By now, many attorneys are generally aware of the existence of data breach notification laws and may have even had the misfortune of receiving a data breach notice in the mail. The long string of high-profile breaches spanning back many years has raised awareness of the need to notify individuals whose personally identifiable information has been compromised in a data breach. One might envision the scenario of a hacker penetrating a system to steal sensitive business, financial or personal information, or a ransomware attack in which a threat actor encrypts a company’s data for the purpose of extorting the company. In addition to the damage that can be done due to the loss of funds or private information, if the incident results in unauthorized access to or exfiltration of personal information, legal obligations may arise to notify the individuals whose information was accessed or taken.

Yet many practitioners outside of the privacy and data security space may not appreciate the variety of other types of incidents that can potentially give rise to data breach notification obligations. Suppose an employee loses a device containing unencrypted personal information, whether through theft or by mistake. Or, an unauthorized individual might gain access to paper or electronic records containing an individual’s personal information through criminal conduct or mere happenstance. Perhaps an employee inadvertently misdirects an email containing unsecured personal information to the wrong recipient. Another common incident is a business email compromise, in which a threat actor gains access to a company employee’s email account, possibly through an email phishing campaign, and hijacks and re-routes emails for the purpose of committing fraud. Each of these incidents requires an analysis as to whether it rises to the level of a reportable breach under the applicable data breach notification laws.