Proskauer on International Litigation and Arbitration:
Managing, Resolving, and Avoiding Cross-Border Business or Regulatory Disputes
- Overview. Our experience with clients in the U.S. and in many other countries persuades us that companies operating in non-U.S. countries but with employees, business, or activities affecting the U.S. have a real need to understand the privacy laws of the U.S. More important, we have increasingly seen that U.S. companies operating even in part in non-U.S. locations must have a keen appreciation for the privacy laws and regulations of other jurisdictions.
- State Data Breach Notification Laws. As of January 1, 2008, thirty-seven states plus Washington, D.C. and Puerto Rico have enacted data breach notification laws applicable to private entities.
- Subject to some variations, the laws generally require notification to state residents whose unencrypted computerized personal information has been compromised by a security breach. Some states (HI, MA, NC, IN and WI) extend the laws beyond computerized data; others (IN, NY, NC) require notice for encrypted data if the encryption key is compromised; and a number of others include a risk threshold for notice.
- Typically, the laws apply to “any person or business that conducts business in [the State]” and require notice “to residents of [the State] whose information was, or was reasonably believed to have been acquired by an unauthorized person.”
- The phrase “conducts business” means the laws apply to non-U.S. corporations who “conduct business” in the applicable State.
- “Conducts business” has not been interpreted, but it may be coterminous with “doing business” as applied by courts to personal jurisdiction analysis involving non-residents.
- To assert jurisdiction over a non-resident, courts must comply with the “due process” clause of the U.S. Constitution.
- There must be “minimum contacts” with the State, jurisdiction must not offend “traditional notions of fair play and substantial justice,” and there must be a state long-arm statute authorizing assertion of jurisdiction. There are two types of personal jurisdiction.
- General Jurisdiction – based on activities extensive enough that the non-resident is deemed “present” in the State. “Doing business” in the State provides general jurisdiction.
- Specific Jurisdiction – when a non-resident does not meet the general jurisdiction requirements, but meets the constitutional test and is within the long-arm statute.
- If a foreign company is “conducting business” in the State and meets the jurisdictional requirements, then it will be subject to the applicable State data breach notification law in the event of a data breach involving consumers’ personal information.
- A few state data breach notification laws do not even have the “conducts business” threshold. For example, Arkansas’s data breach notification law applies to any business “that acquires, owns, or licenses computerized data that includes personal information” and requires notice to a resident of Arkansas whose information was, or is believed to have been acquired by an unauthorized person. Assuming a court has personal jurisdiction, such a law applies to practically any out-of-state company, even if based outside the U.S. In sum, although it will involve a fact-based inquiry, many companies incorporated outside of the U.S. and with their principal place of business outside the U.S. will still be subject to state data breach notification laws when they experience a data breach involving those states’ residents, particularly if they conduct business in the state.
- Practice Tip: Any company operating in the U.S. that handles personal information pertaining to U.S. residents should therefore create and implement an incident response plan that details how it would respond to a data breach. The plan should designate a single person responsible for coordination of the response; identify participants on a team that includes IT, legal, public relations and management personnel with 24/7 contact information; adopt procedures for providing prompt notice where appropriate or necessary to data owners, consumers, law enforcement or regulators; detail procedures to assess and investigate an incident including those used to identify compromised data and the extent of unauthorized access or misuse; adopt procedures to contain, control and correct any security incident; designate staff to respond to inquiries; provide training for such staff; specify procedures to document all actions taken; and include a process to regularly review and revise the incident response plan.
- Practice Tip: Companies need to be aware of the variations in the state laws. One example is the definition of personal information. While the various states define “personal information” differently, typically it includes a person’s first name or initial and last name when linked to one or more of the following: social security number, driver’s license number, credit card or debit card number, or a financial account number together with information such as PINs, passwords, or authorization codes that could gain access to the account. Notably, as of January 1, 2008, California’s data breach notification law, Civil Code § 1798.82, will include “medical information” and “health insurance information” in the definition of personal information. Also, any business “maintained for the purpose of managing medical information” must comply with the prohibitions of California’s Confidentiality of Medical Information Act, effective January 1.
- Other State Laws. The same analysis applies to other state laws, e.g., those requiring that companies have reasonable security (AR, CA, NV, RI, TX, UT), those requiring that personal data be destroyed in a particular way when a business is disposing of it (AR, AZ, CA, GA, HA, IN, KS, MI, MT, NV, NJ, NY, NC, TX, UT, VT, WA, WI), and those requiring that Social Security Numbers be handled in a certain way (numerous states).