With so many examples of high-profile data breaches in the news, it’s perhaps no surprise that U.S. states are taking increasingly aggressive steps to tighten up their data breach notification laws. Since June 1, eight U.S. states have either amended or enacted tougher new data breach notification laws. Across the United States, there seems to be growing acceptance of the idea that more steps need to be taken to protect personal information from falling into the wrong hands.
US states beefing up their data breach notification laws
The good news is that, in America, all 50 states (plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands) now have enacted legislation requiring both private and governmental entities to notify individuals of security breaches involving personally identifiable information.
However, there is still no consensus on what “timely” really means in the context of a data breach. For some states, “timely” is 30 days, while for other states, it is 45 days or 60 days. And even when it comes to “personally identifiable information,” there is not yet consensus on what this term even means. For some states, it means the combination of a name and a Social Security Number; for other states, it can refer to driver’s license information or health insurance information.
Particularly noteworthy is the fact that, rather than going after hackers, amendments to existing data breach notification laws are focusing on the responsibilities of the actual entities affected by data breaches. The amended state laws are placing more responsibility on them to contact customers in a timely manner after a breach has been discovered, and to widen the scope of what constitutes a “data breach.”
For example, an amended data breach notification law in Arizona expanded the meaning of “personal information” and required all victims of data security breaches to notify affected parties within 45 days. Previously, private corporations could have avoided reporting data breaches of sensitive information by hiding behind the narrow definition of “personal information.” An expanded definition is much more stringent, and requires corporations to be much more vigilant, or else they risk the oversight of the state attorney general.
In another example, Vermont has extended the scope of its data breach notification laws to include “data brokers,” which are defined as entities that sell or license data to third parties. And on September 1, Colorado enacted some of the most rigorous data breach notification laws yet. Colorado legislators broadened the definition of “personally identifiable information” and imposed a strict 30-day security breach notification deadline for reporting affected parties of a data breach.
Why timely notification of data breaches is important
But is even 30 days too long to report a data breach? Just think of what could happen in those 30 days – a criminal hacker could use personal information as part of an identity theft scheme. Or a hacker could use that personal information to open new credit cards in your name, or to drain your existing bank account. In fact, the range of negative outcomes is only limited by the scope of your imagination. In a best-case example, hackers might just sell off your data to some third-party advertiser, who will then try to show you targeted ads based on what it knows about your age, gender, and income. In a worst-case scenario, you might spend years trying to un-do all the financial chaos that hackers have set into motion.
The European GDPR is still the gold standard for data breach notification
With that as context, it’s understandable why many people consider even 30 days to be too long of a window to report a data breach. The gold standard for data breach notification is the European General Data Protection Regulation (GDPR), which went into effect in May. According to the terms of the GDPR, the data breach notification window is just 72 hours. Failure to report a data breach within that time frame could result in a total fine of 10 million Euros, or up to 2% of a company’s total global turnover.
Moreover, the GDPR goes well beyond just forcing disclosure of a breach. It also mandates what must be included as part of that disclosure. For example, according to the GDPR, any notification must include the following: a description of the breach; a summary of the number of individuals and data records affected; the name and contact information for a dedicated staff member who can handle inquiries on the matter; a summary of the likely consequences of the breach; and a listing of the active measures being put into place to mitigate any adverse affects of the breach.
In many ways, the 72-hour rule is just plain old common sense. If your home were burglarized, would you want to wait 60 days to file a report with the police and set into motion ways to get your personal possessions back? If you were mugged on the street and robbed in daylight, would you wait 45 days to tell people about it? No, you’d report the robbery immediately.
And that’s why the European GDPR is really so influential – it’s starting to cause a real debate over what steps entities should take to protect data privacy and personal information. Your personal privacy and personally identifiable information obviously has a value attached to it, or why else would hackers spend so much time to steal this information? In short, data breach notification statutes are no longer theoretical – they are now very much the topic of conversation in state legislatures and federal government agencies.
Private corporations still lagging
The problem, quite simply, is that corporations have very little incentive to report cyber breaches unless they obviously have to. For example, Hong Kong-based mega-airline Cathay Pacific recently disclosed a massive data breach affecting up to 9.4 million passenger records. Within those records was information such as names, dates of birth, passport information, numbers of expired credit cads, and travel history. Yet, Cathay Pacific didn’t report a data breach that occurred in March – six months ago! – until October.
That data breach incident, perhaps not surprisingly, has led to public outcry over the “outdated” state of Hong Kong’s privacy laws, which don’t’ mandate disclosure of these data breaches. In fact, Hong Kong’s privacy laws have been amended only once, way back in 2010. Needless to say, they do not include rigorous data breach notification requirements.
Now that we’ve had six months to ponder the implications and consequences of the European GDPR, it looks like many of the initial concerns of the GDPR – that it would stifle innovation and slow economic growth – might have been overblown. If anything, the momentum around tougher data breach notification laws appears to be growing. Europe was the first domino to fall, and now it looks like the United States will be next.
In fact, so many U.S. states are lining up to pass their own versions of stricter data breach notification laws that it might only be a matter of time before the United States finally adopts a far-reaching federal privacy law. When that happens, nations around the world will likely have no other option but to adopt similar laws of their own.