As it currently stands, there is no specific federal law addressing a business's obligations when it comes to a data breach. Although there are laws that apply to doctors and hospitals, there is nothing under federal law that would apply to self-storage facilities. This is not for lack of trying: two data security breach notification bills have been introduced, but neither has passed through Congress. Instead, 47 states, plus the District of Columbia, have enacted their own state law requirements dictating what a business must do if it suffers a data breach of its customers' personal information.
While there are similarities among the states, just as with state lien laws, there are subtle differences that operators need to consider depending on the state in which a self-storage property is located. Generally, each state addresses the requirement, upon discovery of a breach, to notify the affected customers, notify law enforcement, and, in some states, notify credit reporting agencies. In other states, there is a recommendation to offer affected customers free credit services, such as credit monitoring, to watch for improper use of the stolen information. Some states require that these types of services be provided, some give affected customers the right to sue for damages if their information is taken, and others provide for governmental penalties if the notifications are not delivered in a timely manner. Again, since each state law is unique, self-storage operators should be careful to review the applicable law for their state should a data breach occur.
As examples, we can look at the states of California, Colorado, Florida, and Georgia. California provides that if a breach occurs, the business must notify not only the customers but also the Attorney General of the State if more than 500 customers are affected. The law does not require that the business notify credit reporting agencies. The California law does provide that notifications must be sent within 10 business days of the discovery of the breach, and it provides a civil right of recovery against the business for affected customers. Lastly, the California law requires the business to offer appropriate identity theft prevention and mitigation services at no cost to the affected customers for no less than 12 months. In Colorado, the notices must be sent to all affected consumers and to credit reporting agencies, and the notification must be sent "in the most expedient time and without unreasonable delay". Further, under that state law the Attorney General has the right to bring an action to provide relief for those consumers who are damaged by the breach. In Florida, the customers must be notified in addition to credit reporting agencies, and such notification must occur within 30 days of the discovery of the breach. Under that statute, failure to comply can result in damages being assessed up to $500,000. Finally, in Georgia, the notification must be sent to the customers and credit reporting agencies "without unreasonable delay", and no enforcement penalties are provided under the law.
Under all the state laws, the contents of the notifications are similar. The notice must explain how and when the breach occurred, what information was taken, what actions have been taken to remedy the breach and ensure it cannot occur again, and what actions the business is taking for the benefit of the affected customers (for example, providing free credit monitoring). Since the cost of notifications, as well as the cost to cure the breach, can be substantial, many companies are investing in cyber liability and data breach insurance. Even if a self-storage company may not seem to be at risk, it is strongly recommended that this type of coverage be included in any policy purchased to insure your business.