Legaltech News, June 2017
The nuances of notifying stakeholders of a data breach across
the U.S. in compliance with disparate rules can be confusing
– adding delays, risk and cost to a period of time after a
breach that is already chaotic and stressful. Zach Warren,
editor-in-chief of Legaltech News, recently moderated a
discussion on the topic with Robert Braun, a partner at the
Los Angeles office of Jeffer Mangels Butler & Mitchell; Melissa
Krasnow, VLP Law Group partner; and Brookes Taney, vice
president of data breach solutions at Epiq.
“Differences in breach notification laws include the
definition of personal information, who is supposed to be
notified when a breach occurs, and the means by which
notifications must be sent,” Braun said. “It can be
What’s Reportable? Definitions and
All state breach notifications must follow the appropriate
law of the states in which the affected individuals reside,
“That’s why it’s important to compare the data file with
the national change-of-address database,” Taney said.
“If somebody moves, that may change what type of
notification letter they get.”
When it comes to breached electronic versus paper
information, all laws apply to a breach of electronically
held information. Ten states, however, have notification
statutes that apply both to electronic and paper breaches.
“It seems crazy, but if you have someone’s Social Security
number or credit card information plus their name
written on paper – and maybe there are a lot of these
papers or there are a lot of names on one paper … and it
suddenly disappears, depending on the language of the
law, you could have a breach,” Krasnow said.
More than half of all jurisdictions also require entities
to report breaches to the appropriate state attorney
Data breach notification laws vary in the 48 states that have them, as well
as the District of Columbia, Guam, Puerto Rico and the Virgin Islands.
THE GUIDE TO
BY ALLEN TAYLOR