
GoForward – The HealthCare industry that can’t seem to make it forward.

I’ve been very interested in GoForward. It’s presented like all the things you would want from health care in 2018: known costs, preventive care, backed by technology to help people cut costs and make intelligent decisions; membership fees so you can walk in whenever you need; doctors available and on-site; wellness monitoring for sleep, exercise and stress; and high-touch care with a 24/7 team. I mean, who doesn’t want that?

Then I read the terms and conditions (forgive me, I’m a lawyer and I read these things especially when someone new is coming to the market). So what does it say?  Pretty much the exact opposite of what you expect.  This is my favorite quote from the terms of service:

GoForward acts solely as a technology platform…..

That doesn’t really bring a lot of warm fuzzies to me. As a matter of fact, it sounds like I’m signing up for a SAAS platform. It doesn’t sound like there are any doctors involved. As a matter of fact, it sounds like if there ever were doctors involved, you aren’t paying for that. They do say that they’ll connect you with a Medical Group or “Providers”, but then they say that those Providers can sell you services and products, and nowhere does it say that their services are included in the membership fee.

This next bit is my favorite part:

By accepting these Terms of Use, you acknowledge and agree that GoForward is not a healthcare provider and that by using the Service, you are not entering into a doctor-patient or other health care provider-patient relationship with GoForward.

So that is the health care of the future? No doctor-patient relationship, all of my information is for sale to the highest bidder, and guess what, for all I know the doctor is a lovely paid-for marketing rep who is just trying to push products on me. But I’m getting into the weeds, right? Let’s talk about the basics. If I sign up, how much and for how long?

The marketing babble makes it look like it’s normally $199/month and right now in NY they are going for $99/month to increase membership. Seems pretty straightforward; I can risk $100 if it really is health care of the future. I’m into giving that a try. However, I read the online terms, and there doesn’t seem to be a way for me to terminate, cancel or do anything. I read their online terms and conditions located at  So, I decided to chat with their online support. Here’s what they said…

“Yes, 6 month commitment, then afterwards you can cancel at any time.”

Wait a second, where does it say that? If I go through the payment information (meaning the screen where I give the credit card), down in tiny text at the bottom it says (and nowhere before then):

6 month minimum commitment.

I guess that means that I’m in for at least $600? But where does it say how I end that commitment? And so far the only thing I’ve figured out is that I get to pay them $600 for a login to a platform and the opportunity for them to sell me stuff and refer me to specialists that aren’t included in the membership plan…I guess that’s a solid way forward? I think the most confusing part at this stage (and who knows, maybe once you sign up everything is much simpler) is that the customer care/sales reps/online chat bots don’t differentiate between third parties and themselves. This is what they said when I told them I had no idea what I was signing up for and what I would get….

We use lots of technology with our members, to help expedite their care for services. As a member you’d be able to come in to see your doctor, chat in through our app any hour of the day or night, schedule phone call visits and more. The membership fee covers all the interactions you have with Forward — whether you’re chatting in on a weekend evening about a sore throat or you’re wanting to build a more proactive plan to monitor your risk of developing heritable cancers — your Forward doctor and care team are always there for you. We don’t bill anything through insurance, but rather the membership fee covers everything we can do in-house. That means blood testing to monitoring things like your heart health, kidney and liver function and so on are included, as are things like routine medications, all vaccines and even a take-home smart device to keep your doctor continuously plugged in to your health. The aim is to make it easy for you to access really high-quality care. Below is a link to the doctors that are currently with Forward, so that you can have more information.

Maybe I’m a little thick, but that sounds like the doctors are part of Forward.  And I get that legally you have to separate things and abide by professional responsibilities, but then you would assume that their terms would reference terms for the ACTUAL DOCTORS!  I mean, we all love a good SAAS product, but we’re not at the state where SAAS products replace doctors (and most likely never will), and if it’s telemedicine, great, just say that.  After all there are a lot of telemedicine services out there, and shocker, their terms are pretty clear.

In the end, and after reading a whole bunch of Yelp reviews, it sounds like I’m sitting this one out until I know what I’m signing up for. At this stage, all I know is I get a username and a password. Google gives me that for free, and they make the same amount of promises as Forward does.

Why Aereo Matters: Where did Secondary Liability Go?

Earlier this summer, in American Broadcasting Cos., Inc. v. Aereo, Inc., 573 U.S. (2014), the United States Supreme Court held that Aereo infringed the copyright holders’ exclusive rights to publicly perform their works by providing a service which allows subscribers to watch free, over-the-air broadcast television channels over the Internet. Aereo provided the service by mounting an array of small antennas — each dedicated to one individual subscriber. Aereo’s antennas would receive the broadcast signal, which Aereo would then buffer and stream over the Internet to the subscriber, much the same as any individual could do by connecting an antenna to a PC or laptop. The Court’s decision matters because the Court’s reasoning and ultimate decision that Aereo was engaged in direct copyright infringement, if widely followed, could eviscerate the concept of secondary liability on which many online services depend for their legality, and with it, the framework which has provided some degree of predictability to a complex area of law.

Copyright law applies to original works of authorship that are fixed in a tangible medium, and is the protective shield for movies, books, songs, dances, architecture and other artistic endeavors. There exists a “bundle of rights” within each copyrighted work, which are: the right to make copies of the work, the right to distribute copies of that work, the right to prepare derivatives, and, depending on the nature of the work, the right to perform or display the work publicly. A copyright owner can then assign or license any of these rights to any number of parties. In the Aereo case, the petitioners — TV broadcasters — alleged that Aereo infringed upon their exclusive right to publicly perform the work, specifically, their right to distribute and broadcast various television shows.

As background, one can become liable for copyright infringement in one of two ways: directly or secondarily (also known as contributory or vicarious infringement). Tracing concepts that are familiar in many other areas of law, direct liability for copyright infringement occurs when the infringer engages in one of the rights described above without authorization, ordinarily requiring some “volitional conduct” on behalf of the person accused of infringing. See Sony Corp. of America v. Universal City Studios, Inc., 464 U.S. 417, 422 (1984); 3 W. Patry, Copyright §9:5.50 (2013). Secondary infringement occurs when the infringer has not itself engaged in the infringing activity but “intentionally induces or encourages infringing acts by others or profits from such acts while declining to exercise a right to stop or limit them.” See MGM Studios, Inc. v. Grokster, Ltd., 545 U.S. 913, 930 (2005). Think of a secondary infringer as a co-conspirator or enabler.

Prior to the Aereo decision, companies that provide a commercial technology capable of both infringing and substantial non-infringing uses could count on any copyright challenge being analyzed under principles of secondary, not direct, liability. This was established in the landmark case of Sony Corp. of America v. Universal Studios, Inc., 464 U.S. 417 (1984), in which the Court refused to hold a manufacturer of VCR technology liable for copyright infringement. Under the test established by Sony and the cases that followed it, the defendant would not be secondarily liable for copyright infringement unless the defendant had (i) actual knowledge of specific instances of infringement and failed to act on that knowledge, or (ii) through public statements or advertisements, promoted the technology’s use as a means to infringe copyright. Id.; see also MGM, Inc. v. Grokster, Ltd., 545 U.S. 913 (2005). This legal framework has provided some comfort to the owners of products and services such as the VCR, DVR, peer-to-peer file-sharing networks, cloud storage services, antennas, and many other Internet businesses, that they would not be sued out of existence by overly zealous copyright owners. In light of this clear history, it would seem to have made sense for Aereo’s service to be analyzed under a theory of secondary liability. That’s not what happened.

In the complaint, the petitioners alleged direct and secondary liability. They also requested a preliminary injunction to force Aereo to suspend its services during the pendency of the litigation. The request for a preliminary injunction was based exclusively on the theory of direct liability. The district court denied the injunction, finding Aereo did not itself publicly perform the work; rather, each Aereo user specifically requested the content for his or her own personal viewing. The Court of Appeals denied rehearing the case. Therefore the only issue the Supreme Court could decide on was whether or not Aereo directly infringed the petitioners’ right to publicly perform the work for purposes of the preliminary injunction.

One possible result, and one that many commentators thought likely, would have been for the Supreme Court to agree with the district court that Aereo did not engage in direct infringement and remand the case back to the lower courts to play out. Instead, the Court steamrolled ahead and seemingly ignored the volitional-conduct requirement for direct infringement. In its place, the Court’s analysis depends on what the dissenting Justices snarkily called the “Looks Like a Cable Company” test in order to analyze Aereo’s technology under a theory of direct infringement.

While not officially called the “Looks Like a Cable Company” test, heavily seasoned throughout the Court’s reasoning was a 1976 Congressional amendment to the U.S. Copyright Act, in which Congress sought to include the activities of cable companies within the statute’s scope. Under the amended Copyright Act, “perform” means “to show its images in any sequence or to make the sounds accompanying it audible.” 15 U.S.C. 101. At the same time, Congress also added the “transmit” clause within The Copyright Act, which expanded the copyright owner’s exclusive right to perform its work to the public to include conduct which “transmits or otherwise communicates a performance… to the public, by means of any device or process.” 15 U.S.C. 101. Despite Aereo’s protests that it does no more than supply equipment that emulates the operation of a home antenna and DVR, the Court found that by providing a service which allowed subscribers to select a TV program to watch on Aereo’s website, which then streamed a single copy specifically downloaded for the subscriber to his or her device, it performed the work. Moreover, the Court held that the transmission to a single subscriber from a personal copy was, under the statute, a “transmission to the public” because “an entity communicates the same contemporaneously perceptible images and sounds to multiple people, it transmits a performance to them regardless of the number of discrete communications it makes.”

Under the Court’s reasoning, it is now more difficult to delineate between online technologies which do and do not run afoul of The Copyright Act. Arguably, the only way online technologies could be 100% certain of their legality under copyright law would be to implement filtering tools to prevent the use of their service to access copyrighted works unless the user can provide proof they are the copyright owners or are entitled to lawful possession of such works. Obviously, copyright owners would love that to become common practice, but it has very clearly not been a requirement of US law. Seeking assistance from the public on this question, the U.S. Copyright Office, Library of Congress, issued a Request for Additional Comments for interested parties to provide thoughts and questions on the relevancy of secondary liability and the meaning of “making available” and “communication to the public” in light of the Aereo decision. Comments must be received by August 14, 2014.

In the meantime, here are the not-so-comforting words of The Supreme Court:

We cannot now answer more precisely how the Transmit Clause or other provisions of the Copyright Act will apply to technologies not before us. We agree with the Solicitor General that “[q]uestions involving cloud computing, [remote storage] DVRs, and other novel issues not before the Court, as to which ‘Congress has not plainly marked [the] course,’ should await a case in which they are squarely presented. And we note that, to the extent commercial actors or other interested entities may be concerned with the relationship between the development and use of such technologies and the Copyright Act, they are of course free to seek action from Congress.

So, the Supreme Court’s advice to tech innovators and entrepreneurs is to either wait for a lawsuit or get Congress to pass a law (which, of course, takes years and lots of lobbying dollars). Not exactly practical or appealing options.

How I would structure my tech startup!

If I were structuring a tech startup that met a few parameters (1. more than 1 founder; 2. intending on raising several rounds of VC; 3. intending a rather quick 4 to 5 year exit or less), here’s how I would structure it:

The Basics:

Incorporation structure:

  1. Entity Choice: Corporation (in some few circumstances an LLC works, but those are very specific).
  2. State of Incorporation: Delaware or Nevada.  There are some reasons to do local, but you better have a good one.
  3. Authorized Number of Shares: At least 1,000,000, but 10,000,000 is a good number
  4. Type of Shares: Common Stock and Founders Stock – Common Stock for general purposes and growth. Founders stock for board control.
  5. Par Value of Common: as low as I can make it, usually $0.0001
  6. Initial Amount of Stock Issued to Founders: This depends on your corporate governance strategy.  A lot of people like to authorize more shares with investment.  I prefer to transfer already authorized shares.  Leave 10% – 20% for an employee stock option pool; expect your first $1MM to take the largest chunk of stock per value, so leave 30% for investors, and issue the rest to the founders.
  7. Founders Equity Split: This depends on the team, but sort it out before you invest money…..not after.  Additionally, reward people based upon the roles they fill…aka if you are sales, reward not just in stock, but in money from the sales.  If you are management or tech, reward them appropriately for hitting company or dev targets.  Do not think of compensation and equity splits linearly.  People have different roles and different contributions.  Likewise, stock splits should not just be flat lined.
  8. Vest Founders Shares?: Yes, yes and yes.  At least 4 years with a 1 year cliff…2 year cliffs aren't unheard of.  I also like to see performance/time factors for the vesting schedule rather than just time, as sometimes relationships make it tough to part with friends.

Just remember, rarely do all founders make it beyond Year 1, and even less beyond Year 2.  Plan accordingly.

Rebooting – almost always the first place to start….what do I reboot?

If it's a problem with the computer, did you reboot?  TV….did you reboot?  DVD/Blu-Ray player? Did you reboot?  Just recently, I had a problem with my mouse.  My mouse is nothing too fancy…a nice little bluetooth logitech diddy that keeps me cord free, brain cancerfied, and roaming around my office like a cat in search of catnip.

Nevertheless, all of a sudden I couldn't right click.  Then my left click turned into my right click.  Odd, I dare say, as in all the years I have been working with/on/around computers (and that's around 25 or so years, so I have some good experience) I have never had the buttons switch on me.  Yes, I have had mice die…and usually a function goes out, then another one, or back in the day the roller ball was just too much of a pain to clean, so we bought a new one or an optical mouse.

So, here I am at my office and my mouse is acting up…so what do I do?  I reboot.  Turn off the computer.  Computer comes back up, same problem…..ugggghhhh.  Next I do a little googling…after all, isn't that tech support's second line of defense?

I put in “forum” into the search term after a while to see if I can get some discussion on the issue….alas, just a lot of conjecture and posturing by people without real answers.  “It could be the software” (Logitech doesn't have the best software) “Have you tried it on a different computer?” (Who has multiple computers sitting around…oh I do!) “I think you should RMA it!” (Well, that doesn't solve my problem now, it solves it in a few weeks/months/years until I go buy a new one.)

After trying all these lovely things, and to no avail, I noticed a little on/off button on the bottom of the mouse.  Hmmmm…..reboot is always the answer right?  So, what did I do, I turned off the mouse.  Lo and behold, the mouse started functioning properly again.  It had never occurred to me that the piece of equipment to reboot was the mouse.

Which brings me to my conjecture/philosophical muse of the day…….if you've got the basic bit of advice that everyone should follow as the starting block (in this case, all tech problems are solved first by trying to reboot), the question is, what do you apply that to?

All too often I work with start-ups and mature tech companies alike that hit this wall.  Things stop functioning, work becomes a drudge, the products we produce aren't nearly as interesting or compelling, customer service goes down the toilet, all the precursors of a company on the brink of extinction, and what do we do then?  What do we reboot?  Investors often take the approach of kicking out the founders, or at least moving them away from CEO roles.  Mature corps do the same thing by firing their CEOs.  Employees go on vacation.

All of these are a form of a reboot…but all too often, they aren't the reboot required.  Regularly, I think a lot of corporations think they need to “reboot” by starting at the top, and that will fire the cylinders all the way down the pipe and the company will start producing again.  In some cases, that isn't the reboot required.  Maybe you need to think of things a little differently, take some time away from crazy schedules, meetings, and events, and just think.  Maybe you need to reboot your mouse.

Just thoughts, apply as you will!

Outsourcing in 2010

1. Confidentiality:  It is tough to control information leaks in your own company, and even tougher to control them in a third party.  While you can't stop it, you can at least hold them liable for any leaks.  One thing you may want confidential is the fact that YOU ARE outsourcing.  Outsourcing can be a delicate topic, and who you choose may be even more critical, including your identification of a partner that has some specific key skills that you don't want your competitor to learn about.

2. IP Ownership:  This is always a point of contention, but one thing you want to be clear about is who owns the intellectual property, and whether the people developing it can utilize parts, pieces, or the product as a whole to service other customers.

3. Staff Tenure:  Ask how long they keep their developers on as employees before you choose your outsourcing house.  Often my clients outsource to some of the larger dev shops in countries such as Brazil, Ukraine, India, Egypt, Poland and Romania. The big problem in a market that is “booming” with offshore (or even on-shore) outsourcing is how long the people have been working for them.  You want to see long tenures among the employees for a couple of reasons. You don't want to have to retrain people on a long project…particularly if that product/creation cycle takes more than 3 months, this is a crucial issue.  If you have a one or two year project, and the outsourcing development house is retraining staff every six months, that project will be delayed at least a month or two for each and every retraining cycle, if not more for very complex development projects.

4. Misunderstood requirements:  It is very important to be clear about what it is you want developed.  All too often specifics are not clearly defined as far as deliverables, nor are the processes and logic developed in between.  Outsourcing takes a lot of management and thought process.

5. Cost Overruns:  It is very common to have cost overruns with outsourcing projects.  Regularly the estimated amount of time to produce a product and the actual amount are very different, sometimes by multiples.  Make sure you are clear about how this will be handled, and if you can get fixed price development, that has its advantages and disadvantages as well.

6. Cultural and Language issues:  This is the toughest one for really understanding what the impact on the project will be.  It is important to have someone on YOUR staff who understands and can speak the local language and understands the local culture (particularly with offshore consultants).  Different cultures operate in different ways, communicate things differently, and have very different understandings of deadlines, goals, deliverables, and in some cases their role.  Some countries have a cultural tendency to be very direction-following…in that they do exactly what is asked, and don't question.  Other cultures will have staff at all levels thinking about the project as a whole and how it works, and start punching holes and asking questions of why this way vs. that.  You need to understand what the tendencies of a culture are so you can plan for them in how you approach the management of the project.

CIO magazine recently published an article on offshore outsourcing hotspots:

The UDRP process and ICANN – how to stop cybersquatting and get your domain!

For that reason, we decided to publish a small, brief, article on the UDRP or the Uniform Domain Name Resolution Policy.  The UDRP was established by ICANN or the Internet Corporation for Assigned Names and Numbers for the express purpose of handling or dealing with cybersquatters, or individuals who are using protected names, words, and marks as domain names and to prevent or lessen the amount of confusion afforded to end users.  For that purpose, the UDRP aligns itself very closely to U.S. Trademarks, as the purposes are relatively similar.

One of the major benefits of the UDRP process is that it is over relatively quickly, and fairly cheaply.  The UDRP from start to finish is generally over in 45 days, which in legal timelines is the speed of the Energizer bunny on steroids. In a UDRP process, you have to establish 3 things to show that an individual is essentially cybersquatting:

(i) your domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; and

(ii) you have no rights or legitimate interests in respect of the domain name; and

(iii) your domain name has been registered and is being used in bad faith.

A few tips for those looking to go for a quick and relatively painless UDRP process.

Once you have shown that you have demonstrated a prima facie case that you have a right to the domain, the burden of proof then is shifted to the owner of the domain to rebut the showing by providing evidence that it has rights to or legitimate interests in the domain name.

Some things that have proven useful in other UDRP processes:

1. A federally registered trademark.  While this won't make it a slam dunk, it will provide you with a solid basis for arguing the other side's infringement on your mark.

2. A bad faith intent by the other side – the domain is only being used for the purposes of selling, renting, or transferring it to another party in exchange for valuable consideration in excess of the normal out-of-pocket expenses for a domain.  Or this could be indicated by a confusingly similar name or mark used so as to attract business through the use of the other's mark.  This can even be demonstrated by false registration information.

Once you have made a determination from the above, it is time to draft a complaint and file it with your local service provider. ICANN has a select few service providers for the facilitation of the UDRP process.  As of June, 2009, they were listed at  There are not very many providers, so it won't be a very hard selection process.

Soon thereafter, an arbitrator will be selected.  Do realize that the arbitrator will be paid by you, the complainant.

After a brief discovery period and hearing (either virtual or in person) an Arbitrator will make a decision.

The process is fairly straightforward, but realize that you could get tripped up in the complaint process and related steps.

If you have any questions, feel free to contact us.


Data Breach Notification Requirements in the United States and European Union


Executive Summary

Both the United States and European Union require certain entities to notify individuals when their personal information has been breached. In the United States, State Breach Notification Laws (BNLs) require persons and organizations to notify individuals whose personal information has been “breached.” BNLs generally apply to any entity which possesses certain classes of personal information, such as social security numbers or account numbers. The usual elements of a breach are as follows, with common variations in parentheses:

  1. (Reasonable likelihood of) Unauthorized and Bad Faith
  2. Acquisition of
  3. Unencrypted or Unredacted
  4. (Computerized) Personal Information,
  5. (Which is likely to cause harm).

Absence of one or more of these elements will defeat the notification requirement, whereas mere knowledge of a potential breach will often trigger a duty to investigate.[1] With the exception of certain health information breaches,[2] breach notification requirements are not yet Federalized.

The approach of European Union Directives varies in two key aspects: First, the EU adopts a broader definition of “personal information,” or “personal data.” Second, in contrast to United States BNLs, European Union Directives impose notification requirements based on economic sectors rather than data possession. The table below illustrates the differences in approaches, by example, which may not be correct under every circumstance.

[Table: Notification Required? Columns: Communications Sector, Private Sector, Public Sector. Rows (example breached information, by the sector in which the information is protected): IP Address & Name; Itemized Bill; Name & SSN; Name & Password. Cell values not preserved.]

Anatomy of US Breach Notification Laws

Data Breaches are regulated by states, with the exception of health information breaches, which were Federalized under the American Recovery and Reinvestment Act of 2009 (Stimulus Package), which mimics state BNLs.[3]

Since California passed the Security Breach Information Act of 2003,[4] all but a handful of States have enacted similar breach notification laws. These laws require consumer notification when sensitive personal information is accessed by an unauthorized person. Each law imposes subtly different duties and requirements on stewards of personal information.

Legislative findings in several states emphasize the importance of preserving trust and confidentiality.[5] Other legislatures emphasize the need to protect consumers from identity theft and other misuse of personal information.[6] Still others aim to encourage businesses to protect personal information,[7] decrease identity theft,[8] or to protect the “confidential relationship” among financial institutions, creditors, and customers.[9] Some US statutes create a right of action for third-party data owners, such as financial institutions, without creating an equivalent right for data subjects.[10]


Covered Entities

Without traceable legal precedent,[11] breach notification laws treat data as a type of property, and apply to entities that “own” or “license” personal information. Despite the legal ambiguity surrounding the concept of “owning” personal information, a surprising number of notification statutes do not expressly define the term. Those that do often define “owning” broadly, to include all entities that “retain” personal information for a legitimate purpose.[12] Licensees of personal information must also notify the data owners in the event that the personal information is breached on their watch.[13]

In addition to notification obligations, breach notification laws often impose additional duties, which vary depending upon the storage media. For example, California businesses have a duty to properly destroy “any material, regardless of the physical form, on which [personal] information is recorded or preserved by any means…” including graphic, audio, and written information in all forms.[14] However, a notification requirement is triggered only upon unauthorized acquisition of computerized data.[15] In contrast, Hawaii requires notification of a breach regardless of the media the personal information was stored on.[16]

Breach notification laws can reach beyond state borders because they apply to entities that maintain personal information about residents, even if the breached database is located out-of-state.[17] For example, Arizona imposes a notification duty on any natural, legal, or corporate entity “that conducts business in this state and that owns or licenses unencrypted computerized data that includes personal information” of Arizona residents.[18] Several other states impose broad duties on any person, group, or corporate entity that maintains personal information of state residents.[19] And others bifurcate duties among special classes of actors, such as state or local municipalities.[20] In several instances, municipalities or state agencies may be exempt from notification or other parts of the law altogether.[21] Other common classes of exempted businesses are financial institutions subject to the Gramm-Leach-Bliley Act of 1999 (GLB),[22] medical institutions subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA),[23] consumer reporting agencies,[24] or any business subject to more stringent law.[25] Some statutes create unusual notice exemptions, for information brokers[26] and even property and casualty insurers.[27]

The practical effect of these exemptions is limited because they are far from uniform. Although an inter-state financial institution may choose to scrupulously adhere to the technical details of each state's rules, such a strategy may have negative public relations consequences. In fact, in an effort to limit public relations damage, many companies now exceed statutory minimum requirements and provide credit monitoring services to breach victims.[28] As a practical matter, organizations that maintain customer information and operate in more than one state will likely be subject to the most stringent combination of all states' notification laws.


Breach of the Security of the System

California's Security Breach Information Act first adopted the term “breach of the security of the system,” which is defined as an “unauthorized acquisition of computerized [personal] data.”[29] Entities covered by the statute cannot defeat its provisions simply by failing to secure personal information, because California's law also creates a duty to “provide reasonable security” for personal information.[30] A breach of the security of the system triggers notification to the affected individuals.[31] A breach is comprised of several common components, which vary by state. The usual elements of a breach are as follows, with common variations in parentheses:

1. (Reasonable likelihood of) Unauthorized and Bad Faith
2. Acquisition of
3. Unencrypted or Unredacted
4. (Computerized) Personal Information,
5. (Which is likely to cause harm).

Absence of one or more of these elements will defeat the notification requirement, whereas mere knowledge of a potential breach will often trigger a duty to investigate.[32]

Unauthorized and Bad Faith Acquisition

At least seventeen breach notification laws trigger an unqualified duty to notify when personal information is acquired by an unauthorized individual.[33] New York quantifies factors that help determine unauthorized access, including indications that the information is in the “physical possession and control of an unauthorized person,” that it has been “downloaded or copied,” or that an unauthorized person has used it to commit a crime.[34] A few states broaden the notification trigger to include acquisitions that were “reasonably believed” to have occurred.[35] In contrast, states like Florida and Idaho narrow the acquisition requirement to “illegal” or “unlawful” acquisition of personal information before imposing a notification duty.[36] The remaining statutes impose no duty to notify if the breach will not reasonably cause harm to the affected individuals.

Notification requirements are defeated if the transaction of personal information is authorized by the data owner, not necessarily the individual. This point is reiterated in several statutes which somewhat redundantly declare that “good faith” acquisitions do not constitute a breach.[37] Once a person yields personal information to a third party, breach notification laws do not preserve his right to authorize or disallow further dissemination of his personal information. The right to authorize use of personal information belongs to the data steward, who is free to authorize or license the data to third parties as it sees fit, or in accordance with contract or other law. Absent a customer contract to the contrary, the only difference between an authorized and unauthorized acquisition of personal information may be a marketing agreement.

Unencrypted or Unredacted Sensitive Personal Information

In general, encrypting or redacting personal information eliminates the obligation to notify, because encrypted or properly redacted personal information is unreadable or unusable.[38] Indiana law extends this exception to stolen laptops, if they are merely password-protected.[39]

Broadly speaking, “personal information” is any information about a person, including a birth date, a favorite color, or a pet's name. However, not all personal information is objectively sensitive or identifying. Breach notification laws tend to protect specific enumerated sets of personal information deemed to be universally sensitive.

All US BNLs require notification when a person's unencrypted or unredacted name, in conjunction with their social security number, or financial account number and password, is breached.[40] Other common sets of protected information include driver's license numbers,[41] medical information,[42] and biometric indicators.[43] California's law also places additional obligations when handling 34 other types of sensitive personal information.[44] In general, the last four digits of the Social Security Number are not protected.[45]

Likelihood of Harm or Misuse

States as diverse as New Hampshire, Colorado, Delaware, Idaho, Kansas, Maryland, and Michigan impose a “likelihood of misuse” or “harm” test before requiring notification.[46] However, “misuse” is not defined in many of the statutes, and many give no standard for determining “likelihood” or “harm.” Arizona applies a narrow definition of “harm,” requiring notification only if a breach “is reasonably likely to cause substantial economic loss to an individual.”[47] Here, notification is only triggered when there is a likelihood of economic loss. These statutes do not recognize the harm of embarrassment, loss of confidentiality, or lost privacy.



Once all of the components of a breach are satisfied,[48] a covered entity must notify the affected individuals about the incident, in general terms.[49] Data owners must first make an effort to contact the affected individuals directly. In most states, primary notice consists of written or certified electronic notice,[50] telephone,[51] or some other form of communication with which the business regularly contacts customers, in accordance with an established information security policy.[52] In addition, third-party licensees of information must notify the data steward if a breach occurs.[53] Substitute notice is allowed in the event that the entity does not have sufficient contact information,[54] or if the affected class is sufficiently large, or if the cost of notification would cause undue economic hardship.

States vary radically on how they balance economic hardship. New Hampshire and Pennsylvania have the most lenient threshold for providing substitute notice. In those states, an entity may avoid direct contact if the cost would exceed $5,000, or the affected class of individuals is larger than 1,000.[55] Nebraska and Ohio provide a tiered approach: small businesses or agencies with ten or fewer employees have substantially lower thresholds of cost/class size than larger entities.[56] And Wyoming takes a decidedly protectionist stance, requiring out-of-state entities to demonstrate a cost of $250,000 or a class of 500,000 individuals, while in-state persons or businesses need to demonstrate a burden of only $10,000 or 10,000 persons to qualify for substitute notice.[57] In general, substitute notice thresholds range from $100,000-$250,000 for cost of notice, or an affected class of 200,000-500,000.[58]

Although multi-state businesses could strictly adhere to the notice provisions state by state, the practical public relations effect is that interstate businesses will have to meet a $250,000 and 500,000-person burden, or demonstrate that they do not have sufficient contact information, before taking advantage of the much cheaper substitute notice provisions. With very few variations, substitute notice consists essentially of three things: e-mail notification (when available), notification on the company's website, and notification to statewide media.[59]

Entities must deliver primary or substitute notice quickly, after verifying the scope of the breach and securing the data system, subject to the needs of any law enforcement investigation. Statutes have nuanced definitions of expediency, from “the most expedient time possible and without unreasonable delay,”[60] to “as soon as reasonably practicable.”[61] Florida and Wyoming require notification “without unreasonable delay,” but “no later than 45 days following the determination of the breach.”[62] The recent Stimulus Package requires HIPAA-covered entities to act within 60 days.

Finally, several states require entities to notify third parties when breaches occur, such as consumer reporting agencies, state consumer affairs departments, and state Attorneys General's offices.[63] However, they need not divulge the names or personal information of the individuals affected.[64]


Civil Penalties and Private Rights of Action

Often the state's Attorney General[65] can recover civil penalties if a covered entity fails to provide proper notice of a data breach.[66] Several states classify breaches as a deceptive business or trade practice, and impose civil penalties for violations.[67] Not all states specify a maximum civil penalty.[68] In contrast, Arizona provides for a maximum penalty of $10,000 per incident,[69] while Texas imposes a maximum penalty of $50,000.[70] New York's civil penalty is capped at $150,000,[71] while Florida tops out at $500,000.[72] Finally, Michigan imposes a maximum $750,000 civil fine for failing to notify its residents of a breach.[73] Some states, including Utah, expressly prohibit a private cause of action based on a failure to notify,[74] while Delaware and Wyoming leave open the possibility of a private lawsuit.[75]

A few states, including California and Minnesota, expressly authorize a private right of action, though it is unclear exactly what kinds of damages are cognizable.[76] Possible types of damages include apprehension, emotional distress, fear of fraud, loss of money, loss of property, identity theft, false arrest, ineligibility for benefits, the burden and cost of credit monitoring, closing compromised credit accounts, scrutinizing credit card statements indefinitely, loss of privacy, and damage to reputation, to name a few. Several cases have focused on the right of customers to recover for the cost of identity theft protection and mental distress caused by the increased risk of fraud after a data breach. They have generally failed. Some commentators have suggested that requiring data owners to provide identity theft protection for victims is analogous to medical monitoring damages after exposure to toxic substances.[77] Medical monitoring claims seek to mitigate the long-term risk of disease by recovering for the cost of periodic medical examinations.[78] By analogy, under this theory a data steward would be responsible to pay for identity theft monitoring where there is: “(1) significant exposure of sensitive personal information; (2) a significantly increased risk of identity fraud as a result of that exposure; (3) the necessity and effectiveness of credit monitoring in detecting, treating, and/or preventing identity fraud.”[79] However, this reasoning has been rejected by several courts.[80]

In general, courts have held that “costs of purchasing a credit monitoring product” and “time and money spent monitoring … credit” are not recoverable as a matter of law, where “no unauthorized use of … personal information has occurred.”[81] In those circumstances, any injury is purely speculative until fraud, identity theft or other misuse actually occurs. Without showing actual or imminent injury, plaintiffs lack Article III standing to recover for an alleged increased risk of identity theft.[82] Mere apprehension of future fraud or misuse is also insufficient to recover for emotional distress damages.[83]

Once plaintiffs suffer cognizable harm, they must demonstrate “but-for” causation. This requirement can be insurmountable, because it is often impossible to demonstrate a criminal's source of personal information, and the criminal may be located in another country or be judgment-proof.[84] Victims can recover cognizable damages only when they are able to demonstrate the breach of a duty and proximate causation. In one example, a union regularly sent members' sensitive personal information home with an employee. The employee's daughter stole the data and used it to commit several counts of identity theft. The court found that a special relationship existed between the plaintiff and the union, and that the union did not protect against the foreseeable risk of identity theft, because the union “knew confidential information was leaving its premises and no procedures were in place to ensure the security of the information.”[85] The plaintiff was therefore able to recover damages against the union.

In Minnesota, breach notification statutes expressly authorize a private right of action, and a duty to properly dispose of sensitive records.[86] A school improperly dumped educational records which included information about a student's IQ, psychological, intellectual, and functional abilities in a school dumpster. The papers blew out of the dumpster and were recovered by fellow students, who used the information to mock the boy. The boy recovered $60,00 in damages for pain and emotional distress and $80,000 for future embarrassment.[87] The court held that the Minnesota statute creates a duty to destroy records, that the school breached that duty, and that the boy suffered proximate harm due to the failure.[88] However, absent relatively rare duties to maintain confidentiality, recovering against a breaching entity is exceedingly difficult.


Other Theories of Liability

In his thorough article, Cybersecurity, Identity Theft, and the Limits of Tort Liability, Vincent R. Johnson explores other theories of liability for private suits in states which do not expressly provide for a private cause of action.[89] Even in those states, an individual may be able to rely upon a notification statute as the basis for a suit alleging negligence per se, where the breach of the duty to notify causes proximate harm to the plaintiff. As embodied by the landmark case Palsgraf v. Long Island Railroad, Judge Cardozo articulated a fundamental principle of tort liability: that foreseeability and risk of harm define the duty to another.[90] Economically efficient laws place duties on those who can most efficiently prevent harm.[91] Often, data owners are in the best position to prevent harm to customers by increasing security measures to decrease the foreseeable risk of breaches and hacks. Next, failure to correct statements (such as privacy policies) which have become false or misleading in light of new events may create a tortious cause of action if the data steward fails to warn customers about foreseeable risks to personal information.[92] In contrast, privacy torts (such as Appropriation of Likeness) are only applicable where the sale or abuse of personal information dilutes the property value of reputation or prestige,[93] or when the breached information causes extreme emotional distress.

Even absent a court-imposed tort duty, a data steward may voluntarily assume the duty to protect data, most commonly in a privacy policy.[94] Under this contract theory, the entity is liable if it induces another to rely on its promise to exercise care, to the other's detriment. In states where data is treated as property, the law accrues harms and benefits of personal information to the “owner” or steward. Minnesota's notification law has a strong tendency to treat data as property, by providing an express remedy to credit card companies for the cost of replacing credit cards,[95] but failing to create a private right of action for harm to individuals.[96] However, several courts have held that privacy policies are notices, not contracts, and are therefore not generally binding.[97]


American Recovery and Reinvestment Act (ARRA)

Congress recently passed the American Recovery and Reinvestment Act (ARRA), colloquially known as the “Economic Stimulus Package.” Buried in Subtitle D of the massive spending plan, Congress federalized breach notifications for HIPAA-regulated entities. ARRA preempts the few state BNLs which regulate health information breaches. Indeed, a few states already exempt HIPAA-regulated entities from even reporting breaches of social security numbers.[98] ARRA is currently the only Federal breach notification law, but Congress is likely to pass additional breach legislation in the future. ARRA mimics state notification laws in form and substance, with subtly different elements and duties. An ARRA breach is comprised of:

1. Unauthorized and Bad Faith
2. Acquisition, Access, Use, or Disclosure of
3. Unencrypted or Unredacted
4. Protected Health Information,
5. Which compromises the security or privacy of such information,
6. Where an unauthorized person could likely retain such information.

ARRA Covered Entities

ARRA applies to “covered” entities under the meaning of 45 C.F.R. § 160.103. These entities include Health Plans, Health Care Providers, and Health Care Clearinghouses. The statute dramatically broadens the ambiguous state-law concept of “data owners,” and applies to any HIPAA-covered entity that “accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information.”[99] “Protected Health Information” means “individually identifiable health information” which is stored or transmitted.[100] Such information may include personal information not directly related to health, such as a full name, social security number, date of birth, home address, account number, or disability code.[101] The law also requires third-party contractors or “business associates” to report breaches to the covered entity.[102]

The statute also reaches well beyond traditional “covered entities” to any service provider or vendor of personal health records. Presumably, this would include data warehouses like Google or Microsoft, each of which has or has announced plans to create online consumer health records warehouses. However, these vendors need only report breaches to the FTC, which will investigate the event as a deceptive trade practice.

ARRA Breach Components

Like typical BNLs, ARRA requires HIPAA-regulated entities (but not vendors) to notify each individual if their “unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of [a] breach.”[103] The legislation gives liberal exceptions for good faith and inadvertent disclosure, as long as the information is not breached further.[104] Redaction or encryption using reasonable technology is an absolute defense to a breach.[105]

ARRA Breach Notice

The breaching entity must notify individuals and the Secretary of Human Services “without unreasonable delay,” and within 60 days of the discovery of the breach.[106] The covered entity must notify the individual directly if possible, and must also post a notice on its website if the breach involves 10 or more victims who are not directly reachable. Unlike state BNLs, ARRA contains no economic hardship provision which would limit the duty to notify individuals in the case of very large breaches. If the breach involves more than 500 residents of a single state, the covered entity must notify the statewide media.[107] The notification must include a brief description of the incident, the date of the breach, the date of the discovery, a description of the types of protected health information breached, and steps individuals should take to protect themselves from potential harm resulting from the breach. The notification must also briefly describe the investigation, efforts to minimize losses, and efforts to protect against future breaches. Finally, the letter must contain contact information for individuals who wish to ask questions or learn more, including a toll-free phone number, e-mail address, website, or postal address.[108]

ARRA Liability

ARRA provides for civil and criminal liability for negligent or willful violations of this law.


Anatomy of European Union Breach Laws

EU breach notification requirements differ in key aspects from United States BNLs. First, the concept of “personal information” is much broader in the EU, compared with the United States. U.S. BNLs regulate persons and organizations which “own” narrow classes of highly sensitive personal information, such as social security numbers, while EU Directives regulate the exposure of any personal information. In this sense, EU laws are substantially broader. Second, EU laws regulate economic sectors. Directive 2002/58/EC regulates only the Communications sector, but not the broader “Information Society Service” sector. This means, for example, that a laptop theft from an ISP where the computer contains users' personal information is a breach. But the same laptop stolen from an online store currently does not constitute a “breach.” Third, EU Directives envision national regulatory bodies which coordinate all breach notifications. No single analogous organization (or uniform state entity) exists in the United States.

Despite approaching the problem of breaches from different perspectives, the EU directives and US laws contain several analogous provisions. EU Directive 2002/58/EC emphasizes the importance of protecting confidentiality,[109] and even encourages minimal collection of personal data in the communications sector.[110]


Covered Entities

EU Directives impose notification requirements based on an organization's economic sector. Directives 2002/21/EC (’21) and 2002/58/EC (’58) apply only to the electronic communications sector. Examples of “electronic communications services” are television broadcasters, Internet Service Providers, and cell phone companies.[111] Further, the Directive applies only to personal information collected from customers for the purpose of buying service.[112] In other words, the directive only protects personal data processed by ISPs, cell phone and cable companies; for example, users' credit card numbers or e-mail addresses.

Notification requirements specifically do not apply to the broader class of “information society services,”[113] which are covered by Directive 2000/31/EC.[114] The definition of “Information Society Services” is broad, essentially encompassing any paid service which utilizes modern communication systems[115] in order to provide service.[116] In the information age, this includes almost every conceivable service with customer interactions.[117] United States BNLs, in contrast, make few (if any) regulatory distinctions based on economic sector. However, these directives are under review by the Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (Working Party). The Working Party has recommended that the ’58 Directive be extended to Information Society Services, arguing that an extension “is necessary given the ever increasing role these services playing the daily lives of European citizens, and the increasing amounts of personal data processed by these services.”[118]


Breach of the Security of the Network

Neither the ’58 nor ’21 Directives clearly define what constitutes a “breach,” or whether a notification requirement accrues to a breaching entity. However, ’58 imposes a duty to notify service subscribers of “particular risk[s] of a breach of the security of the network,” along with tips to mitigate the risk.[119] Presumably, an actual breach would constitute a “particular[ly high] risk of a breach,” and would therefore incur a duty to notify.


The Directives anticipate that every breach will be reported to a national regulatory agency, but may not be reported to individuals if the breach does not pose a substantial risk.[120] Absent an explicit duty to notify individuals, the Working Party recommends that “security breaches should be notified to data subjects when they may lead to adverse effects to individuals' privacy and data protection.” The notification should be in a harmonized format, which includes clear and objective criteria that assist in assessing adverse effects of the breach.[121]

At least one proposed amendment to the data privacy directives would create a safe harbor for organizations which meet a minimum duty of care by installing “appropriate technological protection measures” to secure personal information, exempting them from all breach notifications. However, the Working Party opposes the amendment because, “[a]ffected users may only be in the position to take appropriate measures to mitigate the risks they are facing if they have been adequately informed…regardless of the technical measures that were actually taken to protect their data.”[122]

Authorized Use

United States BNLs grant authority to use personal information in property law terms such as “owning” or “licensing” data. Bad-faith, unauthorized use constitutes a breach. Similarly, in the EU, authority to use personal information emanates from the entity which possesses it, though the Directives do not invoke a property-like concept of personal information.[123] The ’58 Directive further creates an affirmative duty to restrict access to personal information by third parties, limiting access “to what is necessary” for any given activity.[124] The intent of the ’58 Directive is to require third parties acting under the authority of service providers to assume strict duties to protect the information.[125]

Definition of Personal Information

In the United States, protected personal information typically consists of narrow classes of information. However, the ’58 Directive indicates that personal data incorporates a broad range of information about a person, including “traffic data,”[126] “location data,”[127] and line items in itemized bills.[128]

In contrast to the United States, the Directives are silent about whether encrypting or redacting personal information nullifies a breach. However, the Working Party Opinion 2.2 seems to indicate that even breaches of encrypted personal information must be reported to a national regulatory agency.[129]

Likelihood of Harm or Misuse

EU laws also integrate risk analysis in determining whether notification is necessary. In the US, several states incorporate a “Likelihood of Harm or Misuse” test when determining whether a breach has occurred. In the EU, no analogous risk analysis test currently applies. However, the Working Party recommends creating a risk analysis test, not for purposes of determining whether a breach occurred, but whether an individual notification requirement exists. Such a test would attempt to avoid unnecessarily alarming individuals or flooding authorities with minor cases by considering several factors, including: the amount of data breached, the sensitivity of the data, and the potential for adverse effects like identity theft, financial loss, or loss of business or employment opportunities.[130]


Other Duties

In order to comply with the ’58 Directive, communication sector services owe several duties to subscribers. These duties can establish a minimum duty of care and standard of negligence in civil litigation. They include taking appropriate software and encryption measures to protect personal information,[131] and fully informing subscribers of potential risks to their personal information.[132]


Directive 2002/58/EC anticipates that each EU nation will provide judicial remedies for failure to comply with the requirements.[133] The Working Party also recommends that national regulatory authorities should be authorized to independently disclose a breach to the public, and impose fines if a service provider fails to fully report a personal data breach.[134] Detecting a concealed breach may require auditing and additional regulation.


[1] See, e.g., Colo. Rev. Stat. § 6-1-716(2)(a); Del. Code tit. 6, § 12B-102(a); Idaho Code § 28-51-105(1); Kan. Stat. § 50-7a02(a); Me. Rev. Stat. tit. 10 § 1348(1)(A); Md. Code, Com. Law § 14-3504(b)(1) (requiring an investigation when the entity becomes aware of a breach); La. Rev. Stat. § 51:3074(G) (imposing a duty to investigate when personal information was or was “reasonably believed to have been acquired by an unauthorized person.”).

[2] See American Recovery and Reinvestment Act (ARRA), Subtitle D.

[3] See American Recovery and Reinvestment Act (ARRA), Subtitle D.

[4] Cal. Civ. Code §§ 1798.82-84.

[5] See, e.g. N.H. Rev. Stat. § 359-C:2.

[6] See, e.g. Ga. Code § 10-1-910(4),(7).

[7] Ark. Code § 4-110-102(a)-(b); Cal. Civ. Code § 1798.81.5(a); R.I. Gen. Laws § 11-49.2-2(1).

[8] R.I. Gen. Laws § 11-49.2-2(1); Ga. Code: 10-1-910(6)-(7).

[9] N.H. Rev. Stat. 359-C:2(I)-(II).

[10] See, e.g. Minn. Stat. § 325E.64 Subd. 3(5).

[11] Treating data as property has few legal roots in intellectual property law, treated either as first- or third-party property. Most personal information, such as names, addresses, phone numbers, and social security numbers, are facts. 19 No. 7 Intell. Prop. & Tech. L.J. 5, 8. Although innovative arrangements of information are themselves copyrightable, facts are not. Feist Publications, Inc. v. Rural Telephone Service, 499 U.S. 340, 363-64, 111 S.Ct. 1282, 1297 (1991) (holding that an alphabetized collection of personal facts in a phone book is not copyrightable because 1. facts are not copyrightable, and 2. the phone book lacks minimally creative selection, coordination, and arrangement. “As a statutory matter, 17 U.S.C. § 101 does not afford protection from copying to a collection of facts that are selected, coordinated, and arranged in a way that utterly lacks originality.”) Patent law protects novel methods, processes, and physical compounds, but does not create first- or third-party ownership interests in personal information. 35 U.S.C.A. §§ 101-102. Facts in a database may qualify for trade secret protection under state law, but only if the information meets stringent requirements and remains secret. 19 No. 7 Intell. Prop. & Tech. L.J. 5, 8.

[12] Cal. Civ. Code § 1798.81.5(a); R.I. Gen. Laws § 11-49.2-2(1); Ark. Code § 4-110-103(6).

[13] See, e.g., Ark. Code § 4-110-105(b); Cal. Civ. Code § 1798.82(b); Colo. Rev. Stat. § 6-1-716(2)(b); Conn. Gen. Stat. § 36a-701b(c); Del. Code tit. 6, § 12B-102(b); Fla. Stat. § 817.5681(2)(a); Ga. Code § 10-1-912(a); Haw. Rev. Stat. § 487N-2(b); Idaho Code § 28-51-105(2); Ind. Code § 4-1-11-6(a); Kan. Stat. § 50-7a02(b); La. Rev. Stat. § 51:3074(B); Me. Rev. Stat. tit. 10 § 1348(2); Md. Code, Com. Law § 14-3504(c)(1); M.G.L.A. § 3(a); Mich. Comp. Laws 445.72 § 12(2); Minn. Stat. § 325E.61 Subdiv. 1(b); Mont. Code § 30-14-1704(2); Nev. Rev. Stat. § 603A.220(2); N.Y. Gen. Bus. Law § 899-aa(1)(d)(3).

[14] Cal. Civ. Code § 1798.80(b).

[15] Cal. Civ. Code § 1798.82(d).

[16] Haw. Rev. Stat. § 487N-2(a) (Requiring notification of a breach of personal information in any form, “whether computerized, paper, or otherwise.”)

[17] California's prototypical statute reaches “well beyond California's borders, potentially affecting any company, person or agency that has a computer database containing any California resident's ‘personal information.”’ Tyler Paetkau & Roxanne Torabian-Bashardoust, California Deals with ID Theft: The Promise and the Problems, Bus. L. Today, May-June 2004, at 37, 37.

[18] Ariz. Rev. Stat. § 44-7501(A), (L)(5) (2007 S.B. 1042, Chapter 23)

[19] See, e.g., Mont. Code Ann. §§ 30-14-1702(1)(a), -1704(1)-(2) (2005) (imposing a notification duty on “[a]ny person or business that conducts business” and defining a business as “a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit, including a financial institution…or the parent or the subsidiary of a financial institution.”); N.D. Cent. Code § 51-30-02 (Supp. 2005) (creating an obligation to notify for “[a]ny person that conducts business”).

[20] See e.g., Ohio Rev. Code § 1347.12.

[21] See, e.g., Ariz. Rev. Stat. § 44-7501(L)(5) (2007 S.B. 1042, Chapter 23) (exempting notification requirements for breaches made by public safety officials, courts, and municipal prosecutors); Ga. Code Ann. §§ 10-1-911(2), -912(a) (Supp. 2005) (exempting “any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes”).

[22] Ariz. Rev. Stat. § 44-7501(J)(1); Colo. Rev. Stat. § 6-1-716(2)(p); Mich. Comp. Laws § 445.72(8)(b); N.H. Rev. Stat. § 359-C:20(VI)(b); Oregon, 2007 S.B. 583, Chapter 759 Section 3(8)(c); Tenn. Code § 47-18-2107(i); D.C. Code § 28-3852(c); Vt. Stat. tit. 9 § 2445(d)(1) (exempting financial institutions from duty to destroy personal information). Though the GLB requires financial institutions to publicize their privacy policies, and establish internal safeguards and procedures to protect consumer personal information, the statute does not require consumer notification in case of a breach. Gramm-Leach-Bliley Act of 1999, Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. §§ 6801–6809.

[23] Ariz. Rev. Stat. § 44-7501(J)(2); Cal. Civ. Code § 1798.81.5(e)(3); Haw. Rev. Stat. § 487N-2(g)(2); Mich. Comp. Laws § 445.72 Sec. 12(10); Oregon, 2007 S.B. 583, Chapter 759 Sec. 12(2)(c); R.I. Gen. Laws § 11-49.2-7; Vt. Stat. tit. 9 § 2445(d)(2) (exempting health insurers and health care facilities from duty to destroy personal information). Until recently, entities covered by HIPAA were not required to notify individuals of breaches. See American Recovery and Reinvestment Act (ARRA), Subtitle D.

[24] Vt. Stat. tit. 9 § 2445 (d)(3) (exempting consumer reporting agencies from duty to destroy personal information).

[25] Oregon, 2007 S.B. 583, Chapter 759 Section 3(8)(b).

[26] See Ga. Code Ann. §§ 10-1-911(2), -912(a) (Supp. 2005) (limiting the obligation to “information brokers,” or “any person or entity who, for monetary fees or dues, engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning individuals for the primary purpose of furnishing personal information to nonaffiliated third parties.”). Coincidentally, the major data broker ChoicePoint is headquartered in Georgia; ChoicePoint suffered a large and well-publicized data breach in 2005.

[27] Me. Rev. Stat. tit. 10 §1347 (6)(E) (2005).

[28] See, e.g., BusinessWeek, Firm to settle suits stemming from employee's theft of records, April 12, 2008, 5:45 AM ET (The Kansas City Star, Mo., via Knight Ridder/Tribune) (accessed June 13, 2008).

[29] Cal. Civ. Code § 1798.82(d).

[30] See, e.g., Cal. Civ. Code § 1798.81.5(a),(b). Ark. Code § 4-110-104(b).

[31] Cal. Civ. Code § 1798.82(a).

[32] See, e.g., Colo. Rev. Stat. § 6-1-716(2)(a); Del. Code tit. 6, § 12B-102(a); Idaho Code § 28-51-105(1); Kan. Stat. § 50-7a02(a); Me. Rev. Stat. tit. 10 § 1348(1)(A); Md. Code, Com. Law § 14-3504(b)(1) (Requiring an investigation when the entity becomes aware of a breach.); La. Rev. Stat. § 51:3074(G) (Imposing a duty to investigate when personal information was or was “reasonably believed to have been acquired by an unauthorized person.”).

[33] See, e.g., Ariz. Rev. Stat. § 44-7501(L)(1) (2007 S.B. 1042, Chapter 23); Cal. Civ. Code § 1798.82(a); Colo. Rev. Stat. § 6-1-716(1)(a); Conn. Gen Stat. § 36a-701b(a); Del. Code tit. 6, § 12B-101(1); Fla. Stat. § 817.5681(4); Ga. Code § 10-1-911(1); Haw. Rev. Stat. § 487N-1; Idaho Code § 28-51-104(2); 815 ILCS 530/5; Ind. Code § 4-1-11-2(a); Kan. Stat. § 50-7a01(h); La. Rev. Stat. § 51:3073(2); Me. Rev. Stat. tit. 10 § 1347(1); Md. Code, Com. Law § 14-3504(a)(1); M.G.L.A. 93H § 1(a); Mich. Comp. Laws § 445.63(3)(b); Minn. Stat. § 325E.61(1)(a); Mont. Code § 30-14-1704(1); Nev. Rev. Stat. § 603A.020; N.J. Stat. § 56:8-161(10); N.Y. Gen. Bus. Law § 899-aa(1)(c); Ohio Rev. Code § 1347.12(2)(a); Tenn. Code § 47-18-2107(a)(1); Utah Code § 13-44-102(1)(a); Vt. Stat. tit. 9 § 2430(8)(A); D.C. Code § 28-3851(1).

[34] N.Y. Gen. Bus. Law § 899-aa(c).

[35] See, e.g., Cal. Civ. Code § 1798.82(a); R.I. Gen. Laws § 11-49.2-3(a); Wash. Rev. Code § 19.255.010(1); Ark. Code § 4-110-105(a)(1) (Requires notification when a breach is “reasonably believed” to have occurred.).

[36] See, e.g., Fla. Stat. § 817.5681(4); Idaho Code § 28-51-104(2).

[37] See, e.g., Ariz. Rev. Stat. § 44-7501(L)(1); Ark. Code § 4-110-103(1)(B); Cal. Civ. Code § 1798.82(d); Colo. Rev. Stat. § 6-1-716(1)(a); Del. Code tit. 6, § 12B-101(1); Fla. Stat. § 817.5681(7); Ga. Code § 10-1-911(1); Haw. Rev. Stat. § 487N-1; Idaho Code § 28-51-104(2); 815 ILCS 530/5; Ind. Code § 4-1-11-2(b)(1); Kan. Stat. § 50-7a01(h); La. Rev. Stat. § 51:3073(2); Md. Code, Com. Law § 14-3504(a)(2); M.G.L.A. 93H § 1(a); Mich. Comp. Laws 445.63 § 3(b)(i); Minn. Stat. § 325E.61(1)(b); Mont. Code § 30-14-1704(1); Nev. Rev. Stat. § 603A.020; N.J. Stat. § 56:8-161(10); N.Y. Gen. Bus. Law § 899-aa(1)(c); Ohio Rev. Code § 1347.12(2)(a), § 1347.19(A)(1)(b)(i).

[38] See, e.g., Ariz. Rev. Stat. § 44-7501(L)(1); Colo. Rev. Stat. § 6-1-716(1)(d)(I); Conn. Gen Stat. § 36a-701b(a); Del. Code tit. 6, § 12B-101(1); Ga. Code § 10-1-911(5); Haw. Rev. Stat. § 487N-1; Idaho Code § 28-51-104(2); 815 ILCS 530/5; Ind. Code § 4-1-11-5(a); Kan. Stat. § 50-7a01(h); La. Rev. Stat. § 51:3073(4)(a); Me. Rev. Stat. tit. 10 § 1347(6); Md. Code, Com. Law § 14-3501(d)(1); M.G.L.A. 93H § 1(a); Mich. Comp. Laws 445.72 § 12(1)(a); Minn. Stat. § 325E.61(1)(a); R.I. Gen. Laws § 11-49.2-3(a); Tenn. Code § 47-18-2107(a)(1); Utah Code § 13-44-102(1)(b); Vt. Stat. tit. 9 § 2430(5)(A); D.C. Code § 28-3851(1).

[39] Ind. Code § 24-4.9-2-2(b)(2).

[40] See, e.g., Utah Code § 13-44-102(3).

[41] See, e.g., Colo. Rev. Stat. § 6-1-716(1)(a).

[42] See, e.g., Ark. Code § 4-110-103(1)(A).

[43] See, e.g., M.G.L.A. 93H § 1(a).

[44] Cal. Civ. Code § 1798.81.5(d)(1), 1798.82(e).

[45] See, e.g., Ind. Code § 4-1-11-3(b)(1); Nev. Rev. Stat. 603A.040(3); see also Ohio Rev. Code § 1347.12(A)(9) (Stating that a Social Security Number is properly redacted if only the last four digits are exposed).

[46] N.H. Rev. Stat. § 359-C:20(I)(a); Colo. Rev. Stat. § 6-1-716(2)(a); Del. Code tit. 6, § 12B-102(a); Idaho Code § 28-51-105(1); Kan. Stat. § 50-7a02(a); Md. Code, Com. Law § 14-3504(b)(2); Mich. Comp. Laws 445.72 § 12(1).

[47] Ariz. Rev. Stat. § 44-7501(K)(1) (2007 S.B. 1042, Chapter 23).

[48] Namely: 1. (Reasonable likelihood of) Unauthorized and Bad Faith 2. Acquisition of 3. Unencrypted or Unredacted 4. (Computerized) Personal Information 5. (Which is likely to cause harm).

[49] See, e.g., Haw. Rev. Stat. §487N-2(d)(1) (Requiring that notice of the breach describe “[t]he incident in general terms.”). See also, Mich. Comp. Laws § 359-C:20(IV)(a).

[50] Cal. Civ. Code § 1798.82 (g).

[51] See, e.g., Colo. Rev. Stat. § 6-1-716(1)(c)(II).

[52] See, e.g., Ariz. Rev. Stat. § 44-7501(E); Cal. Civ. Code § 1798.82(h); Colo. Rev. Stat. § 6-1-716(3); Ga. Code § 10-1-911(3)(C)(iii).

[53] See, e.g., Mich. Comp. Laws 445.72 § 12(1)(a); Cal. Civ. Code § 1798.81.5(c); Ariz. Rev. Stat. § 44-7501(B); Ark. Code § 4-110-105(b).

[54] See, e.g., Ark. Code § 4-110-105(e)(3)(A)(iii).

[55] N.H. Rev. Stat. § 359-C:20(III)(d); see also Vt. Stat. tit. 9 § 2435(b)(5)(B) (Allowing substitute notice if the cost exceeds $5,000 or the class of affected individuals exceeds 5,000).

[56] Neb. Rev. Stat. § 87-801 (4)(e); Ohio Rev. Code § 1347.12(E)(5).

[57] Wyo. Stat. § 40-12-502 (d)(iii).

[58] See, e.g., Cal. Civ. Code § 1798.82(g)(3) (Requiring persons to demonstrate a $250,000 cost or class of affected individuals over 500,000); Haw. Rev. Stat. § 487N-2(e)(4) (Requiring persons to demonstrate a $100,000 cost or class of affected individuals over 200,000).

[59] See, e.g., Cal. Civ. Code § 1798.82(g).

[60] See, e.g., Cal. Civ. Code § 1798.82(a).

[61] Md. Code, Com. Law § 14-3504(b)(2).

[62] Fla. Stat. § 817.5681(1)(a); Wis. Stat. § 895.507(1)(cm)(3).

[63] See, e.g., Colo. Rev. Stat. § 6-1-716(2)(d) (Must notify all consumer reporting agencies where breach exceeds 1,000 people); Ga. Code § 10-1-912(d) (Must notify all consumer reporting agencies where breach exceeds 10,000 people); Haw. Rev. Stat. § 487N-2(f) (Must notify all consumer reporting agencies and Hawaii's Office of Consumer Protection where breach exceeds 1,000 people); 815 ILCS 530/12(d) (Must notify all consumer reporting agencies where breach exceeds 1,000 people); Ind. Code § 4-1-11-10 (State agencies must notify all consumer reporting agencies where breach exceeds 1,000 people); Kan. Stat. § 50-7a02(f) (Must notify all consumer reporting agencies where breach exceeds 1,000 people); La. Rev. Stat. 32:4 (Must notify Louisiana Attorney General); Me. Rev. Stat. tit. 10 § 1348(4),(5) (Must notify all consumer reporting agencies, Department of Professional and Financial Regulation, or Attorney General where breach exceeds 1,000 people); Md. Code, Com. Law § 14-3504(h) (Must notify Maryland Attorney General); M.G.L.A. 93H § 3(b) (Must notify the Director of Consumer Affairs, Attorney General, and consumer reporting agencies); Mich. Comp. Laws 445.72 § 12(8) (Must notify all consumer reporting agencies where breach exceeds 1,000 people).

[64] See, e.g., N.H. Rev. Stat. § 359-C:20(I)(b) (“Nothing in this section shall be construed to require the person to provide to any regulator or the New Hampshire attorney general's office the names of the individuals entitled to receive the notice or any personal information relating to them.”).

[65] Pisciotta v. Old Nat'l Bancorp., 499 F.3d 629, 637 FN 8 (7th Cir. 2007) (Louisiana law “provides as the exclusive remedy an action by the Attorney General against the database owner.”).

[66] See, e.g., Ariz. Rev. Stat. § 44-7501(H); Ark. Code § 4-110-108; Colo. Rev. Stat. § 6-1-716(4); Kan. Stat. § 50-628; Me. Rev. Stat. tit. 10 § 1349(1); Minn. Stat. § 325E.61 Subd. 6; N.D. Cent. Code § 51-30-07; Ohio Rev. Code § 1347.12(G); Tenn. Code § 47-18-2105(a).

[67] See, e.g., 815 ILCS 530/12 Sec. 20. (“A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act”); Tenn Code § 47-18-2106(b) (“any violation of the provisions of this part shall be construed to constitute an unfair or deceptive act or practice”); Conn. Gen Stat. § 36a-701b(g).

[68] See, e.g., D.C. Code § 28-3853(b) (“Attorney General may recover a civil penalty not to exceed $100 for each [residents' breached information], the costs of the action, and reasonable attorney's fees.”).

[69] Ariz. Rev. Stat. § 44-7501(H).

[70] Tex. Bus. & Com. Code § 48.201.

[71] N.Y. Gen. Bus. Law § 899-aa(6)(a) (A “court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one hundred fifty thousand dollars.”).

[72] Fla. Stat. § 817.5681(1)(b)(2).

[73] Mich. Comp. Laws § 445.72 Sec. 12(13) (Recovery of civil fine of not more than $250 for each individual, not totaling more than $750,000.00).

[74] See, e.g., Utah Code § 13-44-301(1)-(2)(a) (“Nothing in this chapter creates a private right of action”).

[75] Del. Code tit. 6, § 12B-104 (“The provisions of this chapter are not exclusive and do not relieve an individual or a commercial entity subject to this chapter from compliance with all other applicable provisions of law.”); Wyo. Stat. § 40-12-502(f) (The provisions of this section are not exclusive and do not relieve an individual or a commercial entity subject to this section from compliance with all other applicable provisions of law.)

[76] Cal. Civ. Code § 1798.84(b) (“Any customer injured by a violation of this title may institute a civil action to recover damages.”); Minn. Stat. § 13.05 Subd. 5(2).

[77] Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L. Rev. 255, 305-311 (2005) (Noting the analogy between toxic torts and cybersecurity breaches.).

[78] Potter v. Firestone Tire & Rubber Co., 863 P.2d 795, 821 (Cal. 1993) (citing Ayers v. Twp. of Jackson, 525 A.2d 287, 308 (N.J. 1987)). See also, Badillo v. American Brands, Inc., 16 P.3d 435, 439 (Nev. 2001).

[79] Stollenwerk v. Tri-West Healthcare Alliance, No. 03-0185PHXSRB, 2005 WL 2465906, at *4 (D. Ariz. Sept. 6, 2005) (But, “as a matter of law identity theft and credit monitoring must still be differentiated from toxic torts and medical monitoring”); see also People v. Ware, No. H025167, 2003 WL 22120898, *2 (Cal. Ct. App. Sept. 11, 2003) (affirming an award of restitutionary damages to a victim of identity theft, including “$100 per year for monitoring the adverse consequences on her credit rating”).

[80] Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705, 709-12 (S.D.Ohio 2007); Henry v. Dow Chemical Co., 473 Mich. 63, 701 N.W.2d 684, 692 (2005) (Rejecting the medical monitoring analogy, concluding that “our common law requires a present injury in addition to economic loss incurred as a result of that injury.”).

[81] Kahle v. Litton Loan Servicing LP, 486 F.Supp.2d 705, 709-12 (S.D.Ohio 2007); see also Ponder v. Pfizer, 522 F.Supp.2d 793, 798 (M.D. Louisiana 2007) (Holding that actual damages are only realized when “someone actually use[s] the disclosed information to [plaintiff's] detriment.”); Hendricks v. DSW Shoe Warehouse, Inc., 444 F.Supp.2d 775 (W.D.Mich. 2006) (Holding that “purchase of a credit monitoring product” is not “actual damages or a cognizable loss.”); Forbes v. Wells Fargo Bank, N.A., 420 F.Supp.2d 1018, 1020-21 (D.Minn. 2006) (Holding that “expenditure of time and money” for credit monitoring does not constitute injury or damages because it “was not the result of any present injury, but rather the anticipation of future injury that has not materialized.” “[T]hreat of future harm, not yet realized, will not satisfy the damage requirement.”); Key v. DSW, Inc., 454 F.Supp.2d at 690 (Holding that an “alleged increase in risk of future injury is not an 'actual or imminent' injury,” and must therefore fail.).

[82] Randolph v. ING Life Insurance and Annuity Co., 486 F.Supp.2d 1, 11 (U.S. District Court, DC 2007) (Holding that in a stolen laptop case where no evidence of fraud or identity theft has occurred, “[p]laintiffs have failed to allege an injury in fact and thus lack Article III standing.”); Nat'l Treasury Employees Union, 101 F.3d at 1427 (citing Lujan, 504 U.S. at 560, 112 S.Ct. 2130, 119 L.Ed.2d 351); Lujan v. Defenders of Wildlife, 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (Holding that standing is an “irreducible constitutional minimum.”).

[83] Pisciotta v. Old Nat'l Bancorp., 499 F.3d 629, 639-40 (7th Cir. 2007) (Refusing to compensate for “emotional distress and worry that third parties will use [the plaintiffs'] confidential personal information to cause economic harm.”).

[84] Brent Wible, A Site Where Hackers Are Welcome: Using Hack-In Contests to Shape Preferences and Deter Computer Crime, 112 Yale L.J. 1577, 1581-85 (2003), at 1582 (Contending that “hackers tend to be judgment proof”).

[85] Bell v. Michigan Council, Not Reported in N.W.2d, 2005 WL 356306 at *5 (Mich.App.).

[86] Minn. Stat. § 13.05 subd. 5(2).

[87] Scott v. Minneapolis Public Schools, Special Dist. No. 1, No. A05-649, 2006 WL 997721 (Minn. App. Apr. 18, 2006).

[88] Scott v. Minneapolis Public Schools, Special District No. 1, Not Reported in N.W.2d, 2006 WL 997721, *3 (Minn.App. 2006) (Holding that Minn.Stat. § 13.02, subd. 16 (2002) and § 13.08, subd. 1 creates a duty to individuals, not just a broad duty against disclosure of records.).

[89] Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L. Rev. 255 (2005).

[90] Palsgraf v. Long Island Railroad Co., 162 N.E. 99, 100 (N.Y. 1928).

[91] Kline v. 1500 Massachusetts Avenue Apartment Corp., 439 F.2d 477 (D.C. Cir. 1970).

[92] McGrath v. Zenith Radio Corp., 651 F.2d 458, 468 (7th Cir. 1981) (Holding that the failure to correct earlier true statements which have become false or misleading was fraudulent); see e.g., Note 134, where a breaching entity continues to assert that “your personal information is safe,” in the wake of a severe data breach. But see Note 64, where a business responds to a data breach by attempting to disclaim all duties.

[93] Rest. 2d Torts § 652C cmt (1977) (Explaining that “[if] the benefit derived from the sale in no way relates to the social or commercial standing of the person whose information is sold… [then] a person whose personal information is sold does not have a cause of action for appropriation against the [person] who sold the personal information.”).

[94] See generally, Restatement (Third) of Torts: Liab. for Physical Harm § 42 (Proposed Final Draft No. 1, 2005) (discussing duty based on undertaking).

[95] Minn. Stat. § 325E.64 Subd. 3.

[96] Minn. Stat. § 325E.61 Subd. 6.

[97] Citation Pending.

[98] Ariz. Rev. Stat. § 44-7501(J)(2); Cal. Civ. Code § 1798.81.5(e)(3); Haw. Rev. Stat. § 487N-2(g)(2); Mich. Comp. Laws § 445.72 Sec. 12(10); Oregon, 2007 S.B. 583, Chapter 759 Sec. 12(2)(c); R.I. Gen. Laws § 11-49.2-7; Vt. Stat. tit. 9 § 2445(d)(2) (exempting health insurers and health care facilities from duty to destroy personal information).

[99] American Recovery and Reinvestment Act, H.R. 1, § 13402(a).

[100] 45 CFR 160.103.

[101] ARRA, H.R. 1, § 13402(f)(2).

[102] ARRA, H.R. 1, § 13402(b).

[103] ARRA, H.R. 1, § 13402(b).

[104] ARRA, H.R. 1, § 13400.

[105] ARRA, H.R. 1, § 13402(h)(1)(A)-(B).

[106] ARRA, H.R. 1, § 13402(d)(1).

[107] ARRA, H.R. 1, § 13402(d).

[108] ARRA, H.R. 1, § 13402(f).

[109] Directive 2002/58/EC Preamble (21).

[110] Directive 2002/58/EC Preamble (30).

[111] Directive 2002/21/EC Article 2(c).

[112] Directive 2002/58/EC Article 3(1).

[113] Directive 2002/21/EC Article 2(c).

[114] Directive 2000/31/EC currently does not require consumer notification for breaches.

[115] Directive 2002/21/EC Article 2(a) defines “electronic communications network” as “transmission systems and, where applicable, switching or routing equipment and other resources which permit the conveyance of signals by wire, by radio, by optical or by other electromagnetic means, including satellite networks, fixed (circuit- and packet-switched, including Internet) and mobile terrestrial networks, electricity cable systems, to the extent that they are used for the purpose of transmitting signals, networks used for radio and television broadcasting, and cable television networks, irrespective of the type of information conveyed;”

[116] Directive 2002/21/EC Article 2(c).

[117] Directive 98/34/EC as amended by Article 1(2) of Directive 98/48/EC defines an Information Society Service as “…any service normally provided for remuneration, at a distance, by electronic means… [except] radio…[and] television broadcasting services.”

[118] Working Party Opinion 2.1.

[119] Directive 2002/58/EC Article 4(2).

[120] Working Party Opinion 2.1: “Notwithstanding their obligation to notify the competent national regulatory authorities of all breaches whenever there is a risk of adverse effects, service providers should determine if notification to subscribers or individuals is required.” Working Party Opinion 2.2: “…breach notifications [to national regulatory agency] should include information about the circumstances of the breach, including whether personal data had been protected by encryption…”

[121] Working Party Opinion 2.1.

[122] Working Party Opinion 2.2.

[123] Directive 2002/58/EC Articles 6(5), 9(3) require personal information to be used only by persons “acting under the authority of” the communications providers.

[124] Directive 2002/58/EC Articles 6(5), 9(3).

[125] Directive 2002/58/EC Preamble (32): “Where the provider of an electronic communications service or of a value added service subcontracts the processing of personal data necessary for the provision of these services to another entity, such subcontracting and subsequent data processing should be in full compliance with the requirements regarding controllers and processors of personal data as set out in Directive 95/46/EC.”

[126] Directive 2002/58/EC Article 2(b).

[127] Directive 2002/58/EC Article 2(c).

[128] Directive 2002/58/EC Article 7(1).

[129] “…breach notifications [to national regulatory agency] should include information about the circumstances of the breach, including whether personal data had been protected by encryption…”

[130] Working Party Opinion 2.1, fn.4: “The qualitative and quantitative criteria for assessing the impact of adverse effects will need to be defined precisely during the comitology procedure…”

[131] Directive 2002/58/EC Article 4(1), Preamble (20).

[132] Directive 2002/58/EC Article 4(2), Preamble (20).

[133] Directive 2002/58/EC Preamble (47).

[134] Working Party Opinion 2.1.

How to Write an ARRA Breach Notification Letter

The American Recovery and Reinvestment Act of 2009 (ARRA) requires HIPAA-covered entities to notify breach victims when protected health information has been disclosed to an unauthorized person. The legislation gives liberal exceptions for good faith and inadvertent disclosure. Redaction or encryption is an absolute defense to a breach.

“Protected Health Information” is any stored or transmitted health information which can be tied to an individual. It may include information not directly related to health, such as a full name, social security number, date of birth, home address, account number, or disability code. The law also requires third-party contractors or “business associates” to report breaches to the covered entity.

When a breach occurs, the covered entity must notify victims and the Secretary of Human Services “without unreasonable delay,” and within 60 days of the discovery of the breach. The covered entity must notify the individual directly if possible (i.e., by mail), and must also post a notice on its website if the breach involves 10 or more victims who are not directly reachable. If the breach involves more than 500 residents of a single state, the covered entity must also notify statewide media.

A breach notification letter must meet differing but complementary legal and economic goals. They include:

  1. Complying with law
  2. Minimizing Losses

Compliance with Law

Complying with the law is straightforward. In addition to the requirements above, the notification must include a brief description of the incident, including the following information:

  • Date of the breach;
  • Date of discovery;
  • Description of the types of protected health information breached;
  • Steps individuals should take to protect themselves from potential harm resulting from the breach;
  • A brief description of the investigation, efforts to minimize losses and prevent future breaches;
  • Contact information for individuals who wish to ask questions or learn more information, including a toll-free phone number, e-mail address, website, or postal address.

Repairing your Company’s Image

Avoid the natural tendency to clam up. Of course, the best way to protect your company’s image is to keep bad news out of the public eye. But once the cat’s out of the bag, several studies indicate that more than two-thirds of economic losses arising from a data breach are due to brand diminishment and lost customer trust, rather than litigation or identity theft expenses.

Above all, your company must maintain credibility. Be honest, open, and share enough detail to convince an educated person that you know what you’re talking about, and that you’ve actually fixed the problem. Consider hiring an outside security consultant who can 1. Give you genuine feedback on your security practices, and 2. Vouch for your credibility when you say that your customers are safe.

Rebuilding Customer Trust

Consider your last trip to the Department of Motor Vehicles. It probably consisted of waiting for hours in multiple serpentine lines without any direction, followed by more waiting, followed by spending money. The best part is riding away in your car when you’re done. Surprisingly, Disneyland and the DMV have a lot in common: Long lines, spending money, and rides. What sets the DMV apart from the happiest place on earth? One important ingredient is Customer Empowerment.

One way the Disney folks empower customers is by posting periodic signs in long lines: “Wait Time: 45 minutes from this point.” Though the sign does not decrease wait time, it informs and empowers customers. And as Disney knows, empowered customers are happy customers. Frustrated, angry customers are far more likely to cause trouble or leave altogether.

The best way to rebuild your customers’ trust is to empower them. Too many breach notifications include the unhelpful statement, “We have no reason to believe that anyone has accessed or misused your information.” The statement is faulty because it does not empower the customer to take action. Also, if the statement isn’t completely true, or if it changes in the future, it may inadvertently induce liability under certain circumstances. Further, these types of statements tend to frustrate rather than empower customers, causing some to conclude that the notification is incomplete or disingenuous.

Instead, consider these options:

  • Say, “Although we have no reason to believe that anyone has accessed or misused your information, if you think your personal information has been misused as a result of this breach, please call 1-800-XXX-XXXX so we can investigate…”
  • Include statistics on typical rates of harm for similar breaches, where possible.
  • Actually investigate the breach.
  • Create a website where customers can get up-to-the-minute updates on the investigation directly from you, rather than from the media.

Mitigating Civil Liability

ARRA does not expressly create a private right of action for a HIPAA breach. Other theoretical sources of liability exist, though. For example, an individual may be able to rely upon a notification statute as the basis for a suit alleging negligence per se, where the breach of the duty to notify causes proximate harm to the plaintiff. Next, failure to correct statements (such as privacy policies) which have become false or misleading in light of new events, may create a tortious cause of action if the company fails to warn customers about foreseeable risks to personal information.

In contrast, most breaches are not likely to create privacy liability. Privacy tort actions usually require the breached information to cause extreme emotional distress, or a dilution of the property value of reputation or prestige. In addition, most courts have consistently failed to force companies to pay for credit monitoring services unless:

  1. A person has become an actual victim of identity theft,
  2. The person has found the thief,
  3. The person can prove that the thief’s copy of their SSN or other personal information came from the breaching entity, and
  4. The person proves that the entity had a legal obligation to keep that information private.

Instead, it’s important to remember that businesses stand to lose more money from brand diminishment and lost customer trust than from litigation.

Privacy Policies and their inclusion in Terms of Service

Recently, as the proliferation of copy-and-paste legal documents has become more noticeable because of search technology, I find that sites are trying to do a few interesting things.

1. They are burying their policies, both terms of use, privacy policies, and related documents, deeper into the site rather than making them accessible on the front page.  Google was a known culprit of burying its legal policies, and there has been a large amount of discussion about whether its actions were compliant.  Recently, Google has amended its approach and posted a Privacy Policy at the bottom of its homepage, with the rest of its legal policies still difficult to find.  This has been a topic of recent discussion mostly due to the increased activity of the European Union Article 29 working group and its requests to remove personally identifiable information retained by search engines after a reasonable amount of time.

2. The issue that inspired this post was whether a privacy policy that is not incorporated either by reference or entirely in a Terms of Service is actually binding or in the least bit applicable to govern the use of personally identifiable information collected by a website when a user visits the site.  Many sites post a privacy policy separate and apart from their Terms of Service/Use, and may mention the privacy policy in it, or not at all.  Most Terms of Service/Use however also have the following clauses or something similar:

“Entire Agreement

These Terms of Service are the entire and exclusive agreement between [COMPANY] and you regarding the Site, Content, Services,… and these Terms of Service supersede and replace any prior agreements between [COMPANY] and you regarding the Site, Content, Services…..”

Now, generally speaking in contract drafting, if a document is not referenced therein and explicitly incorporated as being part of the agreement, it is not a part of the binding contract; at most it may be considered a persuasive document demonstrating the intent of the parties, not a binding one.  In this instance, does a user or the FTC have the right to sue for theft or misappropriation of personally identifiable information, or even for deceptive marketing practices under the bevy of laws applicable to that, including the CAN-SPAM Act and related statutes?  A solicited email may no longer be considered solicited if the Terms of Service/Use are governing and the privacy policy is therefore no longer effectual, because the “Entire Agreement” clause has made the privacy policy not worth the bytes it takes.

These are speculative legal musings, because no court has ruled on this at this point, and I wonder why no lawyer has brought this action previously.  I exempt myself because I'm not a litigator, but watch the dockets; it may be coming shortly.

Overcoming Obstacles in a Web 2.0 world

A couple of really interesting points that we are addressing.

1. Due to the Article 29 working group of the European Union: how long can you keep your server logs, what information do you need and can you keep, and what information do you have to get rid of, and when?

This is an interesting topic, especially considering Google's most recent declaration limiting the length of time it retains logs and information.   The European Union data protection officials have recently disagreed that Google's response is adequate in relation to how long it can retain identifiable personal information.  Data protection policies are currently much more advanced and detailed around the world than they are in the United States.

2. Privacy policies, behavioural advertising, and deep packet inspection by ISPs are currently under close inspection by the FTC.  It has been a few months since the Facebook Beacon behavioural marketing fiasco erupted, yet there are still no bright-line rules for anonymizing personally identifiable information or for how user information can be sent to third parties.  Data protection issues abound, and the FTC is essentially stating that until something clear comes out, please use transparency: make it clear to users how information is handled and directed.

…more to come.