United States: Privacy And EIM Alert – Data Breach Laws Become Even Stricter For All Companies With California Or Massachusetts Customers Or Users


How can a 21st century U.S. company do its best to comply with data-security-related obligations imposed by the various laws of 46 states? (Only Alabama, Kentucky, New Mexico, and South Dakota have not enacted laws requiring companies to provide notice of a data breach.) A company can implement practices and procedures designed to achieve maximum compliance with the laws adopted by the two states widely acknowledged to impose the strictest obligations: California and Massachusetts. In 2012, in different ways, these two states' respective regulatory schemes addressing data breaches have become even stricter.

I. California: Incident-Response Requirements Stricter as of January 1, 2012

A. Background

Over the past decade, California has enacted, and then incrementally amended, notice-of-breach laws designed to prevent identity theft. The first of these laws, enacted in 2002, is commonly referred to as S.B. 1386. California's notice-of-breach statutes, including S.B. 1386, apply to all companies that conduct business in California (as well as to state and local governmental agencies). From day one those statutes, including Cal. Civ. Code § 1798.82, have protected every California resident's electronically stored personally identifiable information (PII) by requiring notice to the affected individuals whenever sensitive PII stored in unencrypted form is hacked, lost or otherwise compromised (a "data breach").

The geographical location of that information is irrelevant, as is whether the PII possessor outsources storage to a service provider. Thus, the protection cuts a broad swath in the borderless universe of 21st century e-commerce, in which almost every company stores, or outsources storage of, information on consumers from all over the country. As with the notice-of-breach laws in most other states, California's statutes have always had an automatic notice trigger once certain PII – a name coupled with other sensitive confidential information – has been compromised. There is no requirement that the company owning the data first assess the extent of the risk of identity theft created by the data breach.

In 2008, A.B. 1298 expanded the scope of the California notice-of-breach laws to encompass a California resident's "medical information" and "health insurance information." Acknowledging modern heightened confidentiality concerns – such as medical and health-insurance identity theft – the post-2008 version of the California notice-of-breach laws applies even in situations in which HIPAA, the primary federal statutory regime directed at protecting personal health information, does not apply.

B. New as of January 1, 2012: Two Additional Incident-Response Requirements

1. Attorney-General Notification

Despite its overall strict statutory scheme as to data breaches, until recently California law did not require that notices of large-scale data breaches also be sent to the state Attorney General ("state AG"). Effective January 1, 2012, however, California joined 18 other states that do have such a requirement. S.B. 24, signed into law late last year by Governor Jerry Brown, includes a directive that whenever a single data breach requires notice to more than 500 California residents regarding their personal financial and/or health information, the state agency or company maintaining the compromised data must also notify the state AG.

2. Specificity as to Breach's Facts and Circumstances

In addition to requiring state AG notification for data breaches that affect more than 500 California residents, S.B. 24 added a number of specific factual items that must appear in every notice of breach, regardless of the number of individuals affected. Effective January 1, 2012, every notice of a data breach must include these details:

  • "[a] list of the types of personal information that were or are reasonably believed to have been the subject of a breach;"
  • "[i]f . . . possible to determine at the time the notice is provided, then any of the following: . . .the date [,] . . . estimated date . . . or date range within which the breach occurred;" and
  • "[a] general description of the breach incident, if that information is possible to determine at the time the notice is provided."

At its option, the company that suffers the data breach may also include in the notice "[i]nformation about what the person or business has done to protect individuals whose information has been breached [and] . . . [a]dvice on steps that [each such individual] may take to protect himself or herself."

C. Practical Consequences and Tips

For various reasons, of course it behooves every organization to do its best to protect its customers/users/subscribers – and its employees – from identity theft. From a risk-management perspective, no company wants to be in the position of having to address the consequences of a data breach. Those ramifications typically include: statutory penalties; incident-response costs; large monetary outlays for customary voluntary remedies such as credit monitoring or credit freezes for the individuals whose PII was compromised; and a publicity/PR hit in the court of public opinion.

In light of S.B. 24, the mandated incident-response may now also include notifying the state AG. In addition, S.B. 24's "general description" requirement is likely to render the contents of every (large or small) breach notification quite embarrassing. Having to explain how a breach occurred could, in effect, result in a company reluctantly having to provide its customers with insight into the deficiencies of the company's information security practices that allowed a data breach to occur.

Any entity maintaining California residents' PII in electronic form should not wait to address information security until it is in reactive, apologizing incident-response mode. Regardless of its size or its type of business, every company can take various technological and practical measures proactively to decrease the risk of a data breach occurring. For example, employing data encryption – especially on portable devices and media, such as laptops, USB drives and backup tapes – will not only protect the underlying information but also avoid triggering the statutory notification duty if the data is ever compromised. That protection holds only as long as the encryption key is not lost or compromised along with the data, so encryption should be paired with sound key management (keys stored separately from the encrypted data, never on the same lost device) and with records sufficient to demonstrate, after an incident, that the lost data was in fact encrypted.

II. Massachusetts: Service-Providers' Contractual Duty to Comply with Data Regulations – Exemption Expires March 1, 2012

A. Background

On March 1, 2010, regulations promulgated by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR), 201 CMR 17.00, took effect, expanding upon and implementing the state's "Security Breach" statutory scheme. These "Standards for the Protection of Personal Information of Residents of the Commonwealth" imposed various strict information-security obligations on any company that owns or licenses the personal information of Massachusetts residents. These obligations include the maintenance of a comprehensive Written Information Security Program ("WISP") describing the safeguards that have been, or will be, put in place for the protection of PII.

B. New as of March 1, 2012: Service Provider Agreements – Exemption Expires

March 1, 2012 marked the deadline for any company that owns or licenses PII regarding a Massachusetts resident to include data security provisions in all of its agreements with service providers to which the company transmits such PII. On March 1, 2012, an important provision, which had exempted previously existing service provider agreements from this requirement, expired. As a result, many longstanding service provider agreements will now need to be revised to comply with the OCABR's 2010 standards.

Companies that are subject to OCABR's Standards for Protection of Personal Information – by virtue of owning or licensing the PII of Massachusetts residents – and that are a party to service provider agreements executed prior to March 2, 2010 will need to revise those agreements to require the service providers themselves to comply with the data security obligations of OCABR. Although OCABR establishes somewhat flexible compliance standards based upon the size of the business, the type of PII it accesses, and the resources available to it, OCABR also sets forth certain very specific obligations that apply directly to companies that are subject to these regulations and, contractually, to their service providers as follows:

  • Companies subject to the OCABR standards, and their service providers, should develop, implement, and maintain a comprehensive WISP describing the administrative, technical, and physical safeguards that have been, or will be, put in place for the protection of PII.
  • The WISP should designate one or more employees to maintain the information security program.
  • The WISP should identify and assess foreseeable security risks to stored PII.
  • The WISP should contain data security policies for employees to follow as well as disciplinary measures and responsive actions that should occur in connection with any violation or breach of the security program.
  • The WISP should address and provide for annual review of implemented security measures.

Although the March 1, 2012 expiration of the OCABR exemption will affect only agreements signed prior to March 2, 2010, the expiration of this exemption marks the final stage in the complete implementation of these regulations. Accordingly, companies that own or license PII regarding a Massachusetts resident should take this opportunity to consider, not only whether longstanding service provider agreements need to be revised, but also whether the companies themselves are, in fact, in compliance with the data-security obligations imposed by regulations.

To learn more about the requirements of OCABR's "Standards for the Protection of Personal Information," companies can refer to the information on the Massachusetts Office of Consumer Affairs and Business Regulation web page.


In the data-breach realm, a legally defensible approach rests heavily on in-the-trenches deployment of appropriate information-technology and data-security tools and processes. Those same data-breach prevention measures can comprise a baseline for compliance with other privacy-related regulatory regimes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
