In the event of a ransomware attack, a host of legal frameworks could be implicated. Whether those laws apply often depends on the nature of the data that the threat actor accessed and/or acquired. In this installment, we address the laws that could be implicated when an educational institution suffers a ransomware attack.
State Laws. All 50 U.S. states, the District of Columbia and three U.S. territories have enacted data breach notification statutes, each with varying definitions of “personal information” and requirements regarding notice to individuals and state regulators when an entity has experienced a breach of the security of its systems. Determining which state data breach notification statutes apply largely depends on where the affected individuals reside. Consequently, postsecondary institutions may face broader obligations, as there is a greater likelihood such an organization maintains information for individuals who reside in multiple states. If personal information of individuals residing in multiple states was subject