Thomas on Data Breach: A Practical Guide To Handling Data Breach Notifications Worldwide by Liisa Thomas is a solid first edition with all the markings of becoming a go-to desk reference for private practitioners and in-house counsel responsible for navigating any organization through the thicket of data breach regulations. The 200-pages of text provide a comprehensive summary of U.S. state and federal laws that may be triggered when personal information is accessed or disclosed to unauthorized persons. It also addresses international obligations and provides the reader with a good starting point for identifying obligations that may exist in countries other than the United States.
The book is published as a softbound single volume consisting of eight chapters and two extensive appendices—one containing copies of the U.S. federal and state data breach notification statutes, the other containing copies of non-U.S. notification laws. The chapters are arranged topically with relevant information from state, federal and international laws compared and contrasted within each chapter. While that organizational style makes it difficult for the reader to obtain a complete summary of any single law from a single location, arranging the book by topic facilitates understanding the details and nuances of key aspects involved in responding to a data breach, such as understanding which laws apply, the varying types of information that may trigger notification obligations, comparing when notification is required, how notice may be given and the varying and sometimes contradictory requirements for what to include in a notice.
Since the full text of each state law, major relevant federal legislation and even some international laws pertaining to data breach notification is included in the appendices, the lack of references to specific sections in some of the chapters is likely to be a minor inconvenience. In addition, to address the challenge of keeping up with new laws, revisions to existing laws, and important court decisions, Thomas has created a companion website, which she intends to keep updated with significant developments before hard copy updates and future editions can be published. For example, the current edition was finalized prior to recent amendments to Iowa’s data breach law, Kentucky’s enactment of a data breach law (making it the 47th state with one) and a federal court’s determination, at least for the purposes of a motion to dismiss, that the U.S. Federal Trade Commission (FTC) has the power to regulate cybersecurity under the unfairness prong of the FTC Act. Each of these developments, as well as others that will undoubtedly occur in the future, is important enough that readers will want to make sure they regularly check Thomas’s website.
Thomas takes the reader on a tour of data breach notification obligations from beginning to end, with chapters addressing how to determine whether to notify, conducting investigations, insurance coverage, whether to notify when data breach notification laws are not triggered, providing notice, responding to post-notification inquiries and potential consequences for violating breach notification statutes. Each chapter is further divided into clearly marked sections that will facilitate the use of the volume as both a research tool and practical guide when analyzing a possible breach and charting a response. Questions such as which states require notification to which regulators or when can notifications be provided by e-mail are easily answered by a quick review of the detailed table of contents.
Thomas answers the question of what motivated her to write this book by indicating that she sought to fill a void in legal references or treatises that comprehensively addressed and synthesized U.S. data breach notification requirements as well as those applying elsewhere. She identifies three goals of the book:
If it is a helpful tool for you in the next data breach in which you are involved, I have succeeded. And if showing the book to your senior leadership to demonstrate how complicated this area is also helps, all the better. And even better still, what if government regulators read it and began to understand just what a daunting—and expensive—task it can be to comply with all of these notice requirements. Requirements that, even if met, may not accomplish their stated goal of helping individuals protect themselves.
There is no doubt that Thomas has succeeded in her first goal, and even a cursory review of several of the chapters should help legislators and regulators understand the byzantine array of requirements that businesses must navigate in determining whether and how to notify users of certain events, some of which have no bearing on the risk of possible harm to consumers and some of which are completely contradictory. For example, Thomas points out that many state laws do not contain specific requirements for what to include in a breach notice, but others do. And of those that do, most require a description of the incident, but Massachusetts does not permit inclusion of a description of the nature of the breach.
Thomas, with assistance from contributors Monique Bhargava, Liz Brodzinski, Robert Newman, Pavel Sternberg and Marc Trachtenberg, devoted untold hours over the course of approximately a year in preparing the book. Their effort will not be lost on the reader, who will benefit from the effort that went into categorizing, assimilating and organizing the volume. The chapters are generally consistent in their level of detail, although some chapters, such as the one addressing the intricacies of providing notice, are more detailed and heavily footnoted. Others, such as the chapters on insurance and penalties, are suitable as a general introduction and high-level review of the topics.
Thomas and her contributors should be proud of the resource they have prepared. It is a testament to their dedication and knowledge of the subject matter and is destined to become a trusted reference for anyone who is interested in understanding the ever-evolving data breach notification landscape.
Jim McCullagh, CIPP/US, is a partner in Perkins Coie's Litigation Practice and co-chairs the firm's Privacy & Security Practice and is also active in the Intellectual Property Litigation and E-Discovery Services & Strategy national practices. He focuses on technology and intellectual property issues, including investigation, enforcement programs and litigation of computer fraud and abuse, data breaches, spam, phishing and IP infringement.