State and federal data breach notification laws have changed and continue to expand considerably. CISOs and CSOs should start here to expand their knowledge of the increasingly restrictive notification requirements that apply to their organizations.
State Law Status and Trends
One challenge enterprises have faced with state data breach notification laws is the differences between the laws. "When you have an incident that affects consumers throughout the country, you have to craft a response that complies with all the state laws, which is a challenge. It's even impossible where there's an outright contradiction between two different laws," says Kristen J. Mathews, Partner, Privacy & Data Security Group, Proskauer Rose LLP.
While Massachusetts' breach notification law says the letter the company sends to affected individuals cannot inform as to the nature of the breach, most states require the opposite. "The only way to comply is to have a special letter for Massachusetts. In that letter, you delete the information about the nature of the breach," says Mathews.
A new challenge is states' broadening definitions of the personally identifiable information (PII) or protected health information (PHI) that triggers notifications. "While most states cover social security numbers, driver's license numbers and financial account numbers, we're seeing states add pieces to their definitions like health information, health insurance information and passwords," says Mathews. California's breach notification law now includes the username and password combinations for online accounts in its list of PII/PHI, notes Mathews. Such login data for any online account would qualify. Ultimately, there will be many more instances in which enterprises will have to notify.
State laws are also increasingly requiring companies to notify their attorneys general. "If you have a breach, you have to notify consumers, but you also have to send a letter to the state attorney general. AGs review these notices and can decide to launch investigations of companies to see whether there was any wrongdoing on their part that caused the incident," Mathews says.
But perhaps the most disconcerting trend for enterprises is the state-level move toward fixed deadlines for notifying affected consumers. "A lot of states are adding timing restrictions in the form of a number of days," says Mathews. For example, Florida now has a 45-day time limit. This can easily put companies in the position of having to send a notification before they have finished the investigation needed to determine whether notification is required at all.
Federal Law Status and Trends
In the new HIPAA Omnibus Final Rule, effective September 23rd of this year, the federal government has made data breach notification requirements more restrictive. "The law used to say that you have to notify the patient if the incident poses a significant risk of financial, reputational or other harm to the individual," says Mathews. That is what the industry calls a risk-of-harm threshold. The law now states that you have to notify in all situations except those in which there is a low probability that the breach compromised the individual's information, Mathews clarifies. "With the new standard, it is even harder to avoid notifying your customers," says Mathews.