The Past, Present, and Future of Security Breach Notification Laws
During the past decade, 47 states have enacted notice of data breach laws, as identity theft continues to rise and we hear more and more news stories of high-profile breaches of personal data held by retailers, banks, health care organizations, and other large businesses. While the clear mandate is for businesses to take all necessary steps to prevent the breaches in the first place, an additional concern is with the manner in which those businesses notify customers, patients, and others whose personal data was actually affected by the breach. While the at-risk businesses may not be able to absolutely control whether private data is protected, it is within their power to make customers aware of actual and potential breaches, and most states have put into place some form of notice requirements. Below is an overview of the history, breadth, and potential future of such laws.
California Is First State to Mandate Notification of Data Breaches
As is often the case, the Golden State was at the vanguard of creating legislation to address new social issues, and, in 2003, California became the first state to mandate that businesses notify persons whose private data has been breached. California’s law, which is still in effect, is wide-ranging and requires that any person, agency, or business “doing business in California” that owns or licenses personal information provide notice to affected persons upon notice or discovery of the breach.
The law mandates a very specific manner in which the notice must be given, e.g. it must be titled “Notice of Data Breach” and include specific headings such as “What Information Was Involved” and “What You Can Do.” While this may seem like one of the many added costs for businesses that decide to locate in California, it is important to remember that the law applies to any company “doing business” in California, which includes many out-of-state businesses that simply deal with customers in California.
Other States Join the Charge, Leading to a Wide Array of State-Based Requirements
As of now, 46 other states and the District of Columbia have followed California’s lead over the past 13 years, meaning businesses with data security issues can face a whole host of state-based notification requirements when there is a data breach affecting customers in those states. Alabama, New Mexico, and South Dakota are currently the only 3 states with no data breach law. Company incident response planning can be seriously complicated by this widespread variety in data breach law, increasing the cost of compliance for U.S. businesses.
President Obama Proposes Federal Data Breach Notification Legislation
Following high-profile data breaches in 2013 and 2014, and in response to the wide array of state laws, President Obama proposed a national data breach law during his 2015 State of the Union address. Although the national Personal Data Notification and Protection Act of 2015, introduced into Congress last year, has not been approved by Congress (very few pieces of legislation have been passed in recent years), it is quite possible that the legislation or similar legislation could be passed following the next election cycle.
The proposed national data breach law would apply to businesses that use, access, transmit, store, collect, or dispose of personally identifiable, sensitive information about more than 10,000 people a year. Those businesses would be required to notify consumers when their information is believed to have been acquired or accessed in a discoverable security breach.
Within 30 days after a security breach has been discovered, affected businesses would be required to:
- Notify individuals concerned by telephone, email, or mail.
- Notify major media outlets when more than 5,000 residents of a state are affected by the security breach.
The proposed Act also requires businesses to notify a federal government entity, to be designated by the Department of Homeland Security (DHS), of any security threats, incidents, or vulnerabilities. The DHS-designated government entity would in turn be required to notify the FBI, FTC, and Secret Service if the security breach affects certain numbers of people or databases connected to the federal government.
Work with Trusted Data Breach Lawyers to Manage Your Compliance Needs
With existing, recently amended, and upcoming legislation to consider, data breach law has become a complicated matter for many companies. Our complex litigation attorneys at McCune Wright Arevalo, LLP can help you ensure that your business is in compliance with all applicable state, federal, and jurisdictional laws. Contact our office for a free consultation to discuss your company’s data breach legal issues.