Pfizer, 522 F.Supp.2d 793, 798 (M.D. La. 2007) (Holding that actual damages are only realized when "someone actually use[s] the disclosed information to [plaintiff’s] detriment."); Hendricks v. DSW Shoe Warehouse, Inc., 444 F.Supp.2d 775 (W.D.Mich. 2006) (Holding that "purchase of a credit monitoring product" is not "actual damages or a cognizable loss."); Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018, 1020-21 (D.Minn. 2006) (Holding that "expenditure of time and money" for credit monitoring does not constitute injury or damages because it "was not the result of any present injury, but rather the anticipation of future injury that has not materialized." "[T]hreat of future harm, not yet realized, will not satisfy the damage requirement."); Key v. DSW, Inc., 454 F.Supp.2d at 690 (Holding that an "alleged increase in risk of future injury is not an ‘actual or imminent’ injury," and must therefore fail.).

[82] Randolph v. ING Life Insurance and Annuity Co., 486 F.Supp.2d 1, 11 (D.D.C. 2007) (Holding that in a stolen laptop case where no evidence of fraud or identity theft has occurred, "[p]laintiffs have failed to allege an injury in fact and thus lack Article III standing."); Nat’l Treasury Employees Union, 101 F.3d at 1427 (citing Lujan, 504 U.S. at 560, 112 S.Ct. 2130, 119 L.Ed.2d 351); Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) (Holding that standing is an "irreducible constitutional minimum.").

[83] Pisciotta v. Old Nat’l Bancorp., 499 F.3d 629, 639-40 (7th Cir. 2007) (Refusing to compensate for "emotional distress and worry that third parties will use [the plaintiffs’] confidential personal information to cause economic harm.").

[84] Brent Wible, A Site Where Hackers Are Welcome: Using Hack-In Contests to Shape Preferences and Deter Computer Crime, 112 Yale L.J. 1577, 1581-85 (2003), at 1582 (Contending that “hackers tend to be judgment proof”).

[85] Bell v. Michigan Council, Not Reported in N.W.2d, 2005 WL 356306 at *5 (Mich.App.).

[86] Minn. Stat. § 13.05 subd. 5(2).

[87] Scott v. Minneapolis Public Schools, Special Dist. No. 1, No. A05-649, 2006 WL 997721 (Minn. App. Apr. 18, 2006).

[88] Scott v. Minneapolis Public Schools, Special District No. 1, Not Reported in N.W.2d, 2006 WL 997721, *3 (Minn.App. 2006) (Holding that Minn.Stat. § 13.02, subd. 16 (2002) and § 13.08, subd. 1 creates a duty to individuals, not just a broad duty against disclosure of records.).

[89] Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L. Rev. 255 (2005).

[90] Palsgraf v. Long Island Railroad Co., 162 N.E. 99, 100 (N.Y. 1928).

[91] Kline v. 1500 Massachusetts Avenue Apartment Corp., 439 F.2d 477 (D.C. Cir. 1970).

[92] McGrath v. Zenith Radio Corp., 651 F.2d 458, 468 (7th Cir. 1981) (Holding that the failure to correct earlier true statements which have become false or misleading was fraudulent); see e.g., Note 134, where a breaching entity continues to assert that "your personal information is safe," in the wake of a severe data breach. But see Note 64, where a business responds to a data breach by attempting to disclaim all duties.

[93] Rest. 2d Torts § 652C cmt (1977) (Explaining that "[if] the benefit derived from the sale in no way relates to the social or commercial standing of the person whose information is sold… [then] a person whose personal information is sold does not have a cause of action for appropriation against the [person] who sold the personal information.").

[94] See generally, Restatement (Third) of Torts: Liab. for Physical Harm § 42 (Proposed Final Draft No. 1, 2005) (discussing duty based on undertaking).

[95] Minn. Stat. § 325E.64 Subd. 3.

[96] Minn. Stat. § 325E.61 Subd. 6.

[97] Citation Pending.

[98] Ariz. Rev. Stat. §44-7501 (J)(2); Cal. Civ. Code §1798.81.5(e)(3); Haw. Rev. Stat. § 487N-2(g)(2); Mich. Comp. Laws § 445.72 Sec. 12(10); Oregon, 2007 S.B. 583, Chapter 759 Sec. 12(2)(c); R.I. Gen. Laws § 11-49.2-7; Vt. Stat. tit. 9 § 2445 (d)(2) (exempting health insurers and health care facilities from duty to destroy personal information)

[99] American Recovery and Reinvestment Act, H.R. 1, § 13402(a).

[100] 45 CFR 160.103.

[101] ARRA, H.R. 1, § 13402(f)(2).

[102] ARRA, H.R. 1, § 13402(b).

[103] ARRA, H.R. 1, § 13402(b).

[104] ARRA, H.R. 1, § 13400.

[105] ARRA, H.R. 1, § 13402(h)(1)(A)-(B).

[106] ARRA, H.R. 1, § 13402(d)(1).

[107] ARRA, H.R. 1, § 13402(d).

[108] ARRA, H.R. 1, § 13402(f).

[109] Directive 2002/58/EC Preamble (21)

[110] Directive 2002/58/EC Preamble (30)

[111] Directive 2002/21/EC Article 2(c).

[112] Directive 2002/58/EC Article 3(1).

[113] Directive 2002/21/EC Article 2(c).

[114] Directive 2000/31/EC currently does not require consumer notification for breaches.

[115] Directive 2002/21/EC Article 2(a) defines "electronic communications network" as “transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed;”

[116] Directive 2002/21/EC Article 2(c).

[117] Directive 98/34/EC as amended by Article 1(2) of Directive 98/48/EC defines an Information Society Service as "…any service normally provided for remuneration, at a distance, by electronic means… [except] radio…[and] television broadcasting services."

[118] Working Party Opinion 2.1

[119] Directive 2002/58/EC Article 4(2).

[120] Working Party Opinion 2.1: “Notwithstanding their obligation to notify the competent national regulatory authorities of all breaches whenever there is a risk of adverse effects, service providers should determine if notification to subscribers or individuals is required.” Working Party Opinion 2.2: “…breach notifications [to national regulatory agency] should include information about the circumstances of the breach, including whether personal data had been protected by encryption…”

[121] Working Party Opinion 2.1.

[122] Working Party Opinion 2.2.

[123] Directive 2002/58/EC Articles 6(5), 9(3) requires personal information to be used only by persons “acting under the authority of” the communications providers.

[124] Directive 2002/58/EC Articles 6(5), 9(3)

[125] Directive 2002/58/EC Preamble (32): “Where the provider of an electronic communications service or of a value added service subcontracts the processing of personal data necessary for the provision of these services to another entity, such subcontracting and subsequent data processing should be in full compliance with the requirements regarding controllers and processors of personal data as set out in Directive 95/46/EC.”

[126] Directive 2002/58/EC Article 2(b).

[127] Directive 2002/58/EC Article 2(c).

[128] Directive 2002/58/EC Article 7(1).

[129] Working Party Opinion 2.2: “…breach notifications [to national regulatory agency] should include information about the circumstances of the breach, including whether personal data had been protected by encryption…”

[130] Working Party Opinion 2.1, fn. 4: “The qualitative and quantitative criteria for assessing the impact of adverse effects will need to be defined precisely during the comitology procedure…”

[131] Directive 2002/58/EC Article 4(1), Preamble (20).

[132] Directive 2002/58/EC Article 4(2), Preamble (20).

[133] Directive 2002/58/EC Preamble (47).

[134] Working Party Opinion 2.1.
