II. STATE DATA BREACH STATUTES FAIL TO ADDRESS AUTOMATED WIDESPREAD ACCESS AND UNCLEAR ACQUISITION
“Breach notification laws have been a major driver of data protection efforts in U.S. organizations for more than a decade.”18 These laws serve a laudable purpose: they require custodians of personal information to inform individuals when their personal information has been compromised so that they can take steps to protect themselves from identity theft.19 But achieving this end can be challenging because the conditions that trigger the duty to notify are not well defined.
With respect to these conditions, data breach notification laws can be divided into two categories. Most data breach laws require notification when “unauthorized acquisition” of personal information occurs.20 Other statutes require notification when “unauthorized acquisition and access” occurs.21 However, because acquisition cannot occur without access, these statutes can be grouped together. In a minority of states, the duty to notify is triggered by events that include “unauthorized access” to personal information.22 Thus, state data breach statutes fall into two categories: the majority approach, which requires both unauthorized access and acquisition to trigger notification, and the minority approach, which requires only unauthorized access.
18. David Thaw, Data Breach (Regulatory) Effects, 2015 CARDOZO L. REV. DE-NOVO 151, 151 (2015).
19. See Harmon, supra note 1, at 479 (“Data breach notification laws have the dual purpose of protecting private citizens and holding data owners accountable”).
20. See LIISA M. THOMAS, THOMAS ON DATA BREACH: A PRACTICAL GUIDE TO HANDLING DATA BREACH NOTIFICATIONS WORLDWIDE § 2:25 (2020) (listing state statutes that define a security breach as an unauthorized acquisition of personal information).
21. Id.; see, e.g., VA. CODE ANN. § 18.2-186.6 (2021) (“‘Breach of the security of the system’ means the unauthorized access and acquisition of unencrypted and unredacted computerized data . . . .”).
While the minority approach may seem to offer greater protection than the majority approach, it presents compliance problems because threat actors are adept at disguising their access to security systems. Such access can often go undetected, even by sophisticated security systems, for months or years. As a result, the minority approach is essentially precatory in practice because complete compliance is not feasible.
The majority approach also presents compliance challenges because it is often unclear whether acquisition of personal information has occurred. Most data breach statutes do not define the terms “acquisition” or “acquired.”23 Vermont’s data breach statute, one of the few exceptions, provides factors for determining whether personally identifiable information has been acquired, including: “(i) indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing brokered personal information; (ii) indications that the brokered personal information has been downloaded or copied; (iii) indications that the brokered personal information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; or (iv) that the brokered personal information has been made public.”24
With this guidance in mind, consider the following common cybersecurity event. A threat actor gains access to a system, running a PowerShell script across the network and touching files containing personal information, but there is no evidence either confirming or refuting that the information was transferred by the threat actor. Under Vermont’s statute, does the absence of evidence of downloading or copying mean no information was acquired? Reasonable minds can differ when answering this question, which makes compliance with this statute difficult and uniform application unlikely. This problem is compounded by statutes that offer no guidance on the meaning of “acquired” and demonstrates why data breach statutes are ripe for revision.
22. THOMAS, supra note 20, § 2:25; see, e.g., N.J. STAT. ANN. § 56:8-161 (West 2021) (“‘Breach of security’ means unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information . . . .”); CONN. GEN. STAT. § 36a-701b (2021) (“‘[B]reach of security’ means unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information . . . .” (emphasis added)).
23. See, e.g., VA. CODE ANN. § 18.2-186.6 (2021); ARIZ. REV. STAT. ANN. § 18-551 (2021); KAN. STAT. ANN. § 50-7a01 (2021).
24. VT. STAT. ANN. tit. 9, § 2430 (2022).
Table of Contents
- INTRODUCTION
- I. EMERGING THREATS HAVE UPENDED DATA BREACH NOTIFICATION LAWS
- II. STATE DATA BREACH STATUTES FAIL TO ADDRESS AUTOMATED WIDESPREAD ACCESS AND UNCLEAR ACQUISITION
- III. EVOLUTION OF TECHNOLOGY, INCLUDING QUANTUM COMPUTING, REQUIRES CHANGES TO THE CURRENT STATE DATA BREACH NOTIFICATION REGIME
- IV. THE PUSH FOR FEDERAL LEGISLATION TO UNIFY A NOTICE STANDARD AND ADDRESS THESE CONCERNS