As it currently stands, there is no specific federal law addressing a business’s obligations when it comes to a data breach. Although there are laws that apply to doctors and hospitals, there is nothing under federal law that would apply to self-storage facilities. This is not for lack of trying: two data security breach notification bills have been introduced, but neither has passed through Congress. Instead, 47 states, plus the District of Columbia, have enacted their own state law requirements dictating what a business must do if it suffers a data breach of its customers’ personal information.
While there are similarities among the states, just as with state lien laws, there are subtle differences that operators need to consider depending on the state in which a self-storage property is located. Generally, each state addresses the requirement, upon discovery of a breach, to notify the affected customers, notify law enforcement, and, in some states, notify credit reporting agencies. Some states recommend offering affected customers free credit services, such as credit monitoring, to watch for improper use of the stolen information. Some states require that these types of services be provided, some give affected customers the right to sue for damages if their information is taken, and others provide for governmental penalties if the notifications are not delivered in a timely manner. Again, since each state law is unique, self-storage operators should be careful to review the applicable law for their state should a data breach occur.
As examples, we can look at the states of California, Colorado, Florida, and Georgia. California provides that if a breach occurs, the business must notify not only the customers but also the Attorney General of the State if more than 500 customers are affected. The law does not require that the business notify credit reporting agencies. The California law does provide that notifications must be sent within 10 business days of the discovery of the breach, and it provides affected customers a civil right of recovery against the business. Lastly, the California law requires the business to offer appropriate identity theft prevention and mitigation services at no cost to the affected customers for no less than 12 months. In Colorado, the notices must be sent to all affected consumers and to credit reporting agencies, and the notification must be sent “in the most expedient time and without unreasonable delay.” Further, under that state’s law the Attorney General has the right to bring an action to provide relief for consumers who are damaged by the breach. In Florida, the customers must be notified in addition to credit reporting agencies, and such notification must occur within 30 days of the discovery of the breach. Under that statute, failure to comply can result in damages being assessed up to $500,000. Finally, in Georgia, the notification must be sent to the customers and credit reporting agencies “without unreasonable delay,” and no enforcement penalties are provided under the law.
Under all of the state laws, the contents of the notifications are similar. The notice must explain how and when the breach occurred, what information was taken, what actions have been taken to remedy the breach and ensure it cannot occur again, and what actions the business is taking for the benefit of the affected customers (for example, providing free credit monitoring). Since the cost of the notifications, as well as the cost to cure the breach, can be substantial, many companies are investing in cyber liability and data breach insurance. Even if self-storage companies may not seem to be at risk, it is strongly recommended that this type of coverage be included in any policy purchased to insure your business.