Summarizing Federal & State Data Breach Notification Laws
Jake Olcott | June 27, 2017
If your organization handles or works with a certain type of data, you have a legal obligation to protect that data. Generally speaking, this could refer to personal information like names, identifiers (i.e. social security numbers), health data, or financial data. If any such data is compromised, it’s not only your fiduciary responsibility to disclose the breach to those harmed—it’s also your legal obligation.
Every state in the U.S.—with the exception of Alabama and South Dakota—has a data breach notification law in place. There are a handful of federal laws protecting specific types of data as well. All that said, there are quite a few things that states differ on.
For example, some states have a very broad definition of personal information; for others it is well-defined. Some states require notification if customer data has been accessed, while others restrict notification to cases where there’s a risk of harm.
Additionally, the laws may change based on the type of data compromised and how the state believes a breach to be constituted. For example, is it enough that a bad actor penetrated the network or do they have to actually acquire the data? Beyond that, there are also different notice requirements—how should an organization notify the victims, and when?
To better understand federal and state security breach notification laws, take a look at these three links:
According to law firm BakerHostetler, the standard definition of personal information is as follows:
Personal Information: An individual’s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number, (ii) driver’s license number or state-issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account and generally applies to computerized data that includes personal information.
Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media. In addition, Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Enforcement? Penalties? Is there a private right of action?
Knowing all of your legal obligations insofar as security breach notification laws are concerned is critical for prioritizing your cybersecurity initiatives. But keep in mind that simply knowing this legal obligation isn’t enough—you need a comprehensive cybersecurity program with initiatives that protect all data, including trade secrets and intellectual property.
Thus, consider that some of your sensitive customer data may be located outside your company, with critical vendors. Depending on your industry, state or federal regulations may mandate how you handle that information. For example, if you’re in the healthcare industry, HIPAA requires you to have contractual agreements with outside business associates dictating the terms of protecting sensitive information.
Therefore, in order to protect your customers and your data, you need to know what data is critical, who has access to it, and what those individuals and organizations are doing to protect it. If the data falls outside your organization, you’ll need to build a risk management program that takes this into account.
Make sure your vendor risk program is keeping your data safe.
Whether you’re just getting started with your vendor risk program or you’re reevaluating how you assess critical vendors, you’ll want to know the most critical things to ask. Download these 40 important vendor assessment questions today for free.
If you’re using a “one-size fits all” approach to managing your vendor lifecycle, you are missing opportunities to save money and operate more efficiently. Vendor management efficiencies don’t end in the onboarding stage: using a...
If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...
During this dynamic and stressful workplace environment 2020 has brought us, finding the most efficient ways to perform in your job has never been more important. When it comes to managing your vendor lifecycle, there are three ways you...