Different States are Broadening Their Data Breach Laws
A few years ago a U.S. senator referred to privacy laws by state as a ‘messy patchwork’ of different laws.
That description is even more fitting today.
In the first place, most states really do have their own data breach law. Secondly, in recent months there has been a flurry of proposed bills and amendments, likely in response to all the data breaches in the news. Many states want to expand the definition of personal information to include more categories of data, and some are expanding the list of entities that must be notified when a breach occurs.
Of course, better protecting confidential information makes sense.
The 2015 Second Annual Data Breach Industry Forecast by Experian showed that for businesses, the risk of experiencing a data breach is higher than ever with almost half of organizations suffering at least one security incident in the last 12 months.
The average data breach costs organizations $3.5 million, according to the 2014 Cost of Data Breach Study: Global Analysis by Ponemon. The average cost paid for each lost or stolen record containing sensitive and confidential information globally increased more than 9% from $136 in 2013 to $145 in 2014. The cost per record increased to $195 for companies in the U.S.
How do some of the state laws governing security breaches differ?
California and Florida both want the definition of personal information to include a username or e-mail address in combination with a password or security question.
Montana, like California and Florida, has amended its definition of personal information to include medical-related information, but it does not include e-mail addresses or usernames in the definition.
In Iowa, a breach is reportable when two pieces of identifying information, such as a name, Social Security number, bank account number, or driver's license number, are exposed.
Biometric data has been included in the definition of personal information in Wyoming.
In terms of notification, when more than 1,000 residents are affected by a breach in Hawaii, the Office of Consumer Protection has to be notified. In New Hampshire, the attorney general has to be notified if one or more state residents’ private information is breached.
What’s most important is that businesses and other organizations stay up to date on the data breach laws of every state where they have offices and every state where they conduct business. Not knowing the law does not exempt a business from it.
Here are some other guidelines that will help:
- Develop an incident response plan that is compliant with industry and state laws, and outlines who must be notified and when.
- Strive for a culture of total security from the top down. Appoint a Chief Information Security Officer (CISO) and form a committee to help facilitate the integration of information security into all aspects of the business.
- Develop a retention schedule for confidential documents based on each record’s usefulness and legal requirements.
- Data disposal laws exist in at least 32 states and Puerto Rico, but regardless of local requirements, every workplace should securely destroy personal identifying information when it is no longer needed.
- Outsource document destruction to a reliable company that provides a secure chain of custody including locked consoles, secure on- or off-site shredding, cross-cut shredding technology, and a certificate of destruction after every shred.
It's important that businesses understand all their legal obligations. Here is a review of other privacy legislation in the U.S.