Data breach notification requirements are complex in the US, with various federal and state laws containing different requirements for when security incidents must be disclosed.
Some even have substantially different definitions for what a ‘data breach’ or ‘personal data’ is.
As such, it can be hard to know whether you need to report an incident, let alone how you should go about it.
We address these issues in this blog, bringing some much-needed clarity to the subject.
State laws on data breach notification
There is no single set of data protection laws in the U.S.; the rules are instead made up of a patchwork of industry-specific federal laws and state legislation.
To complicate matters further, several states have created new laws in recent years to bolster data protection requirements. For instance, New York has created the SHIELD Act, while Colorado and California have both created data privacy legislation.
Elsewhere, the U.S. government is attempting to unify data protection requirements with its National Cybersecurity Strategy.
Organizations in the U.S. that process EU residents’ personal data are required to comply with the GDPR, and those that conduct business across state lines will face similar compliance challenges.
You can find a summary of each state’s data breach notification laws on our website, along with links to the texts themselves.
Deadline for data breach reporting
Under almost all relevant federal, state, and international laws, organizations must report a data breach to their supervisory authority once they are aware of it. Sitting on an incident without reporting it puts organizations at risk of legal and other ramifications.
The deadline for notifying supervisory authorities of a data breach varies between states. Many set no fixed deadline and instead broadly expect organizations to notify without undue delay.
The most common deadline is 45 days, which is the case for Maryland, New Mexico, Ohio, Oregon, Rhode Island, Tennessee, Vermont, Washington, and Wisconsin.
Iowa has the strictest notification requirements, stating that organizations must report incidents within 5 days.
Elsewhere, the deadline in Florida is 30 days and in South Dakota it’s 60 days, provided the organization is sure that notifying won’t interfere with a criminal investigation.
There are also separate rules for notifying affected individuals of data breaches, plus individual thresholds for the number of people involved in an incident before it must legally be disclosed.
Each of these requirements means that organizations must have comprehensive information about their legal requirements, and ensure that their incident response plans include provisions for incidents that affect people across different territories.
To make things even more confusing, there are also industry-specific requirements that organizations must comply with.
For example, the NYDFS (New York Department of Financial Services) Cybersecurity Requirements state that once a covered entity is aware of a security incident, it must be reported within 72 hours.
That timeframe is becoming standard for data breach notification laws, after a precedent was set by the GDPR. In most cases, new laws have a similar deadline.
But in the majority of cases, legislation in the U.S. remains lax. For example, HIPAA (the Health Insurance Portability and Accountability Act) states that covered entities have 60 days to inform federal authorities of data breaches affecting 500 or more individuals.
The GLBA (Gramm–Leach–Bliley Act) is even looser, stating that organizations must notify customers of a security breach “as soon as possible.”
Likewise, the SEC (Securities and Exchange Commission) is also unclear in its notification requirements.
It states that publicly traded U.S. companies must deliver “timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.”
When to notify affected individuals
There’s a key difference between notifying regulators and affected individuals of a data breach.
You should always notify regulators as soon as possible to let them know you’re aware of the incident and have taken steps to mitigate the problem, but such a prompt response to customers might be counterproductive.
That’s because new details may well come to light as you continue to investigate. Perhaps the incident was more or less extensive than you estimated, or you learned that the cause of the breach was not what you initially thought.
Regulators generally accept that organizations’ investigations are ongoing and that things are often more complex than they first seem.
However, individuals are often less forgiving, particularly because publicly disclosed incidents can make headline news, and the organization’s practices will then be picked over by the press.
If you disclose incorrect information to individuals and need to revise it, you may appear uncertain. And if your revised estimates are worse than expected, customers may lose trust in you, resulting in long-term reputational damage.
Learn about your requirements
The key to staying compliant with U.S. data breach notification laws is to keep track of applicable regulations.
The GDPR is particularly important here, because many organizations in the U.S. assume that it only applies in the EU. However, its requirements apply to any organization that processes EU residents’ personal data, which is particularly common for organizations that have an online presence.
GDPR compliance is also helpful for managing the patchwork of U.S. data protection legislation. Its requirements are far stricter than any domestic law, so achieving GDPR compliance will cover you for a range of other requirements.
You can learn more about the GDPR and the ways it can help you meet your data protection requirements by reading General Data Protection Regulation (GDPR) – A compliance guide for the US.
This free guide explains how and when the GDPR applies in the U.S. and the steps you can take to ensure your organization’s transatlantic data processing practices meet its requirements.
You’ll also learn about the Regulation’s core principles and data subject rights, and the benefits of GDPR compliance.
We also provide tips on how to write your data privacy notice and on how to further your understanding of the GDPR’s compliance requirements.
A version of this blog was originally published on April 27, 2018.