Data security law in 2011: States remain the center of attention

February 17, 2011 by cwolf

Our guest blogger this week is Chris Wolf, practice director at Hogan Lovells and co-chair of the Future of Privacy Forum.

Join us on Thursday, February 24th for a live webinar with panelists Chris Wolf and Reed Freeman discussing State Legislation Past & Present: The Effects on Data Breach Notification and Resolution.

While the talk of 2011 may be the possibility of Congressional action on a privacy bill and/or a single, preemptive federal data security law, states enter the year as the primary enforcers of data security laws in the U.S.  While state laws requiring “reasonable” data security have had a positive impact, data breach notification laws have had the most profound effect on the improvement of data security.  These laws have motivated companies – through negative incentives – to improve data security in order to avoid the publicity, embarrassment, and risk that come with notification.  State involvement in data breaches has also extended to the medical space, as states have begun to enforce the HITECH Act.

A handful of other states passed data security laws in 2010.  Mississippi became the 46th state (plus DC, Puerto Rico, and the Virgin Islands) to adopt a breach notification law, leaving Alabama, Kentucky, New Mexico, and South Dakota as the remaining hold-outs.  In a victory for banks, Washington passed a law that permits financial institutions to recoup card reissuing costs from companies and processors whose negligence causes a breach.  The biggest data security law news of 2010, however, may very well have been the comprehensive Massachusetts data security standards.  These standards, which became effective last March, require any entity that maintains information on a Massachusetts resident to implement a comprehensive written information security program.  Though we have not yet seen any enforcement, the state may wish to make a splash in 2011.

This past year also saw individuals continue to bring lawsuits under state law alleging non-identity-theft-related damages resulting from breaches, despite the lack of success of such suits in the past.  In two cases, the Ninth Circuit, though ruling against the plaintiffs, opened the door for breach victims to sue in federal court and suggested that damages could potentially be found under California law based on the costs expended on credit monitoring.  In more traditional holdings, the Maine Supreme Court held that time spent to prevent future harm is not sufficient to show damages, and an Oregon appellate court held that potential future damages were insufficient to support a negligence class claim for a breach of medical data.

With the proliferation of breach laws and their extension to health data, cyber-risk insurance – which generally covers the cost of a data breach and eases compliance burdens – is becoming more popular.  This insurance coverage, however, has extended past the breach context.  For example, Allied World Assurance, a provider of property, casualty, and specialty insurance and reinsurance solutions, has entered into a risk management alliance with my firm, Hogan Lovells, to (among other things) provide breach planning and proactive legal representation to companies looking to avoid data breaches.

Over the past year, state data security laws have driven most of the data security compliance obligations of U.S. companies, and they will continue to do so into 2011.  To stay up to date on the latest news on compliance obligations under state privacy and data security law, visit and subscribe to our blog at www.hldataprotection.com.