Adopting appropriate security controls in response to risk assessment plays an important role in determining whether liability will be imposed in the event of a breach. In Bell v. Michigan Council, for example, the court held that a union was liable for failure to provide appropriate security where it did nothing to protect against a foreseeable threat to its data. Yet in the Guin case noted above, the court held that a proper risk assessment had been performed and that the harm in question was not reasonably foreseeable. As such, the defendant was not liable for its failure to defend against that particular risk.

The law also examines whether security controls are adequate and properly implemented. Just because data is encrypted, for example, does not mean it is secure. One need only look at the TJX breach, which compromised an estimated 90 million encrypted credit card records. Ongoing monitoring, testing, and evaluation of the effectiveness of security controls is required to ensure that they are properly implemented and continue to be effective.

And when assembling your security strategy to appropriately meet the risks your organization faces, don't forget about third parties that have your data. Outsourcing information processing does not relieve you of your obligation to secure the outsourced data. As a consequence, you must look carefully at the security measures your outsource providers have in place—contractual and otherwise—to respond to a breach should one occur.

The duty to disclose security breaches In addition to the legal duty to implement security measures to protect data, you are also required—in many instances—to disclose security breaches that do occur to the persons affected by the breach. Laws that require notification seek to provide individuals not only with a warning that their personal information has been compromised, but also an opportunity to take steps to protect themselves against the consequences of identity theft and unauthorized account access.

A total of 44 states, plus the District of Columbia, Puerto Rico, and the Virgin Islands have enacted breach notification laws as of August 2008. The key requirements, which can vary significantly from state to state, include the following:

• What type of information is covered? The statutes generally apply to unencrypted sensitive personal information—for example, information consisting of first name or initial and last name, plus one of the following: Social Security number; driver's license or other state ID number; or financial, credit card, or debit card account number. Some states cover additional data categories as well.
• What triggers the duty to give notice? Generally, the statutes require notice to individuals following the unauthorized acquisition of data that compromises the security, confidentiality, or integrity of such personal information. In some states, however, notice is not required unless there is a reasonable basis to believe that the breach will result in substantial harm or inconvenience to the individual.
• Who must be notified? Notice must be given to any residents of the state whose unencrypted personal information was the subject of the breach. Some states also require notice to the attorney general, and several states require notice to the credit agencies.
• When notice must be provided Generally, persons must be notified in the most expedient time possible and without unreasonable delay; however, in most states, the time for notice may be extended to accommodate the legitimate needs of law enforcement, if notification would impede a criminal investigation, and to give the company time to take necessary measures to determine the scope of the breach and restore reasonable integrity to the system.