Breach Notification Laws


Data Breach Notification laws govern the actions of a company or government in the case of data records being compromised, lost, or stolen.

Federal Breach Notification

  • There is no government-wide federal breach notification law
    • Some federal laws have breach notification provisions
      • E.g., HIPAA
    • Government-wide laws have been proposed from time to time

Office of Management and Budget (OMB)

State Breach Notification

State breach notification laws require businesses and other entities to notify their customers if they suffer a security breach that discloses personal information.

Defining Data Breaches

  • organizations must determine:
    • whether an incident is formally considered a breach
    • whether the information exposed is personal information
  • definitions vary by state
  • breaches
    • for most states, a breach occurs when a third party has obtained unauthorized access to information
    • if the data is encrypted or sufficiently redacted, it is not considered a breach
  • personal information
    • has broad similarities across most states
    • generally, must include a person’s full name, or first initial and last name, linked with another piece of identifying information (e.g., SSN)

Conditions for Notification

  • notification parameters vary by state
  • generally rules specify:
    • who to notify
    • when to deliver notifications
    • how notifications must be transmitted
  • rules may vary based on the scale of the breach
  • who to notify:
    • individuals affected by breach
    • state regulatory bodies
    • local media outlets
    • major national credit reporting agencies
  • when to notify:
    • state laws typically have a deadline for notification
    • starts when organization becomes aware of a breach
    • some specify 30-, 45-, 60-day deadline or “without unreasonable delay”
  • how to notify:
    • some states require notification by postal mail
    • others allow for electronic notification

Data Subject Rights

  • state laws may levy penalties or impose other obligations against organizations for:
    • violating breach notification laws
    • or allowing a breach at all
  • wide variation among states
  • some require organizations to offer free credit monitoring for affected individuals
  • some afford residents a private cause of action to pursue damages