Preparing a Data Security Breach Notice Letter | Practical Law

This Legal Update provides guidance and drafting tips for developing data security breach notice letters.

Preparing a Data Security Breach Notice Letter

Practical Law Legal Update 0-524-2428 (Approx. 4 pages)

by Practical Law Intellectual Property & Technology
Published on 17 Jun 2014
USA (National/Federal)
Most states, the District of Columbia, Puerto Rico and the US Virgin Islands have enacted data breach notification laws requiring businesses and other entities to notify affected individuals when a data breach involving their personally identifiable information (also referred to as PII or personal information) occurs. Most recently, Kentucky became the 47th state to enact a data breach notification law. Other states continue to periodically amend their data breach notification laws.
The requirements of these laws vary and sometimes conflict, creating a compliance challenge for companies suffering a data security breach affecting individuals residing in multiple states. No single form letter guarantees compliance with all of these laws. However, a common strategy to respond to this challenge is to:
  • Review the breach notification laws for each relevant state (meaning each state where individuals whose personal information is held by the company reside).
  • Draft one template letter that meets the requirements of most of those states, and one or more additional template letters for states with individualized requirements where affected individuals reside.
The template letter must also:

Contents of the Notice

Most state breach notification laws do not set out specific requirements for the notice's content. However, an assessment of state breach notification statutes that do set out minimum requirements suggests that the notice generally should be in plain English and include:
  • The date of the notice.
  • The reporting entity's name and contact information so that affected individuals can get additional assistance or information.
  • A brief description of the data breach incident in general terms. However, this should not be included in notices to residents of Massachusetts (see Standard Document, Data Security Breach Notice Letter: Drafting Note: Brief Description of Incident and Categories of PII Involved).
  • The date of the breach, or if unknown, the approximate date or date range of the breach.
  • The categories of personal information at issue.
  • Whether notice was delayed as a result of law enforcement investigation.
  • A brief description of the actions taken by the business to contain the breach and protect data from further unauthorized access or use.
  • Advice on actions affected individuals should take.
  • Contact information for law enforcement and other government authorities, including the Federal Trade Commission (FTC).
  • Contact information for national consumer reporting agencies.

Other Requirements

State data breach notification laws also include other requirements. For example, when preparing for and responding to a data breach, companies must also consider legal requirements relating to:
  • The timing of notification.
  • The method of notification.
  • The notification of other entities, for example, the state attorney general and office of consumer affairs, the FTC, law enforcement authorities and consumer credit reporting agencies.
For a sample data breach notice letter template with additional guidance and drafting tips, see Standard Document, Data Security Breach Notice Letter.