An Update on Data Breach Notification

gavel and computer

In a previous blog post, we outlined federal initiatives to pass a data breach notification law that would simplify the current myriad of state regulations. In the wake of the Target and Neiman Marcus data breaches, legislators and government officials called for a national data breach notification standard. While bills have been introduced, little action has been taken beyond Senate or House subcommittee hearings. While high-profile breaches that brought this issue into the consciousness of the American public and government, the need for transparency is even more pressing due to the high volume of unreported breaches: Our own analysis found that just in our home state of Massachusetts, 1 million residents had their PII compromised from healthcare breaches during 2007-2011. Yet, just because there has been little movement in the US federal government does not mean data breach notification has been a stagnant issue in other countries and on the state level. In this post, we are going to round up some interesting legislative initiatives happening around the globe and in US state governments.

Here are some recent events surrounding data breach notification laws and reform:

  • Last week, the government of New Zealand released a fact sheet that outlines proposed changes to data privacy laws. In the event of any material data loss, organizations would be obligated inform the Office of the Privacy Commissioner. For more serious breaches, entities not only have to notify the Privacy Commissioner but will likely have to disclose this information to affected consumers. Interestingly, there is no definition for what constitutes a material breach, or what makes a breach “serious.” It will be interesting to see how these proposals advance in the New Zealand legislative process and what sort of clarification comes in a final draft of a bill.

  • California already has a data breach notification standard that requires companies to disclose (to the government and consumers) of any breach of unencrypted information that affects more than 500 state residents. A new bill that was recently passed by the House and is being sent to the Senate, A.B. 1710, would heighten the standard for exceptions. Currently, entities do not need to report stolen information that is encrypted. This bill would mandate that businesses disclose all stolen information unless encryption meets NIST Advanced Encryption Standards. While many business groups are in opposition to this ruling, it would heighten the California laws to be one of the stricter state notification standards in the country.
  • Florida passed some major changes its data breach notification law in the state. The Florida Information Protection Act of 2014 makes entities disclose breaches within 30 days to consumers and, if the breach affects more that 500 Floridians, to the Department of Legal Affairs. This 30 day window is actually shorter than the current 45 days businesses have to notify consumers and the government about a breach. Perhaps the most interesting piece of these reforms is the expanded definition of personal information. Under the new rules, emails and usernames (when used in a password or security question login), and first and last names, when used in conjunction with health insurance policy numbers, are all considered forms of personal information. This bill was passed by the Florida legislature at the end of April, and is expected to be signed into law by Republican Governor Rick Scott imminently.

     

Data breaches are becoming increasingly commonplace on the nightly news cycle. Just in the past two weeks, we have learned of breaches affecting Lowe’s employees and internet retailer eBay. It becomes clear that no sector or company can claim complete immunity to the increasingly sophisticated threats facing enterprises today. While state initiatives indicate that legislators (and consumers) are increasingly aware of data security, the United States should follow the example of other nations and implement a national standard. A national data breach notification standard will simplify the processes that businesses must follow to ensure compliance with a multitude of varied state regulations, effectively cutting costs and logistical hurdles for businesses that suffer a breach. But, more importantly, as our Co-Founder and CTO Stephen Boyer concluded in an opinion piece published in SC Magazine in January, “Transparency and accountability will breed improved security, which will benefit all.”