“LOG4SHELL” CYBER SECURITY VULNERABILITY and SECURITY BREACH DISCLOSURE AND REPORTING REQUIREMENTS
On December 11, 2021, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a statement regarding a vulnerability in Apache Log4j, a logging library used by a large share of Java software. CISA categorized this “Log4j” or “Log4Shell” vulnerability (tracked as CVE-2021-44228) as a “severe risk” that could be “widely exploited” by actors with ill intent. While this vulnerability is a risk to business software generally, it poses an additional risk to businesses that maintain records of nonpublic personal information under federal and state data protection laws. Those laws can be extremely burdensome in their reporting requirements, and some require businesses to maintain written policies governing the handling of sensitive personal data.
To determine whether an organization, and the nonpublic personal information it maintains on consumers, might be at risk, it helps to understand how software is assembled. Programmers commonly integrate pre-written components (libraries) into their programs to quickly add basic functions, and a widely used library such as Log4j becomes ubiquitous within its programming language. Unfortunately, this means that a single vulnerability in one library is embedded in a wide variety of software, including products an organization bought rather than wrote, so the first step is an inventory of where that library is actually deployed.
Accordingly, CISA and the Joint Cyber Defense Collaborative (“JCDC”) are providing updates and guidance on steps to mitigate the risk associated with this vulnerability. CISA Alert AA21-356A, a joint Cybersecurity Advisory (“CSA”), sets out those steps, which center on identifying every asset running a vulnerable Log4j version, upgrading it, and hunting for signs of exploitation. While no confirmed security breaches stemming from the vulnerability had been widely reported at the time of writing, several major technology suppliers have been affected by it, including Apple, Amazon, Cloudflare, IBM and Twitter.
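The inventory step that the advisory puts first is where most organizations stall, because log4j-core is rarely installed on its own: it is bundled inside application JARs, WAR and EAR files, and vendor products. The script below is an added example, not part of the original alert or of any CISA or Apache tooling. It walks a deployment directory, opens every JAR/WAR/EAR (recursing into nested archives), reads the library version from the Maven `pom.properties` that log4j-core ships with, checks whether the `JndiLookup` class Apache told users to delete as a stop-gap is still present, and classifies each copy against the CVE-2021-44228 version ranges published by Apache. The sample deployment it scans is constructed in a temporary directory and contains no real artifacts; the function and status names are the example's own.

```python
"""Inventory JAR/WAR/EAR archives for log4j-core and classify each copy against
CVE-2021-44228 (Log4Shell). Version ranges follow Apache's published advisory;
the sample tree scanned by demo() is constructed here and holds no real builds."""
import io
import os
import re
import tempfile
import zipfile

# Class Apache recommended deleting from log4j-core when an upgrade was impossible.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven-built log4j-core jars record their version here.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NAME_RE = re.compile(r"log4j-core-(\d[\w.\-]*?)\.jar$")
STAGE = {"beta": 0, "rc": 1}  # pre-release stages sort below a final release (2)


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 0, 9); '2.14.1' -> (2, 14, 1, 2, 0)."""
    base, _, suffix = text.partition("-")
    nums = [int(n) for n in base.split(".") if n.isdigit()][:3]
    nums += [0] * (3 - len(nums))
    m = re.match(r"(beta|rc)(\d*)", suffix)
    if m:
        return (*nums, STAGE[m.group(1)], int(m.group(2) or 0))
    return (*nums, 2, 0)


def affected_by_44228(v):
    """Apache: 2.0-beta9 through 2.14.1, except the 2.12.2+ and 2.3.1+ backport lines."""
    if not parse_version("2.0-beta9") <= v < parse_version("2.15.0"):
        return False
    if parse_version("2.12.2") <= v < parse_version("2.13.0"):
        return False
    if parse_version("2.3.1") <= v < parse_version("2.4.0"):
        return False
    return True


def classify(version, has_jndi_lookup):
    v = parse_version(version)
    if v < parse_version("2.0-beta9"):
        return "NOT_AFFECTED"  # e.g. log4j 1.x: EOL with other issues, but not CVE-2021-44228
    if affected_by_44228(v):
        return "VULNERABLE" if has_jndi_lookup else "MITIGATED"  # class removed per Apache guidance
    if v < parse_version("2.17.1"):
        return "PATCHED"  # 44228 fixed, but 2.15.0 to 2.17.0 still carry follow-up CVEs
    return "OK"


def inspect_archive(zf, display_name, findings):
    """Record any log4j-core in one open archive, recursing into nested jars (fat jars, WAR/EAR)."""
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is None:
        m = NAME_RE.search(display_name)
        version = m.group(1) if m else None
    if version is not None:
        findings[display_name] = classify(version, JNDI_LOOKUP in names)
    elif JNDI_LOOKUP in names:
        findings[display_name] = "UNKNOWN_VERSION"  # shaded/relocated copy: inspect by hand
    for name in sorted(names):
        if name.lower().endswith((".jar", ".war", ".ear")):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{display_name}!{name}", findings)
            except zipfile.BadZipFile:
                findings[f"{display_name}!{name}"] = "UNREADABLE"


def scan_path(root):
    """Walk a deployment directory and return {archive: status}."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if not f.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, f)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(path) as zf:
                    inspect_archive(zf, rel, findings)
            except zipfile.BadZipFile:
                findings[rel] = "UNREADABLE"
    return findings


def _write_jar(path, version=None, include_jndi=True, nested=None):
    """Write a minimal fake archive; the class 'body' is just the Java magic bytes."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   f"artifactId=log4j-core\nversion={version}\n")
            if include_jndi:
                zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        for inner_name, inner_path in (nested or {}).items():
            zf.write(inner_path, inner_name)


def build_sample_tree(root):
    """Constructed sample deployment (not real artifacts): vulnerable, stop-gap mitigated,
    unrelated library, and a patched copy hidden inside a WAR."""
    _write_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    _write_jar(os.path.join(root, "lib", "log4j-core-2.14.1-stripped.jar"), "2.14.1", include_jndi=False)
    _write_jar(os.path.join(root, "lib", "commons-lang3-3.12.0.jar"))
    inner = os.path.join(root, "staging", "log4j-core-2.17.1.jar")
    _write_jar(inner, "2.17.1")
    _write_jar(os.path.join(root, "webapps", "app.war"), nested={"WEB-INF/lib/log4j-core-2.17.1.jar": inner})
    os.remove(inner)  # keep only the copy bundled inside the WAR


def demo():
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    build_sample_tree(root)
    return scan_path(root)


if __name__ == "__main__":
    for archive, status in demo().items():
        print(f"{status:<16} {archive}")
```

Point `scan_path` at an application server's install root to get the inventory the advisory asks for. Two caveats a practitioner should keep in mind: a copy of log4j-core that has been shaded or relocated into another JAR loses both the Maven marker and the file name, so it surfaces only as `UNKNOWN_VERSION` when `JndiLookup.class` survives and is missed entirely if that class was relocated too (a class-hash scan is needed for those); and `MITIGATED` means only that the stop-gap was applied, not that the deployment is current, so it still belongs on the upgrade list.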
To the extent there has been a security breach exposing personally identifiable information to unauthorized third parties, all U.S. states, the District of Columbia and Puerto Rico require private businesses to notify affected individuals of the security breach. Below is a small sample of state laws that highlights some of the differences in reporting and/or disclosure requirements.
Under Florida law, a covered entity that acquires, maintains, stores or uses personal information must notify each affected individual no later than thirty (30) days after the determination of a breach or reason to believe a breach occurred. (Fla. Stat. § 501.171(4)).
Separately, if 500 or more individuals in Florida were, or are reasonably believed to have been, affected by a security breach of personal information, the entity must also notify the Florida Department of Legal Affairs within the same thirty (30) day period. (Fla. Stat. § 501.171(3)).
Further, if more than 1,000 individuals were, or are reasonably believed to have been, affected by a security breach of personal information, the organization must also notify all consumer reporting agencies without unreasonable delay. (Fla. Stat. § 501.171(5)).
Lastly, Florida law also requires organizations to take reasonable measures to protect and secure personal information stored as electronic data. (Fla. Stat. § 501.171(2)).
Under Massachusetts law, companies that own, license, maintain or store data that includes the personal information of a state resident affected, or suspected of being affected, by a security breach are obligated to provide notice as soon as practicable and without unreasonable delay to the resident, the Massachusetts Office of Consumer Affairs and Business Regulation and the Massachusetts Office of the Attorney General. (Mass. Gen. Laws ch. 93H, § 3(a)-(b)).
Further, regulations issued by the Massachusetts Office of Consumer Affairs and Business Regulation require any company that owns or licenses the personal information of a state resident to implement and maintain a comprehensive Written Information Security Program (“WISP”) to protect that data. (201 CMR 17.03).
Under the New York State Information Security Breach and Notification Act, companies that own or license data that includes the private information of a state resident must disclose to the state resident, the New York State Attorney General, the New York Division of State Police and the New York Department of State Division of Consumer Protection any security breach where private information was, or was reasonably believed to be, exposed. Disclosure to a state resident must be made as expediently as possible and without unreasonable delay, subject to legitimate law enforcement needs. (NYS Gen. Bus. § 899-aa).
Additionally, the Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”) signed into law in 2019 expanded the definition of private information to increase consumer disclosures in the event of a breach. The SHIELD Act also requires organizations that maintain state resident private information to implement safeguards against security breaches.
Under the North Carolina Identity Theft Protection Act, companies that own or license personal information must notify state residents of a security breach in the event of an unauthorized release of personal information. Notification must be without “unreasonable delay” after discovery or notification of the breach, subject to legitimate law enforcement needs. (N.C. Gen. Stat. § 75-65).
Further, if a company notifies even one state resident of a security breach, the organization must also notify the North Carolina Attorney General’s Office. If more than 1,000 state residents must be notified, the organization must also notify the Consumer Protection Division of the North Carolina Attorney General’s Office and all consumer reporting agencies. (N.C. Gen. Stat. § 75-65).
Under the Rhode Island Identity Theft Protection Act, companies that store or use data that includes the personal information of a Rhode Island resident are required to notify affected residents of a disclosure or breach that has, or is reasonably believed to have, passed personal information to an unauthorized person. Notice must be provided as soon as possible and no more than forty-five (45) days after confirming the security breach and ascertaining the information required in the disclosure, unless notice would impede a criminal investigation. (R.I. Gen. Laws § 11-49.3-4(a)).
Separately, if more than 500 Rhode Island residents were, or are believed to have been, affected, the organization must also notify the state Attorney General and the major credit reporting agencies. This notice cannot delay a required notice to a state resident. (R.I. Gen. Laws § 11-49.3-4(a)).
Under the South Carolina Financial Identity Fraud and Identity Theft Protection Act, a company that owns or licenses personal identifying information must disclose a security breach to state residents whose unencrypted personal identifying information was acquired by an unauthorized person. Disclosure must be made in the most expedient time possible and without unreasonable delay, subject to legitimate law enforcement needs. (S.C. Code Ann. § 39-1-90(A)).
Additionally, if more than 1,000 state residents must be notified by the company, the Consumer Protection Division of the South Carolina Department of Consumer Affairs and all consumer reporting agencies must also be notified. (S.C. Code Ann. § 39-1-90(K)).
Whatever the jurisdiction, a security breach of sensitive personal information triggers a wide range of reporting and notification obligations, each with its own recipients, thresholds and deadlines, that must be satisfied in a timely manner.
This alert should not be construed as legal advice or a legal opinion on any specific facts or circumstances. This alert is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal question you may have. We are working diligently to remain well informed and up to date on information and advisements as they become available. As such, please reach out to us if you need help addressing any of the issues discussed in this alert, or any other issues or concerns you may have relating to your business. We are ready to help guide you through these challenging times.
Unless expressly provided, this alert does not constitute written tax advice as described in 31 C.F.R. §10, et seq. and is not intended or written by us to be used and/or relied on as written tax advice for any purpose including, without limitation, the marketing of any transaction addressed herein. Any U.S. federal tax advice rendered by DarrowEverett LLP shall be conspicuously labeled as such, shall include a discussion of all relevant facts and circumstances, as well as of any representations, statements, findings, or agreements (including projections, financial forecasts, or appraisals) upon which we rely, applicable to transactions discussed therein in compliance with 31 C.F.R. §10.37, shall relate the applicable law and authorities to the facts, and shall set forth any applicable limits on the use of such advice.
CISA statement referenced above: https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability