Digitally complying with data breach notification laws: a little planning goes a long way

eSignature and ePayment News and Trends


Your company suffered a data breach, and you have to send breach notices to affected consumers. You know the quickest and easiest way to do that is using email. You check your records and find email addresses for the affected consumers. In some cases that's the only address you have. But can you send an electronic data breach notice?

Most US jurisdictions have enacted some form of data breach notification law. These laws typically describe (i) which businesses must comply; (ii) what constitutes a breach that triggers the need to send a notice; and (iii) the contents, timing and method of delivery for the notice. For example, California requires any business conducting business in California to disclose any breach of a security system maintaining personal information. Cal. Civ. Code §1798.82(a). The disclosure must be made in writing, id. at (d)(1), but may be made via electronic means if the business complies with the Federal ESIGN Act, 15 U.S.C. §7001 et seq. Id. at (j)(2). (See also Cal. Civ. Code §1798.29 with respect to the breach notification requirements of California state and local governmental agencies.)

The ESIGN Act requires that a business obtain a consumer's consent to receive electronic information such as a breach notice. Before consenting, the consumer must be provided with disclosures describing how the business will provide such information and the type of information that will be provided in electronic form, and the consumer must consent in a manner that reasonably demonstrates that the consumer can access the information in the intended electronic form. 15 U.S.C. §7001(c)(1). Note that even if a state breach law does not incorporate ESIGN directly but does require the notice to be provided in writing, companies will need to look to the state's adoption of the Uniform Electronic Transactions Act (UETA). The UETA has been adopted in 49 jurisdictions to date, many of which have incorporated ESIGN's consumer consent requirements. In states that have not incorporated ESIGN §101(c) or similar requirements, such laws still require consent before an electronic record may satisfy a writing requirement. The consent in these states can be express or implied.

With this knowledge, you check your records again. But you don't find an ESIGN consent on file, or you find that, although your company obtained an ESIGN consent, the consent isn't broad enough to cover data breach notices. What do you do now?

You can send your notices by US mail to those consumers with physical addresses on record. But that leaves out the many consumers with only email addresses on file.

Fortunately, some data breach notification laws address this situation by permitting email notice even where ESIGN consent was not obtained, but only upon satisfaction of certain conditions, which may include public dissemination of information concerning the breach. For example, the California data breach law permits your company to send the required notice by email if:

  1. email notice is sent to the persons with only email addresses on file;
  2. the notice is conspicuously posted on your company's website homepage for a minimum of 30 days (which means providing a link to the notice on the home page or first significant page after entering the Internet website that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link); AND
  3. notification is given to major statewide media. Cal. Civ. Code §1798.82(j)(3).

Be sure your company has the flexibility to address and remediate security breaches discreetly and in compliance with the applicable laws. With proper planning, your company can handle a data breach quickly, cost-effectively and with minimal exposure, all while remaining compliant with data breach notification laws.

Learn more by contacting any of the authors.