Russian Cyberattack May Trigger State Security Laws And Notification Obligations


Now that entities are aware that at least 1.2 billion records have been compromised from websites spanning all industries, the question arises whether entities have an obligation to investigate whether their own websites have been breached, rather than simply waiting for that information to be released.

Some state security laws require entities to take “reasonable measures” to protect and secure data in electronic form containing personal information. The Massachusetts regulations, for example, specifically require entities to engage in regular monitoring to ensure that security measures are operating in a manner reasonably calculated to prevent unauthorized access to personal information, and to upgrade information safeguards as necessary to limit risks. In light of the massive cyberattack, organizations that collect data online should immediately test their websites for signs of intrusion and apply any available patches for their web servers, database servers, and applications. Organizations should also contact third-party service providers to confirm that those vendors are likewise taking measures to prevent fraud.

Organizations that were hacked may also have an obligation to notify affected consumers under state data breach notification laws, especially if the website collects data about California or Florida residents. Newly revised California and Florida data breach notification laws expand the definition of personal information to include a “user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” Under both laws, notification to consumers is required if personal information was, or is reasonably believed to have been, accessed as a result of a data breach. In addition, California requires notification to the state Attorney General if the breach affects more than 500 California residents, and Florida requires notification to the state Attorney General (the Department of Legal Affairs) if the breach affects 500 or more Florida residents. Florida’s law also imposes strict timing requirements by requiring entities to provide notice to the affected individuals and, if required, the Attorney General no later than 30 days after discovery of the breach or reasonable belief that a breach occurred.

This cyberattack also raises the question of whether other states’ data breach notification obligations are triggered even where those states do not define personal information to include usernames and passwords. Many state breach notification laws are triggered if personal information was, or is reasonably believed to have been, accessed by an unauthorized person. If the hackers can use the stolen usernames and passwords to gain access to additional personal information, that may trigger some states’ notification requirements. For example, North Carolina’s breach notification law specifically carves out usernames and passwords from its definition of personal information unless that information “would permit access to a person’s financial account or resources.” Although there are no reports that the hackers have attempted to gather additional personal information using the stolen usernames and passwords, companies should assess what personal information the hackers would be able to reach if they did log in to individual accounts, and determine whether the information accessible in that way would trigger other states’ data breach notification laws.

Topics:  Cybersecurity, Data Breach, Data Protection, Hackers, Notice Requirements, Personally Identifiable Information, Popular, Russia

Published In: Business Organization Updates, Communications & Media Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© JD Supra Perspectives | Attorney Advertising
