Data breach notification laws, state and federal

A review with commentary for security C-Levels

State and federal data breach notification laws have changed and are expanding more than a little bit. CISOs and CSOs should start here to expand their knowledge of the increasingly restrictive notification requirements that apply to their organizations.

State Law Status and Trends

One challenge enterprises have faced with state data breach notification laws is the differences between the laws. "When you have an incident that affects consumers throughout the country, you have to craft a response that complies with all the state laws, which is a challenge. It's even impossible where there's an outright contradiction between two different laws," says Kristen J. Mathews, Partner, Privacy & Data Security Group, Proskauer Rose LLP.

While Massachusetts' breach notification law says the letter the company sends to affected individuals cannot inform as to the nature of the breach, most states require the opposite. "The only way to comply is to have a special letter for Massachusetts. In that letter, you delete the information about the nature of the breach," says Mathews.

A new challenge is states' broadening definitions of the personally identifiable information (PII) or protected health information (PHI) that triggers notifications. "While most states cover social security numbers, driver's license numbers and financial account numbers, we're seeing states add pieces to their definitions like health information, health insurance information and passwords," says Mathews. California's breach notification law now includes the username and password combinations for online accounts in its list of PII/PHI, notes Mathews. Such login data for any online account would qualify. Ultimately, there will be many more instances in which enterprises will have to notify.

[Lawmakers push for federal data breach notification law]

State laws are also increasingly requiring companies to notify their attorneys general. "If you have a breach, you have to notify consumers, but you also have to send a letter to the state attorney general. AGs review these notices and can decide to launch investigations of companies to see whether there was any wrong doing on their part that caused the incident," Mathews says.

But, perhaps the most disconcerting to enterprises is the state-level trending toward including deadlines for notifying affected consumers. "A lot of states are adding timing restrictions in the form of a number of days," says Mathews. For example, Florida now has a 45-day time limit. This can easily put companies in the position where they may not have concluded the research necessary to determine whether they must notify before the notification must go out.

Federal Law Status and Trends

In the new HIPAA Omnibus Final Rule effected September 23rd of this year, the federal government has made data breach notification requirements more restrictive. "The law used to say that you have to notify the patient if the incident poses a significant risk of financial, reputational or other harm to the individual," says Mathews. That is what the industry calls a risk of harm threshold. The law now states that you have to notify in all situations except those in which there is a low probability that the breach compromised the individual's information, Mathews clarifies. "With the new standard, it is even harder to avoid notifying your customers," says Mathews.

[Privacy commissioner backs mandatory data breach notification]

"The HIPAA Omnibus Final Rule says you have to do a risk assessment on every PHI breach," says Scott Pettigrew, CSO, HMS Holdings Corp. The rule offers four criteria that enterprises must use to perform that assessment. According to Pettigrew, the criteria include the nature and extent of the PHI involved and the likelihood of re-identification of the individual; the identity/role of the authorized person who used the PHI; whether an unauthorized person acquired or viewed the PHI; and the extent of the mitigation of the risk to the PHI.

The HIPAA Omnibus Final Rule establishes other requirements. A business associate or contractor who handles data with PII/PHI, such as when performing data processing on behalf of the enterprise must now also notify in case of a breach where someone could trace the compromised data back to the affected individual.

"The Omnibus Rule requires more stringent oversight by Health and Human Services (HHS). With every breach notification that affects more than 500 people, HHS must launch an investigation," says Pettigrew. Organizations will have to have proof that they performed a risk assessment. They will have to stand by any risk assessment results that lead them to withhold notification, explains Pettigrew.

The rule also bridles the state laws, permitting the more stringent ones to apply only as long as they are not contradictory to the federal law. Enterprises must update their procedures and train their workforces on all the new breach rules to satisfy the Omnibus Rule.

The Future of Data Breach Notification

A single federal law applicable to all PII/PHI would seem to benefit enterprises. Congress has been writing and circulating bills for years that would accomplish something like this. "Most of those bills would preempt the state laws, which would be very good for businesses because we wouldn't have to look at those state laws anymore. We would only have to follow one federal law to craft a notification," says Mathews. Unfortunately, congress is not passing these bills yet.

[Encryption would exempt ISPs from data breach notification to EU customers]

To stay abreast of state laws, a quick search on Google for "data breach chart" or "data breach notification chart" will return links to charts and indexes of state notification laws, including some hosted on attorneys' professional websites. For federal laws, look to HIPAA/HITECH and the HIPAA Omnibus Final Rule. For actual breaches, keep the appropriate attorney/privacy expert on speed dial.

Join the CSO newsletter!

Error: Please check your email address.

Tags securitydata breachlegislationgovernment

More about CSOEUGoogleRoseScott Corporation

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Geer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts