Q: One of our agency's major suppliers notified us that it had suffered a data breach. Hackers had broken into its computer and stolen thousands or possibly millions of travelers' records, including those for some of our clients. The records included the clients' encrypted credit card numbers. The vendor wants us to notify our clients about the breach. Do we have to do that? If we don't have to do it, should we do so anyway?

A:
In the U.S., 48 states and the District of Columbia have laws requiring businesses to notify individuals of security breaches involving personally identifiable information. The only states without such laws are Alabama and South Dakota.
There are no equivalent federal laws, so in order to see if you have an obligation to notify your clients you would need to check the laws not only of your agency's state but also the states where you have affected clients. Such research is beyond the capabilities of most small businesses, so I suspect that these statutes are not well observed.
However, if you or your attorney wanted to undertake this research to answer your questions, the attorney could find links to the 49 statutes here.
The first question to research is whether the law applies to you when it wasn't your computer that was hacked. Under the California law, for example, the business must "disclose a breach of the security of the system." There is no definition of "system," and the rest of the statute makes it fairly clear that it does not include a third party's system whose breach you learn about.
The exception to the rule appears to be the case where the system owner is your agent. For example, under the Florida statute, "In the event of a breach of security of a system maintained by a third-party agent, such third-party agent shall notify the covered entity of the breach of security. ... Upon receiving notice from a third-party agent, a covered entity shall provide notices required." Travel suppliers are not your agents; if anything, the relationship runs the other way, with the agency acting for the supplier.
Another threshold question is whether the law applies to encrypted credit card numbers. (Note that the familiar display of only the last four digits on a merchant's screen or receipt is masking or truncation, not encryption; what matters under the statutes is how the full number was stored on the breached system.) Under most laws, the notice requirement does not apply if the only personally identifiable data (besides name, address, phone number and email) is an encrypted credit card number, unless the hacker also obtained the encryption key. Whether the supplier's data actually qualified as "encrypted" in that sense, and whether the key was compromised, are facts you would need to get from the supplier.
So unless the statutes in your state and your clients' states provide otherwise, it looks to me as if you do not have to notify your clients about the breach.
However, statutes are not the only potential source of your obligations. If your contract with the supplier requires you to notify your clients, then you must do so, even if the supplier is solely at fault. I have also reviewed several corporate-account contracts that expressly require agencies to notify the account about any data breach they learn about.
Assuming that you do not have to notify the client, my advice is to do so anyway if you think that it will enhance your relationship with the client, because they will appreciate the heads-up.
On the other hand, if it will make the client worry about your agency, I would refrain.