Massive, high-profile data breaches are constantly in the news. We still do not know the full consequences of the Equifax breach from a year and a half ago. As technological services become more ubiquitous in our everyday lives, more breaches will occur. However, it is a misconception that only large entities need to worry about data breaches.
Any entity that collects sensitive information about anyone is a target. As far back as seven years ago, the Ponemon Institute recognized this. It released a study concluding that, “[s]mall and midsize businesses … are at a greater risk of their employees mishandling data than enterprises.” Although large companies may seem the likelier targets because of the size and richness of their data, small and midsize businesses often lack adequate security controls and training. Attempts to breach such entities are therefore often easier and more successful.
The harms resulting from these breaches have been apparent for a while. However, the United States does not have a comprehensive federal information security or data breach notification law. There have been numerous attempts to pass comprehensive information privacy and data security laws. Most recently, Senator Mark Warner of Virginia attempted to address the security risks posed by Internet of Things devices, like Amazon’s Alexa and Google’s Google Home.
Congress, the courts and government agencies have been reluctant, for different reasons, to branch out into the information privacy space. Some of the slack has been picked up by the States. California has been a leader in this area, with numerous far-reaching laws covering various areas. Virginia has been on the other end of the spectrum, with very few laws addressing information privacy.
Information privacy, also known as data privacy, is the privacy of personal information. Its significance has grown alongside that of the internet, where personal information is constantly collected for, used by and stored on computer systems. Its web is inescapable: almost every modern business uses computer systems, in some way, to manage the personal information of others. Information privacy laws are attempts to address the new privacy harms felt by the general public after the introduction of these information systems.
Data breach notification laws were passed in response to the harms felt from the compromise of these systems. They set out the procedures that must be followed in the aftermath of a data breach. The goal of the laws is to promote better data security practices. This is exemplified by the carve-outs offered to entities that encrypt the data stored on their systems. Such a carve-out is offered to entities in Virginia and will be discussed more later.
Virginia has two data breach notification laws. One is designed for the breach of medical information and the other for the breach of all other information. Here, I will only cover the broader law, VA Code § 18.2-186.6, “Breach of personal information notification.” The law, and others like it, is designed to provide notice to affected individuals of data breaches involving their personal information. The burden to notify affected individuals is not too onerous, and it is important to comply with this law because the Office of the Attorney General has the authority to impose a civil penalty of up to $150,000 per breach. In addition, entities are liable under the statute for any direct economic damages caused to individuals. This is usually not a major concern, though, because the harms associated with data breaches usually do not occur instantly, and it is very difficult to establish a nexus between a specific data breach and a specific harm.
The data breach notification law can apply to any individual or entity transacting business in the Commonwealth. However, entities like banks, which are regulated under different privacy regimes, like Gramm-Leach-Bliley, are exempted under this statute to avoid double regulation.
A breach occurs when computerized data containing unencrypted or unredacted sensitive information about multiple individuals is accessed and acquired without authorization. In order to trigger the notification obligations under the Virginia statute, the entity must know or reasonably believe that the breach has caused or will cause identity theft or another fraud to a resident of the Commonwealth. The statute adopts a reasonable person standard. The standard applied will usually reflect the size and scale of the business: it compares the conclusions you drew, or should have drawn, to those that similar entities would have drawn.
There are three large carve-outs under this statute. One was briefly mentioned earlier: entities regulated under another privacy regime are usually able to ignore this statute. The second big carve-out is data that is encrypted. Because encrypted data cannot be read without decrypting it, access to it does not place the affected individuals in the same peril. The statute itself limits this carve-out, however: notice is still required if encrypted information is accessed and acquired in unencrypted form, or if the breach involves a person with access to the encryption key. In practice, this means the encryption carve-out is only as good as the separation between the encrypted data and the keys that protect it. The third carve-out is the good faith exception.
If an entity’s data is acquired by one of its own employees or agents in good faith, then the notification obligation is usually not triggered. However, the employee or agent of the breached entity must be acting within the scope of their employment or agency. In addition, access that was initially in good faith may become a breach if the information is later used for an unlawful purpose or subject to further unauthorized disclosure. Further, individuals are on notice after their first good faith breach not to make the same mistake again in the future.
If a breach has occurred, then you must give notification “without unreasonable delay” to the affected residents of the Commonwealth and to the Attorney General. Notice may reasonably be delayed to determine the size and scope of the breach and to restore the integrity of the affected system. Notice can be given in a number of ways: (1) written notice to the last known postal address in the records of the individual or entity; (2) telephonic notice; (3) electronic notice; or (4) substitute notice (but only if certain conditions are met).
Notice for the purposes of this statute must include five things: “(1) The incident in general terms; (2) The type of personal information that was subject to the unauthorized access and acquisition; (3) The general acts of the individual or entity to protect the personal information from further unauthorized access; (4) A telephone number that the person may call for further information and assistance, if one exists; and (5) Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.”