2. Notification Rules
As a general rule, all business entities involved in interstate commerce that make use of electronically or digitally compiled SPII for more than 10,000 individuals during a 12-month period are required to notify said individuals in the event that their personal data have been compromised or stolen. Notifications may be given to an authorized third party, which includes the owner or the licensee of the SPII that was breached.
Exemption from the notification rule – A business entity becomes exempt from the notification rule only if the owner of the breached SPII or the authorized third party makes the actual notification regarding the data breach.
Another exception exists if a federal law enforcement agency deems that the notification requirement will impede a criminal investigation or a national security activity. In that case, the authorized federal agency shall issue a written notice to the business entity concerned stating that a delay in notifying the affected individuals is necessary.
When should the notification be made? – All notifications shall be made immediately and without unreasonable delay after the discovery of the security breach. In addition, the FTC may request proof or evidence that the notification requirement was actually complied with by the business entity.
When is a delay in notification considered reasonable? – Under ordinary circumstances, unreasonable delay should not exceed 60 days from the date of discovery of the breach. A delay in notification is allowed only if the business entity has provided the FTC with ample justification and evidence that delaying notification will:
- Allow the entity to determine the extent or scope of the security breakdown.
- Prevent the business entity from making further disclosures or conducting risk assessments.
- Be necessary in order to restore the integrity of the security system, as well as to provide information about security incidents, threats or vulnerabilities as required by the Secretary of Homeland Security.
The FTC shall determine whether such an extension of the notification delay is necessary and shall grant, in writing, an additional period of 30 days. Additional periods assessed as necessary by the FTC shall not exceed 30 days per extension request.