
Data Breach Notification Laws: How States are Following California’s Policies

written by: Greg Brian•edited by: Bill Bunter•updated: 11/25/2009

Having our private data breached is one of the worst nightmares to deal with in the cyber world, and the U.S. federal government has been, and still is, lax on the issue: as of this writing there is no general federal breach notification law, only sector-specific rules.


    California was the first state in the nation to show any foresight in helping people find out when their data has been breached. Its law (Civil Code section 1798.82, enacted as SB 1386) took effect in 2003 and requires companies to inform consumers when their personal information has been compromised; as of this writing, 45 other states have followed suit. Along the way, California's text became the basic blueprint for how a data breach should be handled with a consumer.

    Here’s what you need to know as most of America implements the crux of California’s law:

    Companies in a state with a data breach law must notify you in writing

    · This generality of legalese might fool those who feel comfortable living in a state with a data breach law. Almost every state law says that a company holding your personal data must notify you, in writing or by an allowed substitute such as electronic notice, if that data has been compromised, whether you deal with the company as a customer or as an employee.

    · What they don't always tell you is that California and many other states only require notice within a "reasonable" period. That doesn't always translate to notifying you immediately, which might disturb consumers who expect quick action when their personal information has reached the hands of someone unknown.

    · The reason is that California's statute sets no fixed deadline. It calls for notice "in the most expedient time possible and without unreasonable delay," and it expressly allows delay if law enforcement says notice would impede an investigation, or for the time needed to determine the scope of the breach and restore the reasonable integrity of the system. In practice, the law leans on corporate goodwill rather than fear of a missed deadline, since "unreasonable delay" is left for a court to decide after the fact. It does not, however, excuse a company from notifying at all: California's title gives injured customers a civil action against a company that violates it.

    Keep in mind, however, that state attorneys general can bring enforcement actions against companies that have the hubris to ignore the notification statutes that apply to them.

    How soon is soon in notifying someone with a data breach?

    [Image: California set a precedent for data breach laws.]

    [Image caption: State data breach laws take from California's data breach law, with many exemptions. Many state data breach laws have exemptions that may limit whether notification will be done in the first place. Public governmental information and encrypted information are exempt in California and most other states, making data breach laws more limited than they seem.]

    · California coined the formula of notice "in the most expedient time possible and without unreasonable delay." What counts as unreasonable delay is filled with enough semantics to be argued in a court of law ad infinitum, and the same idea was copied into the data breach laws of nearly every other state.

    · Not every state stopped at that blanket statement. Some decided to go their own way and attach civil penalties to unreasonable delay, or to set an outside deadline for notice. Some states had their data breach bills in limbo for several years over this matter alone. As of this writing, California and a number of other states still hold to the original wording, with no fixed number of days by which a company must notify you.

    Exemptions, exemptions, exemptions

    · You can't explore state laws without realizing that exemptions are always going to be part of the process. It's no different with state data breach laws, where the loopholes may end up hurting you in the long run. How much they hurt depends on what type of personal information was breached and how the company was holding it.

    · If you think you're protected when breached data was already public, think again. California set the bar for most states by excluding information that is lawfully made available to the general public from federal, state or local government records. Of course, this once again pins down the government itself as being lax about what it publishes about us. Nevertheless, it's understandable that a company shouldn't be held responsible for the loss of information anyone could already look up in a public record.

    · The term "immaterial breach" has created protracted legal arguments in states setting up their data breach laws the last few years. Many states won't require notice if a breach is immaterial, in other words, one that probably wouldn't hurt you (a "risk of harm" threshold). However, give points to California for not worming out of this one: its statute has no harm threshold, so a breach of unencrypted personal information must be reported no matter how small the company thinks the risk is.

    · One last exemption: encrypted data that gets lost or into the wrong hands generally isn't covered in any state, because the laws apply only to unencrypted personal information. Some might say this and the other two exemptions above narrow the laws too much to make them all that effective. Obviously, some help in protecting our personal information is better than none. The greatest solution would be a federal law that prevents breaches rather than merely having them announced to us. As of now, we have a long way to go while data thieves get smarter by the minute.

    ______

    As always, check the details of your particular state's data breach law so you'll know the latest on your rights before something happens. You can check the latest by going to this website:

    http://www.ncsl.org/IssuesResearch/TelecommunicationsInformationTechnology/SecurityBreachNotificationLaws/tabid/13489/Default.aspx