The Equifax data breach, affecting about 145.5 million Americans, continues to provide income-enhancing opportunities for lawyers.
Under scrutiny now is the timing of Equifax's disclosure of the breach. Nearly six weeks elapsed between the time Equifax became aware of a problem and its disclosure of the problem. This is important because 48 states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have laws requiring notification of a data breach. (Alabama and South Dakota don't.)
A problem for a company experiencing a data breach is that these laws are not uniform. They differ on what counts as "personal information," on whether encrypted data is covered, on whether an investigation is required before notification, on who must be notified and on how quickly notification must be given.
If you're the lawyer for a company trying to respond to a data breach, you're going to have long days sorting out the company's compliance responsibilities in all jurisdictions and responding to troubling inquiries from various state attorneys general (some of whom are seeking re-election).
In Colorado, the data breach notification law says a breach occurs when there is an "unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality or integrity of personal information . . . ."
"Personal information" means a first name or first initial and last name, in combination with one or more of: Social Security number; driver's license or identification card number; or account number (including a credit or debit card number), together with any security code, access code or password required for account access.
When a company doing business in Colorado becomes aware of a security system breach, it must promptly and in good faith conduct an investigation to "determine the likelihood that personal information has been or will be misused." Unless this investigation concludes misuse has not occurred and is not reasonably likely to occur, the company must give notice of the breach to affected residents "as soon as possible."
To muddy things further, the law also says that "notice shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system." In other words, "as soon as possible" still leaves room for a law enforcement hold and for the time it takes to scope the breach and restore the system. If more than 1,000 Colorado residents are affected, the law also requires that notice go to the credit reporting agencies.
There is considerable debate whether giving notice of a data breach is a good idea. Some argue that notice makes things worse by inviting further cyberattacks. Others argue that widespread disclosure of data breaches helps to deter further attacks. In Colorado, the Legislature seems to have decided giving notice is the better bad choice.