Given the seemingly constant attempts at hacking sensitive customer data, accountants and other financial professionals should review their obligations to provide notice in the event of a breach of their electronically stored client information. In the absence of a federal breach notification law, despite several attempts to enact one, a patchwork of 47 state statutes has developed, with varying requirements on the disclosure of a data breach to customers and reporting of the breach to state authorities.
The New Jersey Identity Theft Prevention Act, N.J.S.A. 56:8-163, is illustrative. It requires disclosure to customers within New Jersey and a prompt report to the Attorney General, through the State Police, of any breach of security of computerized records if “personal information was, or is reasonably believed to have been, accessed by an unauthorized person.” A “breach of security” is defined broadly as the “unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the information has not been secured by encryption or other methods that render the information unusable or unreadable.” N.J.S.A. 56:8-161.
New Jersey is part of a small group of states, including Connecticut and Florida, where “unauthorized access” to personal information qualifies as a breach. In comparison, Pennsylvania is among the states that have adopted a more rigorous standard, requiring both “unauthorized access and acquisition” to qualify as a breach, and incorporating a risk of harm analysis in its definition. 73 Pa. Stat. 2302. New York, similar to California, defines a breach as an “unauthorized acquisition or acquisition without valid authorization,” and includes factors to determine whether information has been acquired or is reasonably believed to have been acquired. N.Y. Gen. Bus. Law 899-aa(1)(c).
However, New Jersey law does not mandate notification in all cases. The law does not require disclosure to a customer “if the business or public entity establishes that misuse of the information is not reasonably possible. Any determination shall be documented in writing and retained for five years.” N.J.S.A. 56:8-163(a). Thus, to the extent the unauthorized access is to encrypted or password-protected data, customer notification may not be required. Even where the data is not encrypted, customer notification may not be required if the firm or business can say misuse of that data is “not reasonably possible.” That could well be the case when a stolen laptop computer or smartphone requires a log-in code or unique password to access the server or firm database, or when the firm has the ability to remotely disable or “wipe” the data from the stolen device. Best practice would require the Chief Information Security Officer or an outside IT professional to provide written support for the conclusion that misuse is “not reasonably possible.” The firm should also implement and document appropriate remedial measures designed to prevent a recurrence of the incident. Violation of the breach notification law is an unlawful practice under the New Jersey Consumer Fraud Act, but there is no private right of action under the statute allowing for individual lawsuits. The New Jersey Division of Consumer Affairs has adopted regulations implementing the reporting and recordkeeping provisions of the Identity Theft Protection Act. See N.J.A.C. 13:45F.
Even if notification is not required by the breach notification law, there may be other reasons to alert clients. For example, certified public accountants are under an ethical obligation not to disclose confidential information about their clients obtained during the course of performing professional services. N.J.A.C. § 13:29-3.7; AICPA Code of Professional Conduct, Rule 1.700.001. These standards arguably would require notice to clients of any loss of confidential client information even if the incident were not reportable under the Identity Theft Protection Act. Even if notice is not required under the ethical rules, there may be sound business reasons to provide it. A professional firm could suffer major reputational damage from the negative publicity surrounding a significant data breach, and direct client notification will allow the firm to control the communication of such incidents. Apart from damaging publicity, other potential adverse consequences are just as real, including the potential of claims and lawsuits from its clients for the breach, which would only be compounded by a failure to provide notification. The firm should also consider how to address other less direct or immediate consequences, including the potential that the firm would have to disclose the breach in responding to requests for proposals or when competing for engagements, that the firm could even be suspended or disqualified from future public sector work, that the firm could have difficulty obtaining liability insurance to cover future breaches without high premiums, and that it could face lawsuits from its clients or “whistle-blower” lawsuits from employees based on inadequate data security practices.
Given the potential exposures, as sound risk management practice, even small professional firms should be familiar with notification requirements in the event of a data breach.
Further information about data breach reporting is available through the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) website.