As many as 47 states in the US have recently amended, passed or proposed data breach notification laws that require businesses to notify customers when a data breach compromises their sensitive information. The notification requirement will include all affected individuals rather than just those residing in the states.
Changes to the law in most states include the addition of medical information, health insurance policy numbers, and customer information pertaining to online accounts (email addresses, passwords, and security questions) in the category of personal information that, if breached, sends a notification to the affected individuals.
The data breach notification act requires individuals to be notified as soon as possible after the discovery of the breach. Here is the roundup of the recently amended notification laws:
Governor Beshear on April 10 signed into law H.B. 232 – it requires notifying the compromise of personally identifiable information of the Bluegrass State residents. The law also includes cloud service providers in contract with (K-12) educational institutes to maintain student data (names, emails, photo IDs, etc.) security and prohibit sale, processing, or disclosure of student data for commercial use.
The personally identifiable information includes first initial or first name and last name combined with data elements such as driver’s license number, social security number, and financial account numbers. Businesses in the state must disclose the breach of a system to residents whose personal information (unencrypted) is believed to be acquired by unauthorized individuals. The law goes into effect on July 15, 2014.
Retailers operating companies beyond and within the Golden State should be aware of Assembly Bill 1710, which if amended, in addition to limiting the types of customer personal information retailers can hold, will increase the cost of a data breach for retailers. The bill is accompanied by a 15-day notification rule; that is notifying affected individuals within 15 days of a data breach.
Notification must be made by email, by posting on the website of the company, and by notifying major media channels statewide.
The law would increase the financial exposure of retail companies that have suffered a breach. It would require retailers to provide credit monitoring services to customers for two years, grant a public prosecutor the authority to pursue civil penalties in the amount of $500 for each violation, and make the retailer bear the cost of notifications and replacing payment cards of affected individuals.
The act would also prohibit the sale of social security numbers. It’s noticeable the breach would be notified unless the data was encrypted in accordance with the Advanced Encryption Standard of the National Institutes of Standard and Technology.
Florida Information Protection Act of 2014 took effect on July 1 2014. The law includes notifying residents of the state when their personal information has been breached, which includes online account information (such as emails, passwords, credit card numbers), medical information, and health insurance policy numbers.
The act requires individuals to be notified at the soonest, but no more than 30 days after the breach is discovered or if the business believes data has been compromised.
Also, the Act requires a written notice sent to the state Attorney General, within 30 days of the breach, if the breach affects 500 or more individuals, unless the delay for an additional 15 days is accompanied by a good cause.
The General Attorney may also request the entity to provide a copy of its company policies pertaining to breaches, steps taken to mitigate the effects of the breach, and a police report, or computer forensics report. The Act also calls for businesses to take reasonable measures to secure and protect personal information in electronic form, but does not detail the measures. If the breach affects 1,000 individuals or more, a business must also notify all consumer reporting agencies that maintain files of consumers in Florida on a nationwide basis. Failure to notify the General Attorney may result in penalties up to $500,000.
Businesses operating in these states should carefully consider their data breach policies and take up measures to ramp up cyber security in order to avoid possible reputation damage and heavy fines associated with the failure to comply with the law.
Maintaining or implementing cyber intelligence, as a result of the law, will become more important than it ever used to be.