Enforcement Under State Security Breach Notification Laws

Thirty-four states ' Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New
Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington and Wisconsin ' have enacted security breach notification laws. And Michigan passed such a law with an effective date of July 2, 2007. These laws cover the notification that a company must make in the event of a breach of security of its system with respect to computerized personal information. How are these laws enforced in the event of a violation? These laws vary in terms of enforcement and penalties, as more particularly described below. This article provides an overview of the enforcement of these laws and describes examples of penalties.

Enforcement By State Attorney General or State Regulator

State Attorney General Enforcement

A number of laws provide for enforcement by the state attorney general. Some laws provide that the attorney general may bring an action for injunctive relief. Other laws provide that the attorney general may bring an action in law or equity to address violations and for other relief to ensure compliance or to recover direct economic damages resulting from a violation, or both. Certain of these laws specify civil penalty amounts. For example, the Texas attorney general may bring suit to recover a civil penalty of between $2000 to $50,000 for each violation of the law, may bring an action for injunctive relief and is entitled to recover reasonable expenses in obtaining injunctive relief, civil penalties, or both. The court also may grant other equitable relief. The New York attorney general may bring an action for injunctive relief, and the court may award damages for actual costs or losses, including consequential financial losses, incurred by a person entitled to notice under the law where notification was not provided. The court also may impose a civil penalty of up to $150,000 for a knowing or reckless violation.

State Regulator Enforcement

Some laws provide for enforcement by the attorney general or a state regulator. By way of example, the Hawaii law provides for enforcement by
the attorney general or the Hawaii Office of Consumer Protection. The Maine law provides for enforcement by the attorney general or the Maine Department of Professional and Financial Regulation, where applicable.

Private Right of Action

Some laws provide for a private right of action. For instance, the California and Washington laws provide that a customer injured by a violation may bring a civil action to recover damages. Other laws define the amount of damages. For example, under the Louisiana law, a civil action may be brought to recover actual damages resulting from the failure to timely disclose to a person a breach of the security system resulting in the disclosure of the person's personal information. A person injured by a violation of the New Hampshire law may bring an action for damages and for equitable relief, including an injunction. If the court finds for the plaintiff, recovery is the amount of actual damages, and if the court finds that the act or practice was a willful or knowing violation, between two to three times the amount of actual damages is awarded. In addition, a prevailing plaintiff is awarded the costs of the suit and reasonable attorneys' fees.

Examples of Penalties

Administrative Fines

The Florida law provides for administrative fines. A person required to make a security breach notification that fails to do so within 45 days following the determination of a breach or receipt of notice from law enforcement is liable for an administrative fine in the amount of $,000 for each day the breach goes undisclosed for up to 30 days and, thereafter, $50,000 for each 30-day period for up to 180 days. If no notification is made within the 180-day period, the person is subject to an administrative fine of up to $500,000. These fines apply per breach and not per individual affected by the breach. The Florida Department of Legal Affairs may bring proceedings to assess and collect these fines.

Criminal Penalties

The Minnesota law provides for criminal penalties.

Corporate Dissolution or Revocation of Authority

The Vermont law provides for the authority of the attorney general, a state's attorney or a court to dissolve a domestic corporation or revoke the certificate of authority of a foreign corporation for a violation of the Vermont law.

Violation of State Unfair Practice Law

It is important to note that a number of state laws provide that a violation of the state law constitutes a violation of that state's unfair practice or similar law (e.g., Connecticut and Illinois).

Conclusion

Given how these state laws vary in terms of enforcement and penalties, it is imperative to refer to the state laws that are applicable to a particular situation for guidance. Congress is considering federal security breach notification legislation. But the different state security breach notification laws will continue to apply until a federal law is enacted that preempts these laws.

Melissa J. Krasnow is a partner in the Corporate Group of Dorsey & Whitney LLP, Minneapolis. She may be reached at [email protected].

Thirty-four states ' Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New
Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington and Wisconsin ' have enacted security breach notification laws. And Michigan passed such a law with an effective date of July 2, 2007. These laws cover the notification that a company must make in the event of a breach of security of its system with respect to computerized personal information. How are these laws enforced in the event of a violation? These laws vary in terms of enforcement and penalties, as more particularly described below. This article provides an overview of the enforcement of these laws and describes examples of penalties.

Enforcement By State Attorney General or State Regulator

State Attorney General Enforcement

A number of laws provide for enforcement by the state attorney general. Some laws provide that the attorney general may bring an action for injunctive relief. Other laws provide that the attorney general may bring an action in law or equity to address violations and for other relief to ensure compliance or to recover direct economic damages resulting from a violation, or both. Certain of these laws specify civil penalty amounts. For example, the Texas attorney general may bring suit to recover a civil penalty of between $2000 to $50,000 for each violation of the law, may bring an action for injunctive relief and is entitled to recover reasonable expenses in obtaining injunctive relief, civil penalties, or both. The court also may grant other equitable relief. The New York attorney general may bring an action for injunctive relief, and the court may award damages for actual costs or losses, including consequential financial losses, incurred by a person entitled to notice under the law where notification was not provided. The court also may impose a civil penalty of up to $150,000 for a knowing or reckless violation.

State Regulator Enforcement

Some laws provide for enforcement by the attorney general or a state regulator. By way of example, the Hawaii law provides for enforcement by
the attorney general or the Hawaii Office of Consumer Protection. The Maine law provides for enforcement by the attorney general or the Maine Department of Professional and Financial Regulation, where applicable.

Private Right of Action

Some laws provide for a private right of action. For instance, the California and Washington laws provide that a customer injured by a violation may bring a civil action to recover damages. Other laws define the amount of damages. For example, under the Louisiana law, a civil action may be brought to recover actual damages resulting from the failure to timely disclose to a person a breach of the security system resulting in the disclosure of the person's personal information. A person injured by a violation of the New Hampshire law may bring an action for damages and for equitable relief, including an injunction. If the court finds for the plaintiff, recovery is the amount of actual damages, and if the court finds that the act or practice was a willful or knowing violation, between two to three times the amount of actual damages is awarded. In addition, a prevailing plaintiff is awarded the costs of the suit and reasonable attorneys' fees.

Examples of Penalties

Administrative Fines

The Florida law provides for administrative fines. A person required to make a security breach notification that fails to do so within 45 days following the determination of a breach or receipt of notice from law enforcement is liable for an administrative fine in the amount of $,000 for each day the breach goes undisclosed for up to 30 days and, thereafter, $50,000 for each 30-day period for up to 180 days. If no notification is made within the 180-day period, the person is subject to an administrative fine of up to $500,000. These fines apply per breach and not per individual affected by the breach. The Florida Department of Legal Affairs may bring proceedings to assess and collect these fines.

Criminal Penalties

The Minnesota law provides for criminal penalties.

Corporate Dissolution or Revocation of Authority

The Vermont law provides for the authority of the attorney general, a state's attorney or a court to dissolve a domestic corporation or revoke the certificate of authority of a foreign corporation for a violation of the Vermont law.

Violation of State Unfair Practice Law

It is important to note that a number of state laws provide that a violation of the state law constitutes a violation of that state's unfair practice or similar law (e.g., Connecticut and Illinois).

Conclusion

Given how these state laws vary in terms of enforcement and penalties, it is imperative to refer to the state laws that are applicable to a particular situation for guidance. Congress is considering federal security breach notification legislation. But the different state security breach notification laws will continue to apply until a federal law is enacted that preempts these laws.

Melissa J. Krasnow is a partner in the Corporate Group of Dorsey & Whitney LLP, Minneapolis. She may be reached at [email protected].