Security Breach Legislation: Notification Laws Are Literally All Over the Map
Do you know your legal obligations when it comes to breach notification?
Of course, it depends on where your company does business, what industry it is in, and who specifically has been affected by the data breach.
Before a breach even occurs, it’s important to do the research, said privacy expert Robert Ellis Smith in a digitalguardian.com article. You need to know whom you have to notify (sometimes the data subjects, sometimes a government agency), whether the breach is of the type covered by the security breach law, and whether any federal security breach legislation applies.
Here’s a guide to various laws.
Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have security breach legislation that requires notification to individuals when their personally identifiable information has been breached. There are similarities and variations in all the laws, and if a company has nationwide operations it must understand the notification requirements of each one.
Many states are toughening their data breach laws by “broadening the definition of ‘personal data’, requiring timelier reporting, and expanding the number of people or agencies that companies must notify,” noted a blog at thehill.com.
In 2015, eight states updated their breach notice laws. Illinois is slated to have the toughest security breach law with consumer marketing information becoming part of the definition of personal information.
There’s been a lot of talk about a national data breach law that would pre-empt the “patchwork” of state data breach laws. One example is the Data Security and Breach Notification Act, draft legislation that proposes to expand the definition of personal information, require notice to affected individuals within 30 days after the discovery of a breach, and give enforcement authority to the Federal Trade Commission or state attorneys general. No federal law is in effect as yet.
Depending on the type of organization and the type of data involved, specialized federal industry laws may apply. For example, in the financial industry, the Gramm-Leach-Bliley Act requires financial institutions to notify customers of a breach. For publicly traded companies, the Sarbanes-Oxley Act governs reporting. The Health Insurance Portability and Accountability Act and HITECH safeguard Protected Health Information (PHI).
It is important that every company understands its compliance requirements. Best practices include:
Plan. Have an incident response plan at the ready and respond quickly and proactively, according to the Data Privacy Survey 2015 on Security Breach Notification Laws by Weil.
Notification. Notification should be as detailed, accurate, and as timely as possible. The 2015 Second Annual Data Breach Industry Forecast reported that 63% of consumers expect identity theft protection, and 58% want credit monitoring services. Focus on rebuilding consumer confidence in your brand in communications.
Ongoing Security. Create a culture of total security throughout the organization with thorough security policies and procedures. For example, outsource document destruction of paper and digitized information to a reliable company that provides secure on- or off-site shredding, cross-cut shredding technology, and a certificate of destruction after every shred.
Another way to fight fraud is to focus on fixing your workplace’s five most vulnerable areas. Learn how secure paper shredding services can help eliminate vulnerabilities.