Overview
Most US states now have their own data breach notification law. If your business operations involve the storage and transfer of personal information, there are a couple of things you ought to know to reduce the risks and bring down the costs of compliance.
What are Data Breach Notification Laws?
Data breach notification laws are legislations that require businesses who suffer from a data breach to notify individuals whose personal information (e.g., name combined with SSN, drivers license or state ID, account numbers, etc.) may have been compromised in the incident. The main purpose of these mandates is to prevent those individuals from getting victimized by identity thieves and other fraudsters.
Whenever a data breach involves a large amount of personal information, there's always a good chance that information could end up in hacker forums or online marketplaces in the dark web. There, they could be bought by other cyber criminals who (depending on the kind of personal data involved) may use them to acquire credit cards, steal tax refunds, file health claims, or a carry out a host of other fraudulent acts.
To prevent these fraudulent acts from succeeding, US state legislators passed these breach notification laws. By compelling companies who suffer from a breach to send out breach notifications, legislators hope to give affected individuals ample time to carry out countermeasures. For example, individuals could change passwords, request for fraud alerts, request for credit security freezes, etc.
All good, right? Well, not for everyone.
Adverse effect on businesses
Depending on the state, breach notifications are supposed to be distributed through regular mails, emails, phone calls, or publications on the Internet or major statewide media (e.g. TV, radio, newspapers). These public disclosures can be quite costly; and we're not just talking about the costs of sending out the notifications.
The nature and magnitude of these public disclosures can cause considerable damage to a company's reputation. Companies who have had to disclose data breach incidents are known to have subsequently suffered financial losses as a result of abnormal customer churn, forced discounts, footing credit monitoring and identity protection fees, hefty lawsuits, and many others.
The article "Thoughts On The Rising Cost of Data Breach And How To Reduce Risk" offers a more in-depth discussion on the additional costs companies incur following a data breach disclosure.
You can't just sweep a breach under the rug either. States typically levy hefty fines on companies who are found guilty of neglecting their breach notification responsibilities.
Absence of a federal data breach notification law
The problem is further compounded by the absence of a unifying federal data breach notification law. Because these data breach notification laws vary from state to state, companies and other covered entities who operate in multiple states or who transact with businesses in other states need to pay attention to the nuances or risk violating one state's provisions despite already complying with another. This can result in additional administrative and legal consultation costs.
Encryption as safe harbor
Fortunately, most of these state data breach notification laws provide a form of safe harbor that allow businesses to avoid those costly public disclosures. That safe harbor is encryption. Encryption renders data unreadable. Even if encrypted data is stolen (assuming the encryption is strong enough and the decryption key is safe), the confidentiality of whatever information it had would still be safe.
And so, what these laws say is that (although the specific text may vary): breach disclosure / notification requirements only apply to data breaches that involve unencrypted personal data. If the personal information was encrypted, then notification is not required.
Note, however, that, although the far majority do, not all states offer this kind of exemption.
States and territories offering encryption as safe harbor for data breach notification law
As far as we know, these are the US states and insular territories that have enacted legislation for data breach notification:
Disclaimer: This chart is only for illustrative purposes. Please consult your lawyers if you need to verify its accuracy.
| State | Offers encryption as safe harbor | Montana | Offers encryption as safe harbor |
| Alaska | Yes | Nebraska | Yes |
| Arizona | Yes | Nevada | Yes |
| Arkansas | Yes | New Hampshire | Yes |
| California | Yes | New Jersey | Yes |
| Colorado | Yes | New York | Yes |
| Connecticut | Yes | North Carolina | Yes |
| Delaware | Yes | North Dakota | Yes |
| Florida | Yes | Ohio | Yes |
| Georgia | Yes | Oklahoma | Yes |
| Hawaii | Yes | Oregon | Yes |
| Idaho | Yes | Pennsylvania | Yes |
| Illinois | Yes | Rhode Island | Yes |
| Indiana | Yes | South Carolina | Yes |
| Iowa | Yes | Tennessee | - |
| Kansas | Yes | Texas | Yes |
| Kentucky | Yes | Utah | Yes |
| Louisiana | Yes | Vermont | Yes |
| Maine | Yes | Virginia | Yes |
| Maryland | Yes | Washington | Yes |
| Massachusetts | Yes | West Virginia | Yes |
| Michigan | Yes | Wisconsin | Yes |
| Minnesota | Yes | Wyoming | Yes |
| Mississippi | Yes | District of Columbia | - |
| Missouri | Yes | Puerto Rico | Yes |
| Montana | Yes | Virgin Islands | Yes |
A complete list of US states and territories that have enacted breach notification laws along with links to the corresponding statutes can be found here.
As you can see, an overwhelming majority of US state and territories offer exemptions for encrypted personal information. It should therefore be safe to say that, regardless which state you're in or which state the person or organization you're transacting with is currently located, strong encryption with well managed encryption keys can help you avoid breach notifications.
The need for end to end encryption
In today's highly connected world, personal information can be in several places. In most cases, it can be at rest, in a database or filesystem. However, there are instances when it can also be in transit, such as when it's traversing LANs or WANs while it's being transferred from one business unit to another or from one organization to another.
In cases wherein personal information can either be at rest or in transit, the best way to secure it would be by implementing end-to-end encryption. End-to-end encryption basically encrypts data before, during, and after it crosses a network. This will ensure that the data is safe from unauthorized access regardless where it's located.
End-to-end encryption is usually achieved by combining three or more solutions. One solution for providing data-at-rest encryption, another for data-in-transit encryption, and yet another for transferring the encrypted files.
How a managed file transfer server can help in achieving compliance
A managed file transfer server is an advanced B2B solution that enables the secure, efficient, and automated transfer of data.
Recommended read: Exploring Use Cases for Managed File Transfer
A good managed file transfer server like JSCAPE MFT Server already has built-in support for secure file transfer protocols like FTPS, SFTP, WebDAVs, and HTTPS, which provide data-in-transit encryption, as well as OpenPGP, which provides data-at-rest encryption. In other words, this is a single solution that readily provides end-to-end encryption.
Using a single solution can help you reduce administrative costs as well as simplify your data breach notification law compliance initiatives.
Get Started
JSCAPE MFT Server comes with a free, fully-functional evaluation edition. If you'd like to give it a test run, download it now.
Related posts
What The EU-US Safe Harbor Is All About And How It May Affect Your Business
How To Install A SFTP Server on Windows
Securing HIPAA EDI Transactions with AS2