When

… do you get told your data was compromised?

The current rules

It depends on the state. An excellent document from Baker & Hostetler LLP (19 page PDF) starts with general definitions of “personal information” and “breach” then provides several lists including:

  States in Which the definitions are broader than the general definitions.

  States That Trigger Notification by Access
    (just improper access, nothing else required)

  States That Require a Risk of Harm Analysis

  States That Require Notice to Attorney General or State Agency

  States That Require Notification within a Specific Time Frame

  States That Permit a Private Cause of Action

  States With an Encryption Safe Harbor
    (if the data is encrypted they might not have to tell you there was a breach)

  States Where the Statute is Triggered by a Breach of Security
    (in Electronic and/or Paper Records no evidence of actual mis-use is required)

We made a single table summary (2 page PDF). See B&H (19 page PDF) for details.

The Proposed Federal Rules

In early 2015 the President proposed to create a single, strong national standard so Americans know when their information has been stolen or misused. (1/12/2015 in remarks at Federal Trade Commission Text  Video)

5/22/2016 Update:  EU Rules Change

The European Union has given regulators the ability to fine a company up to 4% of a companies world-wide annual revenue if that company does not disclose a breach of personally identifiable information (PII) within 72 hours. Does this apply to US companies that do business in the EU?

5/25/2016 Update:  US Notification Law Stalled

We don’t write this often, but sometimes getting a new bill stalled before it becomes law is a good thing.

Back in December 2015, the Financial Services Committee in the House of Representatives, passed the Data Security Act of 2015 (sometimes called the National Breach Notification Bill) by a 46-9 vote. The Energy and Commerce Committee in the House of Representatives created similar legislation: the Data Security and Breach Notification Act in a 29-20 vote in April 2016. Both are but a pale imitation of the EU rules and provides lesser protections than some existing state laws. It is unknown if either bill will be even brought to the floor of the House or if the Senate would pass it. More at Data Breach Today.

5/30/2016 Update:  Notification Laws Around the World

There is a great map of the world showing protections by country. Each country is identified as “heavy” (shown in red and the most protection), robust, moderate, limited (shown in green and the least protection) and none (shown in gray). Click on a country then select the next tab in the virtual book to see the laws for that country. Other tabs include breach notification, security, privacy and more.

[ This presentation is one of the best adaptions of a static, well-understood book-concept to the dynamic nature of the web. The entire book, for all countries, can be downloaded as a 12MB, 500+ page PDF. You can also download for just the current selected country. The site is well worth the gander if only to understand how some other sites fail to meet this excellent example. Remember: EU organizations will be required to report breaches within 72 hours or face massive fines starting in 2018. Perhaps public perceptions will change when those exposures move from the shadows into the light. -ed ]

Still Room For Improvement

Noted security researcher Brian Krebs suggested adding a disclosure of how the data was compromised. Not the nuts-and-bolts that might give crooks a better understanding on how to circumvent more security, but the general information that can be used now by other companies to help preclude copycat breaches. See 1/13/2015 Toward Better Privacy, Data Breach Laws at Krebs on Security.

Return to References

Home Page