The SolarWinds supply chain cyberattack against the U.S. government and private sector will force affected companies to reckon with dozens of state data breach notification laws and other disclosure requirements.
The patchwork of state notification statutes, with differing definitions of what constitutes a breach and what types of personal information are included, will be another headache for businesses investigating the fallout, attorneys say.
The attack hit U.S. federal agencies and private companies, including technology giant
State data breach notification laws vary regarding what constitutes a breach, and how soon companies must notify officials. Companies must conduct forensic investigations of their own platforms and see whether a breach—as defined by each state—occurred.
“Companies must first identify if they’ve been a victim of the SolarWinds attack, whether the software backdoor on their systems was exploited,” said Kim Peretti, co-leader of Alston & Bird LLP’s cybersecurity preparedness and response team. “If so, the next step is to make sure any methods of entry have been removed.”
The Cybersecurity and Infrastructure Security Agency (CISA) has said it has “evidence of initial access vectors” for the attack other than SolarWinds’ software platform. For investigators, that means finding no trace of the SolarWinds backdoor on a network does not by itself rule out compromise.
Some states, including Maryland, Oregon, and California, maintain public lists of companies whose customers have been affected by data breaches. Others, such as Iowa, include disclosure exemptions in incidents where there’s “no reasonable likelihood of financial harm” to consumers whose data has been accessed in a breach.
Loss of a data set consisting solely of consumers’ names and dates of birth, for example, is unlikely to pose a financial harm or identity theft risk and may not trigger notification requirements, said Brian Kint, a privacy and data security attorney at Cozen O’Connor in Philadelphia.
“If there’s no substantial risk of harm, you may not have to take on notification,” depending on the state, Kint said.
Many states require businesses to disclose a breach as soon as practicable, but some include deadlines of up to 60 days, he said.
SolarWinds said in a Dec. 14 SEC filing that as many as 18,000 customers may have installed the compromised update to its monitoring products. But it’s unlikely that all of the businesses that downloaded the backdoored software were actually compromised, said Ted Augustinos, a partner at Locke Lord LLP in Hartford, Conn.
“If you can show that the backdoor was not utilized on your systems and no one got to the data even though the vulnerability was there, you presumably would not trip the breach notification requirements,” Augustinos said.
Affected companies will also have to grapple with other information-sharing requirements.
The companies may have contractual obligations with customers, businesses, or vendors, said Sandra Jeskie, a partner at Duane Morris LLP.
“Some businesses have hundreds of contracts and must go through the process of determining what, if any, additional breach notifications they must undertake after an incident,” Jeskie said.
Businesses could find disclosure requirements further complicated if personal data from non-American citizens is compromised, she said. The EU’s General Data Protection Regulation, for example, has its own set of data breach requirements that could come into play, including notification of the relevant supervisory authority within 72 hours of becoming aware of a breach, where feasible.
The Health Insurance Portability and Accountability Act (HIPAA) carries specific breach notification requirements as well. If covered entities or business associates were affected by the attack, they could be required to tell the Secretary of Health and Human Services that sensitive health data was breached, Jeskie said.
All companies should err on the side of caution and make sure a thorough incident response investigation is conducted before concluding their systems weren’t affected by the hack, Augustinos said.
“You don’t want to be wrong here,” he said. “You don’t want to not notify people and then find out everyone in your database was compromised.”