The Complicated Web of Noncompliance: Penalties Across State Data Breach Notification Laws

No two state data breach notification laws are alike - and this can create a complicated landscape for privacy teams working to assess privacy incidents and remain compliant across multiple jurisdictions. Think about it: 47 states, the District of Columbia, and three territories each have their own unique triggers, definitions, and requirements when it comes to assessing a privacy incident, determining if the incident is a data breach requiring notification, and then providing notification in a specified format to regulators and impacted individuals–and all within an increasingly specific time frame.

Then, if for some reason you are unable to follow the above process in compliance with the nuanced requirements of each state or territory, the potential penalties vary widely by state as well.

Finding Similarities–And Many Differences–in State Breach Notification Penalties

Organizations in highly regulated industries, with access to sensitive data, typically know the federal regulations that pertain to them inside and out. If you’re a privacy professional in a healthcare organization, understanding the HIPAA Data Breach Notification Rule is part of your job. Likewise, if you deal with privacy incidents in a financial institution, you are typically well aware of the requirement to notify in the event of a breach under the Gramm–Leach–Bliley Act.

But if you’re part of an organization working with sensitive data across multiple jurisdictions in the United States, staying on top of changing legislation and the requirements for compliance can be challenging. Part of that challenge is the many ways state penalties can vary from one state to another. For example, in Alaska and Nebraska, civil penalties are based upon the number of residents affected, while in the majority of states and territories, the penalty may be assessed per violation, per breach, or per series of breaches.

Part of my role as senior counsel and global privacy officer at RADAR includes performing audits of state data breach notification laws. A recent project auditing the potential monetary and legal consequences of noncompliance surfaced a few examples of the many, many ways states can differ when it comes to penalties.

Below are a few major differences in how states penalize lack of compliance with breach notification laws:

  1. Penalty issued per violation, per series of breaches or violations, per resident, or by some other method of calculation: The penalty may be defined as a certain amount per violation, per series of breaches, or per resident. In Rhode Island, the penalties are assessed per “record,” while Oklahoma structures its penalty to explicitly allow for a “series of breaches of a similar nature, discovered in a single investigation” to be counted as one single breach.
  2. Able to enforce an injunction, or not: Certain states, including Pennsylvania, South Carolina, and Tennessee, allow for the possibility of an injunction, which restrains the organization from conducting business and could result in a loss of revenue in addition to the fines imposed. Loss of revenue, depending upon the size of an organization, or the reputational loss that might occur, may be even more costly to an organization than any monetary penalties.
  3. Enforcement by the attorney general or another authority: Attorneys general are increasingly requiring notice of a data breach impacting a certain threshold of individuals within their state. In states such as Maryland, the Attorney General is also able to enforce penalties for a violation as an unfair or deceptive practice and pursue additional relief, including monetary fines and the possibility of an injunction (not to mention private rights of action based upon the same).
  4. Private right of action is statutorily authorized: In a state that allows a private right of action, like California, impacted individuals are able to institute a civil action to recover damages in addition to any penalties from regulatory authorities, while other states, like Colorado, do not explicitly provide for a private right of action. Other states, like Arizona, explicitly preclude a private right of action based upon the breach law.
  5. Restitution explicitly allowed or not: Arkansas, Illinois, Nevada, Pennsylvania, and the District of Columbia are the only jurisdictions that give the attorney general an explicit right to seek restitution.

This list of differences can go on and on – in Florida, delays in notification can increase statutory damages. The Arkansas breach statute authorizes misdemeanor charges, while the Idaho statute specifies a misdemeanor charge for government employees. The nuances of state penalties for noncompliance with data breach laws can have very real impacts on a privacy team already spread thin dealing with a data breach.

Tips for Privacy Professionals Dealing with Noncompliance Issues Across Multiple Jurisdictions

How can privacy teams stay abreast of the intricacies of ever-changing state breach notification laws, and stay compliant with the jurisdictional requirements? Here’s a good place to start.
