In Brief - December 2018


NEBRASKA PARALEGAL ASSOCIATION

IN THIS ISSUE:
From the President
From the Editor
Save the Dates
District I News
NALA News
Getting to Know Your Officers
California Steps Into Fray
California’s New Privacy Law
Breach Disclosure Regulations in the U.S.




FROM THE PRESIDENT: AMBER ROBERTS, ACP

“The difference between what we do and what we are capable of doing would suffice to solve most of the world’s problems.” ~ Mahatma Gandhi

I recently had the pleasure of attending an all-day training called the Best Year Yet®. This program is built to help individuals focus their goals into actionable items based on their values and where they want to be. At the end of the program, I had my top ten goals for 2019, guidelines for living my life to the fullest, a new paradigm to shift my way of thinking, and the one role (out of the many I play daily) that I will focus on the most.

I was skeptical at first when I joined the session as to the actual benefits I would receive but was amazed at the number of insights I had regarding my own behavior, including things I do or say that sabotage my potential. From the beginning, the program made me take a step back and evaluate myself…which is something I rarely take the time to do. They asked me to write down what my life would look like this time next year if I’d experienced the best year of my life. What did I write?

• Great physical shape – able to do a 5k no problem
• Feel centered through prayer and meditation
• Spend at least one night a week with family without distractions like phones and just have fun
• Ability to create and craft on a regular basis
• Promoted at work to a position that doesn’t exist yet but which I would have developed

We were then asked to write down our accomplishments from the previous year as well as our biggest disappointments. I had a major “ah-ha” moment on these when I compared them. Nearly all my accomplishments were related to things other than what I felt would make for a great year. My disappointments, however, were generally linked.




I then took time to verbalize what I learned from both accomplishments and disappointments which led me to my three guidelines.

Get my priorities straight. Family is most important. Learn to listen and take constructive criticism. Stick to my priorities with ruthlessness. It’s okay to say no.

The next step was to look at how I limit myself through words or actions and what I say about myself to explain my failures. Out of that came my Limiting Paradigm of “I might fail so I avoid taking the risk.” I was then asked to come up with a New Paradigm to use in the coming year. I chose, “I will try my hardest and overcome my fears.”

Now that I had a new lens to view 2019 through, I focused on my personal values of quality work, continuous learning, family, giving back, creativity, and spirituality. I added in the roles I play in my life of mother, wife, friend, employee, mentor, leader, provider, and artist/writer. I picked one role to focus on during the next year and brainstormed goals for each of the other roles as well. Out of that work, I chose the top ten goals I would work toward and made sure they matched up to my values, what I wanted to accomplish to have a great year, and my new paradigm. What were some of the goals I came up with?

• Spend at least a few hours a month with each of my kids doing what he/she wants to do.
• Get fit by working out at least three times or a total of three hours each week.
• Reconnect with my husband by going out just the two of us at least once a month.
• Build a training program and leverage to make an impact related to my work environment, including presenting at least one new class.
• Mentor at least three successors in different areas of my life so I can step back and focus more on my other goals.
• Budget better and spend more mindfully so we can redirect funds to meet our goals.
• Organize my creative space to fully use my creative time which will be a minimum of two hours a week.

The last step involved what I needed to set myself up for success, including setting monthly subgoals and scheduling them on my calendar as well as sharing my plan with my family and friends (and apparently the entire NePA community!) to get support for changes I plan to make. How do I feel now? Energized, unburdened, grateful, and ready to kick butt and take names! I hope during December you are also able to take time to reflect on the past year and really SEE not only all that you’ve accomplished but also set your goals for 2019 and deliver them with laser focus. My best wishes to all of you during this holiday season and I look forward to hearing about all of your great accomplishments (many, I hope, involving NePA)!



FROM THE EDITOR

Season's greetings from the Publications Committee! I hope you will enjoy this final edition for 2018 and I want to thank the Committee, especially Casey Ochs, for their contributions to this issue.

Soon we will be making resolutions for the New Year (some of us, anyway). Besides the usual ideals of weight loss, exercise, etc., I urge you to consider maximizing your NePA membership in 2019 by serving on a committee. It is a great opportunity for networking and the time commitment is minimal. In fact, if you like to write, I invite you to join our committee! We are always looking for additional help.

If you have an article that you would like to share with the membership, you can forward it to me at or We will take care of any reprint requests.

Happy Holidays. See you in 2019! Do you like what you’ve seen in this issue? Do you have questions or comments? Notice an error? Let us know at:

Publications Committee:

Publications Committee Members:
Kim Hansen, Chair
Casey Ochs, CP
Kimberly Brown, ACP
Amber Roberts, ACP
Shannon Persoma



SAVE THE DATES

January 23rd - District I Luncheon (How to Respond to a Serve from the NEOC, Brandie Hinkle of the Nebraska Equal Opportunity Commission - Anthony’s Steakhouse, Omaha) (CLE)
February 13th - District II Luncheon (Breaking the Ties that Bind: Birth Mother Concerns and Ending Parental Rights, Susan Sapp of Cline Williams - Green Gateau, Lincoln)
February 20th - District I Luncheon (The European Union’s GDPR Has Changed the World of Privacy Law, Rick Jeffries of Cline Williams - Beacon Hills, 6750 Mercy Road, Omaha) (CLE)

Register for events at: http://

Board Meetings (5:30-7:30pm): January 8th Whitmore Law Office March 5th June 4th August 6th (budget) Gavilon October 8th

March 27th - District I Luncheon (Wind Farms, David Levy of Baird Holm LLP - Anthony’s Steakhouse, Omaha)
April 12th - Spring Seminar and Mid-Year Meeting (Mahoney State Park, Ashland) (CLE)
May 15th - District II Luncheon (Developing Defensible Deletion Strategies, Reggie Pool, HBR Consulting LLC - Ameritas, 5900 O Street, Lincoln) (CLE)
May 22nd - District I Luncheon (Network for Success: Creating Your Personal Board of Directors, Sara English of Mutual of Omaha - Anthony’s Steakhouse, Omaha)
June 5th - District I Afternoon Event (CLE)
August 7th - District II Luncheon (Lincoln)
September 18-19th - Recognition Breakfast, Annual Meeting and Fall Seminar (Scott Conference Center, Omaha) (CLE)
October 23rd - District I Luncheon (Domestic Violence & Sexual Assault: Addressing Issues, Decreasing Victims, Sara Eliason of Women’s Center for Advancement - Anthony’s Steakhouse, Omaha) (CLE)
November 13th - District II Luncheon (Lincoln)
November 20th - District I Luncheon (Establishing Financial Wellness for Yourself and Your Clients, Kathleen Spencer of Operation HOPE, Inc. - Anthony’s Steakhouse, Omaha)



DISTRICT I NEWS

Wow! Did anyone else leave the November District I luncheon excited to improve your eating habits, your health, and your mind? Jason's presentation gave us thought-provoking ideas for our health future. Did you know that we can reverse many dietary diseases including heart disease, Type 2 diabetes, high blood pressure, high cholesterol, arthritis, cancer, gut and intestinal diseases, and thyroid and autoimmune conditions?

Jason recommended a whole-food, plant-based diet to include grains, beans, seeds, nuts, fruits, vegetables, herbs, and spices. He also suggested that we select nutrient dense over calorie dense foods and that we should eat 6-8 servings of both fruit and vegetables every day! Great cruciferous vegetables for your diet include kale, bok choy, broccoli, cauliflower, cabbage, watercress, etc. Jason also recommended removing all dairy products from our diets and eating grass-fed, wild caught, or free range meats, when we do include meats in our diet.

If you missed the presentation, please feel free to review the PowerPoint we emailed to the membership for more great information, including a list of great reads on this subject! Did you know that the average person eats 80,000 meals in a lifetime? What's in your diet? Please feel free to obtain further information at or contact Jason with any questions at

Next month, join us as Brandie Hinkle from the Nebraska Equal Opportunity Commission presents “Navigating the Investigative Process: How to Respond to a Serve from the NEOC.” 1 hour of CLE will be offered.

SURVEY COMMENTS:

“Yesterday's speaker was fantastic!! He is the kick that I needed to hear!”

“I sure did enjoy Jason's presentation. I could have listened to him for another hour. I am pleased that he wants to spread his word.”

“Jason was a very engaging speaker and had an interesting topic. It was much more thought-provoking than I thought it would be!”

“I really enjoyed Jason Ott's presentation. Many times I think that we educate our minds but forget about fueling our bodies appropriately to keep up with the demands of our schedules – both at work and at home. His message was timely and informative. Thank you for thinking of him and setting it up!”







NO NEW MEMBERS THIS ISSUE. Please remember to help spread the NePA word! We would love to have new members in 2019!



How to Respond to a Serve by the NEOC
Speaker: Brandie Hinkle, Lead Investigator, NEOC

January 23, 2019 **1 hour of CLE

Cost: Member $12, Non-member $17

Anthony's Steakhouse
7220 F. Street
Omaha, NE 68127

11:00-11:30 Networking
11:30-12:30 Education & Lunch

Register at by January 18th



NALA NEWS

Merry Christmas, Happy Holidays, and Season’s Greetings! As we are all scurrying around this time of year, I hope everyone is having a wonderful holiday season. As the new NALA Liaison, I want to keep you up-to-date with all things NALA. The November/December issue of Facts & Findings has so much information in it. If you have not read it, I suggest you do. You don’t want to miss out on all the new things NALA is coming out with; specifically, a few new columns titled: “Legal History”; “How To…”; “Ask Pat”; and a “Member Profile”.

CLEs: NALA has announced a new and exciting way to obtain CLEs. You can earn CLE credit by reading articles in Facts & Findings. There will be five articles in each issue. You read the designated articles and then take a short test. You must achieve at least an 80% on the test to receive credit. Please visit the NALA website at for more information. You can earn up to 2 CLEs per year and 5 CLEs during each certification renewal. Also, NALA is offering CLE bundles. One is an Organizational Leadership Bundle offered at $159.00 per member and you will receive 20 CLEs upon completion. The other is the CP Review Course Bundle at $166.00 per member and you will receive 12 CLEs upon completion.

Awards: As a reminder, NALA also has several awards: Founder’s Award, President’s Award, Making a Difference Award, and Affiliate Association Award. The deadline for most nominations is May 1, 2019. If you would like to nominate a person you feel embodies the spirit of one of these awards, please contact me at NALA’s website has all the information you need regarding the requirements for the awards.

Affiliate Exchange: NePA has submitted a proposal for the 2019 Affiliate Exchange at the NALA convention in Arizona entitled “Collaborating Committees: Working Together for Ultimate Success.” This would be another wonderful opportunity if we are selected to present at the national level. Keep your fingers crossed!

New ACPs: I am pleased to announce that we have two members who have recently earned their ACP credentials: Ronda Spence in Discovery, and Maren Collins in Trial Practice. Congratulations, ladies!

NALA Survey: Finally, NALA members should have received an email to take a short technology survey. I encourage all to participate. This information will help NALA know what technology and software issues there are and possible solutions.

Merry Christmas and Happy New Year, everyone!

Breaking the Ties that Bind: Birth Mother Concerns & Ending Parental Rights

Speaker: Susan Sapp, Attorney Cline Williams Wright Johnson & Oldfather

February 13, 2019 11:30am to 12:30pm

Green Gateau
330 S. 10th St.
Lincoln, NE 68508

Cost: $12 Members, $17 Non-Members

Register at starting January 24th




GETTING TO KNOW YOUR OFFICERS – MICHAELA SEIDL

What is your current position on the board?
Website Administrator.

How did you end up in the paralegal field?
I have always been fascinated by the law and helping people. I get very nervous “performing” in front of others, so becoming a lawyer and performing in a court room scared me. Supporting an attorney through difficult cases and trial preparation has always fascinated me, and was the next best thing to “performing” in a courtroom.

How did you become involved in NePA?
My co-worker, Lori Froistad, who is a veteran paralegal introduced me to the NePA group.

What made you decide to join the board?
Part of my law firm’s mission is to lead change in the legal experience, and part of my law firm’s values include those values of “excellence” and “support.” By connecting with other professionals in the legal field, this allows me to develop relationships in our legal community, create connections that may help develop our own firm as we live our own mission, and personally develop and grow my own professional skills.

What has been the greatest benefit of being a member of NePA?
The greatest benefit of being a member of NePA has been connecting with like-minded, empowering professionals who all strive to make our legal community better.

What advice do you have for those looking to enter the paralegal field?
Advice I have for those looking to enter the paralegal field is that unless you have a specific area of law that you know you would like to practice in, start out (even as a legal assistant) in a general practice firm. You will quickly learn what types of cases your strengths will best serve. After 20 years in the legal field, I continue to love my job in family law in every way, and could not imagine working in any other type of law. If you love what you do, the likelihood of boredom and burnout will be low.

What is/was your favorite job?
My favorite job is my current job at Koenig Dunne. We do it differently here, and take a holistic approach in supporting our clients. When life changes in big ways for people, we are here for them. We hear our clients, see our clients, and stand by them every step of the way. I am incredibly proud to say I am part of the Koenig Dunne team.

What is one of your professional weaknesses that you struggle to overcome?
My biggest professional weakness that I am continuously struggling to overcome is perfectionism. I think as paralegals we all naturally struggle with this weakness. I used to think perfectionism was an endearing trait, but it really can get in the way and cause unnecessary suffering. Perfectionism can cause low productivity also. Thankfully, my firm does not expect “perfection” from me, but rather they have an expectation of excellence. With perfectionism comes constant comparison between reality and what one believes his/her performance level should be. Of course we all want to be performing/producing at a high level; however, if we are constantly comparing our “real” selves with our “dream” selves, we will always be suffering with this comparison. This has been a work in progress for me for quite some time, and is a daily battle for me.



GETTING TO KNOW YOUR OFFICERS – KARI SCHMIDT

What is your current position on the board?
District II Director

How did you end up in the paralegal field?
I had always wanted to go to law school, but because I had four children, I did not feel I had the time available. But, after speaking with other paralegals, I thought this field sounded interesting, and something I might really enjoy, which prompted me to pursue a degree in Paralegal Studies.

How did you become involved in NePA?
My first paralegal position was with a private firm. I then joined the Nebraska State Patrol as a Paralegal and I became a member of NePA shortly thereafter. I had spoken to other paralegals that were members, and they said it was an excellent organization for ongoing education and networking.

What made you decide to join the board?
Laurie Montag approached me several times at the NePA luncheons and asked me if I would be interested in being the NePA District II Director. At first I was concerned that I would not have the time to fulfill what was required of the position. Three of my children are Marines, and because of that, I am actively involved with the Blue Star Moms organization, so I was a little hesitant, and my job is very demanding and does not allow for much extra time for anything else. But after helping Laurie find speakers for a couple of luncheons and seminars and speaking at length with Laurie about what my responsibilities would entail, I decided to take the plunge. Laurie helped me feel at ease with the responsibilities of the District II Director, and she and another Paralegal, Deb O’Brien, assured me that they both would be glad to help me if I got in a bind.

What has been the greatest benefit of being a member of NePA?
Networking and the connections I have made within this organization have been invaluable. I had the privilege of being a guest speaker at a NePA luncheon which was a great opportunity for me to explain the public records process. Processing public record requests and responding to Subpoena Duces Tecums are the majority of my job responsibilities at the Nebraska State Patrol. It was fun to convey to other Paralegals what I do on a day-to-day basis and, hopefully, I was able to help everyone learn ways to be more efficient in this process.

What is/was your favorite job?
My favorite job at the Nebraska State Patrol is being able to take the lead and initiative in making things more efficient and bringing inefficiencies to the forefront. At one time I did all the research and preparation for Sex Offender Hearings, Concealed Carry Weapon Hearings and Carrier Enforcement Hearings. I also enjoyed writing regulations and working with new legislation. Many of these tasks have fallen back on the attorneys in recent years because of the 300+ public records requests I receive, but we are working towards a resolution so I can occupy my time with what I truly love to do.

What advice do you have for those looking to enter the paralegal field?
I think as long as there is the demanding need to have legal services at a lower cost, there will continue to be a greater need for paralegals. If it piques your interest, I say go for it. There is never a dull moment and you are always learning.

As a final note, I truly enjoy what I do, and I have a great boss who encouraged me to take this leap which has helped my apprehension with accepting the District II Director position. I am looking forward to the challenges it will bring, and I will work very hard at the balancing act that, I’m sure, we all face every day.


Gavilon is a proud sponsor of the Nebraska Paralegal Association!

1331 Capitol Ave | Omaha, NE 68106 | T 402.889.4000

Diamond Sponsor



CALIFORNIA STEPS INTO THE FRAY TO REGULATE THE SECURITY OF CONNECTED DEVICES

Fresh off the heels of enacting the California Consumer Privacy Act, California Governor, Jerry Brown, signed the country’s first law governing the security of Internet of Things or connected devices. The bill, SB 327, is entitled “Security of Connected Devices.”

Beginning on January 1, 2020, all manufacturers of connected devices will be required to equip the device with reasonable security features to protect against the unauthorized access, destruction, use, modification or disclosure of information that is collected or transmitted by the device. The “reasonable security features” of devices may vary, depending on the nature and function of the device, and the nature of the information collected, contained or transmitted. Nonetheless, all connected devices must be designed to protect the device and information from misuse.

While the law does not provide specifics on what security measures will be required, it does state that if a connected device is equipped with a means for authentication outside a local area network, it will have reasonable security features if it has a preprogrammed password that is unique to each device, or if it contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

The law does not include a private enforcement right. The California Attorney General, city attorneys, city council or district attorneys in California have the exclusive authority to enforce the law. In addition, the law does not apply to any devices subject to federal regulations or laws, or to entities or others subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).

While the law has come under considerable criticism due to its vagueness, many believe that the law is a step in the right direction toward promoting security in a blossoming industry that is ripe for hackers and security flaws.

Other Internet of Things legislation has been proposed, but none has been enacted at this time. Some include the IoT Cybersecurity Improvement Act, which sets contractual clauses and standards for IoT products purchased by the federal government, the SMART IoT Act, which directs the U.S. Department of Commerce to conduct a study on the state of the Internet-connected devices industry in the U.S., and the IoT Consumer TIPS Act of 2017, which would require the Federal Trade Commission to coordinate with the National Institute of Standards and Technology and relevant private sector stakeholders to develop voluntary educational cybersecurity resources for consumers relating to protection and use of the Internet of Things.

This post first appeared October 17, 2018 on the legal blog Technology, Manufacturing & Transportation Industry Insider, written by Mindi Giftos, Husch Blackwell LLP. Reprinted with permission. Get more information at

Proud Supporter of the Nebraska Paralegal Association

Business & Corporate | Litigation | Public Finance | Real Estate 1650 Farnam Street | Omaha, Nebraska 68102 | 402.346.6000 Emerald Sponsor



ACHIEVING COMPLIANCE WITH CALIFORNIA’S NEW PRIVACY LAW

In early 2018, California enacted the California Consumer Privacy Act of 2018, the most comprehensive data privacy law to date in the United States (the “Act”). The Act is intended to provide greater protection for consumer data gathered by businesses, and will become effective January 1, 2020. For a general summary of the Act and its key features, please consult our article, “What You Need to Know About California’s New Privacy Law,” published last month.

The Act requires businesses to implement policies providing consumers the right to: (i) know what type of personal information is collected, (ii) opt out of the sale of personal information to third parties, and (iii) request that a business delete personal information that it has collected. Businesses that are subject to the Act should prepare by performing a “gap analysis” to identify gaps between existing policies and the requirements of the Act. Appropriate changes to policies and procedures should be adopted and implemented.

The following is a summary of the impact of the Act and the requirements that must be met by January 1, 2020:

Right to Know

Consumers have the right to know what type of information is being collected about them and for what purpose. Businesses subject to the Act that collect personal information must disclose to consumers, at or prior to the time of collection, the categories of personal information to be collected and the reasons for collecting such information. Because “personal information” is defined broadly under the Act, determining whether disclosures are necessary may prove difficult. Once a determination has been made that personal information is being collected, the business should ensure that they have the ability to disclose the categories of information collected and their reasons for doing so.

Consumers may request records of personal information that have been collected by the business. Upon receipt of such a request, the business must disclose (i) the type of personal information collected, (ii) the sources from which personal information is collected, (iii) the purposes for collecting personal information, (iv) the third parties with whom the business shares personal information, and (v) the specific pieces of information that the business has collected. Businesses must provide this promptly (i.e., within 45 days). Responding to such consumer records requests may require new processes and additional personnel and resources.

It should be noted that the obligation of a business to deliver records to a consumer upon request is subject to a few limitations. For instance, a business is obligated to respond to a consumer request only if it is verifiable (see below), and a consumer is entitled to receive records from a business no more than twice per year.

Right to Opt Out

Consumers will also have the right to opt out of the sale of their personal information to a third party. Additionally, businesses who engage in the sale of personal information must inform consumers that they sell information, and must notify consumers that they have a right to opt out under the Act. Compliance with these provisions of the Act will require businesses to assess their data collection practices to determine whether the data that they collect is being sold to third parties. If so, procedures will be necessary to notify consumers. Businesses will also need to ensure that they maintain records of the third parties to whom the consumer’s personal information is sold.

Where a consumer is under the age of 16, the right, effectively, becomes a “right to opt in,” as consumers between ages 13 and 16 must affirmatively consent to the sale of their information, and, in the case of consumers under 13 years of age, the consumer’s parent or guardian must consent. In order to avoid the sale of personal information of a consumer under the age of 16, businesses will need policies and procedures for identifying personal information regarding young consumers.



Right to Request Deletion

Another right granted to consumers under the Act is the right to request that personal information collected by a business be deleted. In order to comply with this provision of the Act, businesses will need to identify what personal information they have collected regarding a consumer and maintain such information in an organized manner so that it can be easily deleted when necessary. There are limitations on what information a business is required to delete upon request. For example, businesses do not need to delete information necessary to consummate a transaction with a consumer, detect or report security incidents or illegal activity, or comply with legal obligations. Businesses will need appropriate data management techniques in order to efficiently respond to a consumer request for deletion.

Other Requirements for Compliance

While the Act, generally, will permit businesses to comply with its requirements in any way they choose, there are a few mandates that may require substantial preparation. For instance, the Act requires that businesses provide two methods for consumers to submit requests related to their personal information. At a minimum, businesses will need to establish a toll-free telephone number and, for businesses that maintain websites, they will need to make available a website that accepts consumer requests. Additionally, a business must respond to consumer requests only if the request is verifiable - that is, if it can be verified that the person making the request for records is, in fact, the subject of such records. In order to minimize potential liability and to promote efficiency, it will be in the best interests of businesses to verify all requests for records. Creating and implementing such a verification process may require significant planning and coordination with appropriate data sources. The exact procedure by which a business will be able to verify the identities of requestors may vary from state to state.

For businesses that engage in the sale of consumer information, the Act also requires a conspicuous hyperlink on the business’s website. The hyperlink must direct consumers to an opt-out form.

Conclusion

The Act is a significant step in providing protection for the personal information of consumers. Because it is the most comprehensive statute of its kind in the United States, the full impact of compliance with its requirements is still uncertain. Although we anticipate the Act will undergo some substantive changes before it becomes effective in 2020, we believe that businesses should begin their compliance efforts now because the Act is consistent with the global trend towards more robust privacy laws that grant individuals more control and rights relating to their own personal information.

Reprinted with permission from the September 2018 edition of Baird Holm LLP’s Technology & Intellectual Property Update. Patrick Kennedy is a member of Baird Holm LLP’s Technology and Intellectual Property Section. Get more information at

Patrick M. Kennedy’s practice focuses on intellectual property and technology, with an emphasis on patent law. Patrick is a registered patent attorney and works with clients, ranging from start-up ventures to established companies, to provide the most comprehensive and effective protection for their intellectual property—including patent, copyright, and trademark protection.

Patrick also represents clients on issues related to data privacy and security and information technology matters, including licensing agreements and technology acquisitions, as well as general information security. Additionally, he assists clients with matters involving e-commerce and the internet. You can reach him at





The European Union's GDPR Has Changed the World of Privacy Law Speaker: Rick Jeffries Cline Williams

February 20, 2019 **1 hour of CLE

Cost: Member $12, Non-member $17

Beacon Hills
6750 Mercy Rd.
Omaha, NE 68106

11:00-11:30 Networking
11:30-12:00 Lunch
12:00-1:00 Education

Register at starting January 24th



NOTES ON BREACH DISCLOSURE REGULATION IN THE U.S. – WHEN NOTICE IS REQUIRED Unfortunately, cyberattacks are not going away in the near future (if ever). We are reminded of that fact regularly; with the announced British Airways’ data breach being the latest addition. As a result, and together with the rise of data privacy legislation, laws governing breach disclosure are not likely to diminish, but rather get more sophisticated and robust. This article attempts to summarize one aspect of the evolving regulation in the U.S.

The question of when a breach has to be notified to those whose personal or sensitive information has been exposed is no trivial matter. It involves a multistep analysis which will, in most cases, include determining whether or not any information has been compromised; if so, whether or not the compromised information is legally protected; and, if it is, whether the breach has resulted in some kind of harm. Leaving aside the considerable technical challenges of discovering the full extent of a security breach, the analysis will be tied to the jurisdiction in which the person affected resides. So far, no proposed federal cybersecurity bill has received enough support.

The fact that there is no unified standard in the US complicates the situation for companies because the language of state statutes differs, in some instances quite substantially. What is considered a data breach in one state may not be considered a data breach in another. When an organization experiences a breach it is, therefore, more challenging to make conclusions about how to proceed.

Few states make notification of affected data subjects mandatory when the security, integrity or confidentiality of protected information is (materially) compromised. The pertinent statutory texts do not further clarify what compromised information exactly means, so the application may potentially be broad. In contrast, the scope of the breach that an organization has to disclose to residents is narrowed down by statutes in the majority of states in a more express manner. Generally, a breach that triggers the obligation to notify in these states is limited to an invasion that has caused, will cause, or poses a (substantial) risk of causing the use of information for an unauthorized purpose. In most cases the unauthorized purpose is further restricted in one way or another. The language used refers to harm, injury, (substantial) loss, fraud or identity theft. Arizona’s statute arguably has the narrowest application in terms of harm caused – residents only need to receive notice if the breach resulted in substantial economic loss.

In order to understand the nature of the breach and to evaluate whether or not it reached the notice obligation threshold, companies naturally need to initiate an investigation. This step is included in many states’ statutes. In most instances it is prescribed that the investigation should be done in good faith and should be prompt. As an exception, Michigan’s statute specifies that the entity must “act with the care an ordinarily prudent person or agency in like position would exercise under similar circumstances.” Three states’ statutes (Alabama, New York and Vermont) list factors that may be considered during the determination of whether or not the protected information has been acquired by an unauthorized person. One factor involves indications that the information in question is in the physical possession and control of the unauthorized person. Examples include a lost or stolen computer or other device that contains the information. Other factors include indications that the protected information has been downloaded or copied, made public or that it has been used to open accounts. Reported identity theft may also indicate an unauthorized use.

Besides the aforementioned determination, the conclusion of the investigation also serves as a starting point of the time period within which a company is obliged to make the disclosure. However, that is the case in only some jurisdictions. The topic of notice timing will be discussed in another newsletter issue.

Organizations that do business in multiple states may choose to follow the statutes with the broadest application and notify all their customers (employees), not only the ones that they are legally required to provide notice to. It is important to keep in mind that, apart from timing restrictions, the state statutes may differ in which authority has to be notified, how the notices should be provided and what they should include. Additionally, there may be subsidiary obligations that companies have to comply with, such as the provision of credit monitoring services to affected individuals.

Case law will obviously play a critical role in any of the necessary analyses. This consideration is beyond the scope of this article.

First published in LexiTimes November 2018, written by Hana Hispa. Reprinted with permission. Get more information at