Get ready for a new wave of breach notification laws

March 1, 2011 by ofonseca

According to Privacy Rights Clearinghouse, at least 500 million sensitive records have been breached since 2005, and a survey by the Samuelson Law, Technology & Public Policy Clinic at the University of California, Berkeley has shown that even with notification letters, 28% of consumers don’t understand the potential consequences of these breaches. It’s a serious problem that just about every state in the country continues to address.

Years ago, California ushered in landmark privacy legislation with AB 700: Security Breaches (2001), a law that most other states have since used as the model for their own. Now that California has a new governor, a new bill, SB 24: Data Breach Notification (2011), is being re-introduced. It further strengthens notification requirements when data breaches occur by establishing a standard set of additional information that all businesses must provide to consumers about the breach.

But California is just one state. Alongside national data privacy laws such as FACTA, HIPAA, and COPPA, there are currently 48 different state data breach notification laws, one in just about every state. No wonder it’s tough for businesses to surf the tidal wave of legislation, especially if a company does business in several states.

A new law expected to be passed in 2011, the Data Accountability and Trust Act, or DATA, would supersede all state laws to provide one standard across the board. Provisions include requiring companies to notify consumers about breaches within 60 days, alert customers to the specific information that has been compromised, report breaches to the credit bureaus if more than 5,000 accounts are compromised, and provide two years of credit monitoring to consumers and a toll-free number to call for more information about the breach.

For businesses that don’t comply with these new regulations, stiff penalties will be added to the already burdensome costs of breaches (and how can you even tabulate costs like the loss of public trust?). The new regulations headed our way in 2011 provide one more reason for businesses to protect themselves from breaches, take swift action when a breach has been detected, and stay informed about the legal currents that are taking shape.