In smaller matters, where individuals in only a few states are potentially affected, the differences sometimes result in having an obligation to notify individuals in some states but not others.

John Hickenlooper signed a bill that significantly strengthens its current data breach notification requirements and adds new measures designed to enhance protections for consumer data privacy. The new law will go into effect on Sept.

Disposal of personal identifying information. As previously discussed here while the bill was in committee, HB …

Several weeks ago, South Dakota and Alabama became the final two states to enact data breach notification laws. Alabama requires organizations to implement and …

As we previously reported, the Digital Privacy Act, …

One of two remaining states without a data breach notification law has finally enacted one of its own. A House Committee Report detailing the current version of the bill can be found here. The bill would create a new statute, C.

On February 21, , the U.

In doing so, Delaware became the second state joining Connecticut to mandate offering individuals affected by a breach of security involving Social Security numbers at least one year of complimentary credit monitoring services. The new law takes effect on April 14, , and …

Breach notification statutes remain one of the most active areas of the law. Seldom does a month go by without a new bill or amendment addressing privacy or data security, and this month is no exception.

Virginia: The state of Virginia recently expanded its breach notification statute to include income tax information among the types …

Then there were two.
Previously, data breach notifications filed with the Massachusetts attorney general were only available through public records requests.
For more than a year now, we have been hearing that the spate of highly publicized data breaches could lead to federal data security and data breach legislation. On March 25, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade took action that brings us closer to seeing that prediction become a reality. In this post, we take a closer look at the bipartisan legislation approved by the subcommittee, the Data Security and Breach Notification Act of … (DSBN), and discuss five key provisions that are likely to be at issue as the legislation moves forward.
These timing requirements are likely to be debated as the bill moves forward. Similar to other data breach bills that Congress has debated in the past decade, the DSBN would preempt state data security and breach notification laws. Many organizations would welcome eliminating the patchwork of state laws that currently exists.
Under current law, organizations that suffer a security breach must look to the notification requirements in 47 states and the District of Columbia to determine whether to notify individuals, law enforcement, state regulators, consumer reporting agencies or the media. This can be a complicated and often lengthy process. And state data security laws and regulations require organizations to assess their security measures against the expectations of multiple regulators.
However, some members of Congress and some consumer groups oppose preempting state laws unless the federal standard provides the highest level of consumer protection and can be adapted via administrative regulations to address new threats. And members of Congress have debated whether federal legislation should preempt common law causes of action—such as breach of contract and negligence. The current version of the bill preempts state statutory and regulatory law. Many members of Congress have raised concerns with the inclusion of a risk of harm trigger. They argue that such a trigger would unnecessarily erode consumer protections in those jurisdictions—including California, Texas and New York—that require notice to be issued in the event that personal information is compromised, regardless of whether the compromise creates a risk of harm.
On the other side of the debate, some members of Congress argue that the lack of a risk of harm trigger leads to over notification, numbing consumers and making it less likely that they will take needed precautions in the event of a breach that poses true risk.
The definition of what constitutes personal information is a key element for determining whether a particular security incident is governed by breach notification laws. Some members of Congress believe that an expansive definition of personal information will lead to over notification.
Other members maintain that an overly narrow definition could harm consumers by causing them not to receive notice about breaches that could lead to risk of identity theft or other financial harm. The DSBN definition differs in three significant ways:
Which entity is required to provide notification has become a hotly contested issue. Typically, state laws require that data owners provide notification when their data is breached, regardless of where the breach occurred. Some organizations have questioned whether it makes sense to require data owners to provide notice when the systems of another entity were breached.
These organizations argue that requiring processors to provide notification would create greater incentives for processors to improve their security measures. Other organizations, however, argue that consumers may be confused if they receive data breach notifications from processors with which they have no direct relationship.
For many stakeholders, resolving the issue of who has direct liability for providing notice will be a priority.
The DSBN would establish security and notification requirements for most business entities and nonprofit companies except for certain healthcare and financial sector entities. This is likely to be a major point of debate among lawmakers, telecommunication companies, the FTC and the Federal Communications Commission.
Momentum appears to be building for the enactment of federal data security and breach notification legislation. Both the President and key members of Congress have put these issues at the top of their agendas, and we are seeing a more widespread effort by policymakers to focus on specific legislative solutions rather than general oversight of breach incidents. At the same time, though, there are lingering areas of dispute, such as those identified above. Disagreements over the scope of federal legislation and its preemptive effects have plagued prior legislative attempts.
Unless members of Congress and the President are willing to compromise on these core issues, the DSBN may stall like other efforts.