Now that entities are aware that at least 1.2 billion records have been compromised from websites spanning all industries, a question arises whether entities have an obligation to investigate whether their own websites have been breached, rather than simply waiting for that information to be released.
Some state security laws require entities to take “reasonable measures” to protect and secure data in electronic form containing personal information, and the Massachusetts regulations, for example, specifically require entities to engage in regular monitoring to ensure that security measures are operating in a manner reasonably calculated to prevent unauthorized access to personal information, and to upgrade information safeguards as necessary to limit risks. In light of the massive cyberattack, organizations that collect data online should immediately test their websites for intrusions and apply any available patches for their web servers, database servers, and applications. Organizations should also contact third-party service providers to ensure that those vendors are likewise taking measures to prevent fraud.
Organizations that were hacked may also have an obligation to notify affected consumers under state data breach notification laws, especially if the website collects data about California or Florida residents. Newly revised California and Florida data breach notification laws expand the definition of personal information to include a “user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” Under both laws, notification to consumers is required if personal information was, or is reasonably believed to have been, accessed as a result of a data breach. In addition, Florida and California require notification to the state Attorney General if the breach affects more than 500 residents in their respective states. Florida’s law imposes strict timing requirements on the notification by requiring entities to provide notice to the affected individuals and, if required, the Attorney General, no later than 30 days after discovery of the breach or reasonable belief that the breach occurred.
This cyberattack also raises questions regarding whether other state data breach notification obligations are triggered even if those states do not define personal information to include usernames and passwords. Many state breach notification laws are triggered if personal information was, or is reasonably believed to have been, accessed by an unauthorized person. If the hackers can use the username and password information to gain access to additional personal information, that may trigger some state notification requirements. For example, North Carolina’s breach notification law specifically carves out usernames and passwords from its definition of personal information unless the username and password information “would permit access to a person’s financial account or resources.” Although there are no reports that the hackers have attempted to gather additional personal information using the stolen usernames and passwords, companies should assess what personal information the hackers would be able to reach if they did access individual accounts, and then determine whether that accessible information would trigger other state data breach notification laws.