Revised State Data Breach Laws Demand Attention
I’ve written quite a bit during the past year about cybersecurity, urging lawyers to take seriously their obligations to protect client confidential information and to be judicious when acquiring technology and services that will be used to store and transmit client data. I’m returning to the topic of cybersecurity again today, this time to note that data breach notification laws in several states have been amended during just-completed legislative sessions.
Now might be a good time for law firm technology leaders to re-evaluate their cybersecurity operations and incident response plans. Have local laws changed in a way that calls for upgrades to technology or revisions to the processes currently in place for protecting client confidential information? Do local laws now protect additional types of client data? Have the notification time limits been shortened? Are there new affirmative defenses the firm might take advantage of?
These questions are worth asking on a regular basis. The lawyer’s ethical obligation to provide strong technology safeguards for client confidential information isn’t a “set it and forget it” matter. Technology changes, new threats emerge and compliance obligations evolve in response to an ever-changing cybersecurity landscape.
The Impact of Data Breach Notification Laws
A careful review of the local data breach notification law is a good first step when law firms begin to formulate their cybersecurity programs and incident response plans. Every state has a data breach notification law in place. Lawyer ethics guidelines are often just that — guidelines and encouragement to take reasonable steps to protect client confidential information.
Data breach notification laws, on the other hand, are detailed and prescriptive. They define which sorts of data trigger the firm’s notification obligation, how serious the data breach must be before clients and legal authorities must be informed, the time limit for issuing a breach notification, and the contents of the notification. In some jurisdictions, for example, a data breach involving client data that has been encrypted will not trigger a notification obligation. That is because the loss of encrypted data is believed not to raise significant security concerns.
In other jurisdictions, a data breach involving a small number of clients might not trigger a notification obligation. An errant email attachment containing client confidential information on a single client would likely not trigger a notification obligation under any state’s data breach notification statute (though other considerations, such as the terms of the retainer agreement, may require the firm to inform the client).
Some data breach laws contain affirmative defenses to the legal claims that often swirl in the wake of a data breach incident. During the 2020-21 legislative sessions, several state legislatures considered bills that would create affirmative defenses to tort claims arising from data breaches for firms that employ best practices in their security programs. In fact, Ohio enacted one such law in 2019, creating legal incentives for businesses to adopt strong cybersecurity protections. Law firm technology leaders would be remiss if they designed their firm’s cybersecurity infrastructure without attempting to take advantage of these legal protections.
Legislative Developments So Far This Year
In Connecticut, lawmakers passed two pieces of data breach legislation that should be of interest to attorneys in that state. The first, HB 5310, shortens the time for reporting a data breach from 90 to 60 days. The new law, signed by Gov. Ned Lamont on June 16, takes effect on Oct. 1, 2021.
Connecticut also enacted legislation that seeks to promote cybersecurity by eliminating tort liability for punitive damages for those businesses that have taken the time to build a robust cybersecurity program aligned with industry best practices. Substitute HB6607 provides in part:
In any cause of action founded in tort that is brought under the laws of this state or in the courts of this state and that alleges that the failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal information or restricted information, the Superior Court shall not assess punitive damages against a covered entity if such entity created, maintained and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry-recognized cybersecurity framework.
The new Connecticut law specifies several cybersecurity frameworks that qualify for punitive damages relief, including the influential Framework for Improving Critical Infrastructure Cybersecurity, published by the National Institute of Standards and Technology. HB6607 was signed by Gov. Ned Lamont on July 6 and goes into effect on Oct. 1, 2021.
This past March, Utah enacted the Cybersecurity Affirmative Defense Act (HB80), a law that creates an affirmative defense to claims that a business (1) failed to implement reasonable security measures that resulted in a breach of security, (2) failed to respond appropriately to a breach of security, or (3) failed to appropriately notify an individual whose personal information was compromised in a breach of security. A business will be entitled to assert an affirmative defense to these types of claims if it “creates, maintains, and reasonably complies with a written cybersecurity program” that meets requirements spelled out in the statute.
On June 14, Texas Gov. Greg Abbott signed HB3746, a law that requires the state attorney general to publish online notices of data breaches it receives from businesses in the state. Under current Texas law, businesses have 60 days to report a data breach from the time they become aware of it. HB3746 sets a 30-day time limit for publication by the attorney general.
Knowing that the data breach notice will be made public, Texas businesses will want to take care in drafting the notice — particularly when describing the actions taken following the breach — and should withhold from the notice any information that is confidential or that could compromise the security of the affected computer network.
Aside from state legislatures whose work has been completed, the efforts of lawmakers still at work this year will be worth watching, especially in light of the highly publicized increase in ransomware exploits across the globe. It’s never too early to begin preparing for potential compliance obligations when the writing is practically engraved on the wall.
Several data breach-related bills are under consideration in New York, where the 2019 Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) already imposes data breach notification requirements and demands that law firms “develop, implement and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.”
For example, S5808 would create a 15-day limit for disclosing a data breach. AB2500 would shorten the time limit to just five days. AB7612 would make the time limit even shorter — 24 hours following the discovery of the data breach, albeit for notice to state law enforcement agencies rather than to affected individuals. S2087 would create a business tax credit subsidizing the purchase of data breach insurance. Beyond that, S3003 would create a private right of action allowing consumers to sue businesses for damages when a data breach results in unauthorized access to their personal information.
In Pennsylvania, data breach legislation has been introduced that would require law firms to notify affected individuals — in excruciating detail — of the particulars of data breach incidents. SB608 calls for data breach notices to:
- Be written in plain language, clearly and conspicuously displayed
- Be titled “Notice of Data Breach”
- Contain the headings “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”
- Be written in text no smaller than 10-point type
- Be designed to call attention to the nature and significance of the information contained in the notice
SB608 also broadens the definition of “personal information” to include biometric data, geolocation data, data regarding religious beliefs, and login credentials.
Legislation in Tennessee (HB1551, SB1540) would reduce the data breach notification time limit from 45 days to 30 days. No action had been taken on these bills when the Tennessee General Assembly wrapped up its work for 2021, but they will be carried over into the next term.
Lawyers’ Role in Shaping State Legislation
So far we have covered states where legislative actions should motivate a law firm to re-examine and optimize its cybersecurity operations. In states where the laws are (so far) unchanged, lawyers may still have work to do. The needs of the business community are often top-of-mind considerations in state legislatures, so it is possible that bills under consideration can be influenced by constructive engagement with state lawmakers, either directly or through state bar associations. After all, laws drafted with the general business community’s needs in mind may not translate well to the particular needs of the legal profession.
Lawyers can also kick-start legislative initiatives in their jurisdictions by contributing expertise to reports and case studies that can be used as a basis for the introduction of new legislation on a particular matter. If liability limitations such as those passed in Utah or tax incentives like those under consideration in New York are appealing, now might be a good time to reach out to relevant lawmakers and let them hear your views.