Data breach notification requirements are complex in the US, with various federal and state laws. Many of them contain broad requirements for the circumstances in which breaches must be reported and the timeframe for doing so.
Indeed, some of these laws contain substantially different definitions for data breaches and what’s considered personal data.
As such, it can be hard to know whether you even need to report an incident, let alone how you should go about it.
We address these issues in this blog, bringing some much-needed clarity to the subject.
State laws on data breach notification
Personal information in the United States is currently protected by a patchwork of industry-specific federal laws and state legislation whose scope and jurisdiction vary.
The challenge of compliance for organizations that conduct business across all 50 states is therefore considerable.
You can find a summary of each state’s data breach notification laws on our website, along with links to the texts themselves.
It’s worth adding that organizations that collect personal data from individuals outside the US may also be subject to additional laws.
For example, despite being an EU regulation, the GDPR (General Data Protection Regulation) applies to any organization that collects EU residents’ personal data no matter where it is based.
Deadline for reporting data breaches
Under federal, state, and international laws, once organizations become aware of a breach they have a certain amount of time to report it to the relevant supervisory authority. Sitting on an incident without reporting it puts organizations at risk of legal and other ramifications.
Presently, there is no federal cybersecurity regulation covering the entire US that obligates organizations to alert the public of data breaches, and state breach notification rules vary.
California was the first state to impose a breach notification law, back in 2002. Companies that fall victim to cyber crime or a data breach must issue notifications when 500 or more California residents are affected, and must do so as expeditiously as possible.
New Mexico was the most recent state to issue a breach notification law. The state mandates that businesses have 45 days to issue notifications once a data breach is discovered, but only if 1,000 or more of the state’s residents are affected.
There are also industry-specific requirements that organizations must comply with. For example, the NYDFS (New York Department of Financial Services) Cybersecurity Requirements – one of the newer data breach regulations in the US, having come into effect in 2017 – state that organizations have 72 hours from becoming aware of a breach to report it.
That timeframe is becoming the standard for data breach notification laws (the GDPR has the same deadline), but legislation created earlier is generally more lenient.
Under the HIPAA (Health Insurance Portability and Accountability Act), for example, covered entities have 60 days to inform federal authorities and affected individuals when 500 or more individuals are involved.
The GLBA (Gramm–Leach–Bliley Act) is vague in its timeframe enforcement, mandating that organizations notify customers of a security breach “as soon as possible.”
Likewise, the SEC (Securities and Exchange Commission) is unclear in its notification requirements, saying only that publicly traded US companies must deliver “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.”
When to notify affected individuals
It’s not only regulators that you need to disclose data breaches to; you should also inform anyone affected by the incident.
Many organizations use the opportunity to provide free credit monitoring services to affected individuals, helping them manage the risks associated with the data breach and trying to restore their reputation as an organization that cares about data protection.
However, there’s a key difference between notifying regulators and affected individuals. Whereas you always want to notify regulators as soon as possible to let them know you’re aware of the incident and have taken steps to mitigate the problem, such a prompt response to customers might be counterproductive.
That’s because new details may well come to light as you continue to investigate. Perhaps the incident was more or less extensive than you initially thought, or perhaps you’ve learned that the breach wasn’t caused by what you initially thought it was.
If you disclose the incident to affected individuals and then have to revise what you’ve said, you risk giving the impression that you don’t know what you’re talking about.
Customers may lose trust in you as a result, and if your revised estimates are more damaging than you initially said, you face prolonged reputational damage.
Learn about your requirements
As we’ve explained in this blog, data breach notification in the US is complex, but the key is to keep track of the data protection laws that you’re subject to.
The GDPR is particularly important here, because many organizations in the US assume that it only applies in the EU. However, ignoring its requirements could be incredibly costly, with violations attracting fines of up to €20 million (about $22 million).
Those who want to know how the Regulation affects them should take a look at our GDPR training courses. Depending on how familiar you are with its requirements, you might prefer either our:
A version of this blog was originally published on April 27, 2018.