As many have already heard, on December 3, 2024, a federal district court in Texas issued an order granting a nationwide preliminary injunction that: (1) enjoins the enforcement of the Corporate Transparency Act and its implementing regulations (the CTA), including the CTA’s beneficial ownership information reporting requirements; and (2) stays all deadlines to comply with the CTA’s reporting requirements. Texas Top Cop Shop, Inc., et al. v. Garland, et al., No. 4:24-cv-00478 (E.D. TX). The Department of Justice, on behalf of the Department of the Treasury, quickly filed a Notice of Appeal on December 5, 2024. The district court then filed an Amended Memorandum Opinion and Order on December 5, and the Department of Justice filed an Amended Notice of Appeal on December 6.
Consequently, the Financial Crimes Enforcement Network (FinCEN) recently posted to its website the following direction:
“In light of a recent federal court order, reporting companies are not currently required to file beneficial ownership information with FinCEN and are not subject to liability if they fail to do so while the order remains in force. However, reporting companies may continue to voluntarily submit beneficial ownership information reports.” (emphasis added)
But should an entity voluntarily report? The election to do so may implicate sundry states’ data breach reporting statutes, especially if done without the consent of the beneficial owners.
By way of review, the CTA requires reporting companies to disclose specific information about their beneficial owners. That information, for individuals, is their full legal name, current physical mailing address, date of birth, a number from an acceptable government-issued identification document assigned to them, and a copy of the same governmental identification document. The governmental identification collected and disclosed is often the beneficial owners’ current state-issued driver’s licenses or passports.
In its amended memorandum, the Texas district court specifically stated, “Whether the CTA and the Reporting Rule are absolutely unconstitutional is a question for another day. Today, it is enough for the Court to determine whether Plaintiffs have demonstrated a substantial likelihood of success on the merits of any of their claims, in addition to satisfying the three additional elements necessary for a preliminary injunction.” Slip Op., at 14-15. The court then found a “substantial likelihood” that passage of the CTA exceeded federal authority under the Commerce Clause and the Necessary and Proper Clause, so that “the Court need not assess Plaintiffs’ as-applied challenges or their challenges under the First and Fourth Amendments.” Id., at 73. And herein lies the rub.
All 50 states now have codified laws mandating reporting to affected individuals, and in some circumstances state regulators, whenever certain types of data held by a company are disclosed in certain situations. The states’ laws vary, but all typically impose material consequences for violations of their data breach notification laws.
The answer to the general question of whether an entity owes a breach notification depends upon the state law where it exists, and possibly where its beneficial owners reside. Whether notification is required under the applicable state’s data breach notification statute involves (typically) three questions: (1) whether the data disclosed is within the scope of personal information covered by the state’s statute; (2) whether there is a “good faith” or other exception to disclosure; and (3) whether the notification obligation is dependent upon a risk of misuse of the data.
In many states, including Kentucky, Ohio, Pennsylvania, Tennessee, West Virginia, Colorado, California and the District of Columbia, a driver’s license number qualifies as a type of covered data. By way of example, Kentucky law posits that “personally identifiable Information” means the person’s first and last name along with a driver’s license number, KRS § 365.732(1)(c). In other words, that’s two of the four data points the CTA requires to be reported. Incidentally, Indiana, Ohio, Pennsylvania and West Virginia, for example, provide that a state-issued identification number, in lieu of a driver’s license, is also within the scope of data covered by their breach notification statutes. If we assume that many CTA-qualifying reporting companies typically would use their beneficial owners’ driver’s licenses in their FinCEN reporting, then the first step toward many states’ data breach notification laws may come into play.
On to the second question: Many states have good faith exceptions or like exceptions which may excuse the statutorily required notification when covered data is disclosed. For example, “Good faith acquisition … by an employee or agent of an individual or entity for the purposes of the information holder is not a breach” unless the personal information was “used or subject to further unauthorized disclosure” (KRS 365.732(a)). At least in those states with similar exceptions, one may opine that CTA-mandated disclosures likely meet the good faith exception, at least prior to the Texas court’s nation-wide injunction. Now that submitting such information is a matter of “voluntary” choice, going forward, the answer may be less certain.
That uncertainty is likely to exist until the district courts’ rulings in Texas Top Cop Shop and NSBU v. Yellen, 721 F. Supp. 3d 1260 (N.D. Ala. 2024), are adjudicated to final resolution. But see Firestone v. Yellen, No. 3:24-cv-1034-SI, 2024 WL 4250192 (D. Ore. Sept. 20, 2024) and Community Assoc. Institute v. Yellen, No. 1:24-cv-1597, 2024 WL 4571412 (E. D. Va. Oct. 24, 2024), which are two other federal district courts’ decisions denying efforts to enjoin/invalidate the CTA.
The third question posed above considers the legal reality that many data breach notification obligations speak to both the unauthorized use of the data and whether a reasonable belief exists that the data might be misused. For example, California’s notification is based upon “breach” meaning “unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information … and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud[.]” In Colorado and Texas, the threshold is “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity” of the personal information. So, in many states, the potential or foreseeability of the harmful use of data factors into many statutes’ consideration of whether notification is required under the circumstances.
Here, the circumstances would involve a reporting company disclosing individuals’ information only to FinCEN, and possibly to its CTA compliance vendor for expected delivery to FinCEN. And of course, the repository where FinCEN will hold all such beneficial ownership information is purportedly secure. As of October 2024, FinCEN states, “Beneficial ownership information reported to FinCEN is stored in a secure, non-public database using rigorous information security methods and controls typically used in the Federal government to protect non-classified yet sensitive information systems at the highest security level. FinCEN will continue to work closely with those authorized to access beneficial ownership information to ensure that they understand their roles and responsibilities in using the reported information only for authorized purposes and handling in a way that protects its security and confidentiality” (https://www.fincen.gov/boi-faqs). Thus, further grounds exist for speculating that a reporting company’s CTA disclosures, even if now voluntarily made, may not expose the entity to statutory legal liability depending on the state where the challenge is raised.
Data breach notification law is no doubt a “hot” legal topic, based on the numbers of cases being filed, and is a body of law somewhat in its infancy, given that many state statutes are of relatively recent origin and new case law is being made in each of the states. Many reporting companies simply may wish to avoid tempting fate and the vagaries of litigation. The invitation offered by FinCEN for entities to voluntarily report their beneficial owners’ information, while the Texas Top Cop Shop’s nationwide injunction is in place, should be carefully considered by each reporting company, particularly if the beneficial owners have not been consulted and given their informed consent to the disclosure.
For questions about the Corporate Transparency Act, contact Bill Repasky or any member of Frost Brown Todd’s CTA Task Force. Additionally, for questions about data privacy/security breach notification duties, contact Bob Dibert or any member of the firm’s Data, Digital Assets & Technology Practice Group.