In the event that your organization or business suffers a data security breach that exposes the personal information of your employees or customers, you are likely subject to state breach notification laws. The question is: with which state’s laws must you comply?
If your organization operates in the State of Maine, you will have to comply with Maine’s Notice of Risk to Personal Data Act. Generally, that statute requires notice to Maine residents whose personal information has been exposed and has been, or is likely to be misused. 10 M.R.S.A. § 1348. If your organization does business or operates outside of Maine, or holds personal information of residents of other states, however, it may also be subject to a myriad of other states’ laws regarding breach notification. Nearly every state in the country[1] has enacted its own breach notification statute, and although many of these laws are similar, there are substantial and material differences between some of the laws.
For instance, different states have different standards regarding when notification obligations are triggered. Maine, New Hampshire and Vermont all require that a breached entity notify affected individuals when personal information has been misused, or there is a reasonably likelihood/possibility of misuse. These states focus on the actual or likely misuse of personal information. In contrast, Massachusetts, Rhode Island and Connecticut require notification upon the mere acquisition of personal information by an unauthorized party. No actual or reasonable likelihood of misuse is required to trigger notification obligations.
State laws also vary regarding what breached entities must include in their notice to affected individuals. Certain states require very specific information to be included in any notice. For example, New Hampshire requires that breached entities provide (1) a description of the incident in general terms; (2) the approximate date of breach; (3) the type of personal information obtained as a result of the security breach; and (4) the telephonic contact information of the person subject to the notification laws to each affected individuals. In contrast, other states do not provide specific content requirements. State laws vary regarding the permissible forms of notice. Some states require written notice, while others allow electronic or telephonic notice.
Once the notification obligation is triggered, all of the New England states require notice to be provided as soon as is reasonably possible. While this requirement allows for some flexibility, delay will be viewed unfavorably by state regulators and by the affected individuals. Prompt notice is critical.
Although a survey of every state’s breach notification laws is beyond the scope of this article, the following is a brief survey of the breach notification laws enacted in each of the New England states. Given the geographic proximity of these states, these laws are likely most relevant to Maine businesses and organizations and should be considered by organizations that regularly collect and maintain personal information.
It is important to understand with which laws your organization must comply before a breach occurs.
If you would like to talk with someone in more detail about what steps your organization should consider taking in the event of a security breach, please feel free to contact David McConnell or Joe Talbot directly 1-866-774-2635 or dmcconnell@perkinsthompson.com or jtalbot@perkinsthompson.com.