When a data breach occurs, it is important to understand the breach notification laws in your state and what you must do to comply with them. After contacting your legal counsel, the next stop you can make is the National Conference of State Legislatures, which maintains a list of enacted and proposed security breach notification laws.
In general, most state laws follow the basic tenets of California’s original law: Companies must immediately disclose a data breach to customers, usually in writing. California has since broadened its law to include compromised medical and health insurance information.
Some important considerations in these laws include, but are not limited to:
1. The time allotted to inform consumers of a data breach.
2. Whether or not there are penalties – civil or criminal – for a failure to disclose.
3. What kinds of breaches, if any, are exempt from reporting.
4. Whether or not there is a private right of action – that is, the ability for the consumer or employee to pursue a case on their own.
Federal agencies, such as the Federal Trade Commission, are currently reviewing ways to better protect consumer privacy. Their findings are likely to influence how state legislatures vote on some key data breach notification and privacy acts on the floor in 2011. Some of the proposals include requirements for a reasonable effort to avoid a data breach through the use of encryption, designated individuals to lead privacy departments and education throughout the organization, and data security risk assessments conducted before a breach occurs.
With the recession-driven boom in cybercrime, identity theft and security breaches likely to continue expanding in 2011, Congress will probably enact some version of these proposals sooner rather than later. That being said, it is better to be prepared and embrace the current and proposed laws before a data breach occurs.