Security breach notification laws
Security breach notification laws have been enacted in most U.S. states since 2002. These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information.
The first such law, the California data security breach notification law SB 1386, Cal. Civ. Code 1798.82 and 1798.29, was enacted in 2002 and became effective on July 1, 2003. As related in the bill statement, law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach in the security of the data.
In general, most state laws follow the basic tenets of California's original law: Companies must immediately disclose a data breach to customers, usually in writing. California has since broadened its law to include compromised medical and health insurance information.
The European Union implemented a breach notification law in the Directive on Privacy and Electronic Communications (E-Privacy Directive) in 2009. This directive has to implemented by national law until 25 May 2011.
- Breach reporting requirements by state
- Interactive map comparing U.S. security breach notice laws (requires subscription)
- State Security Breach Notification Laws
- SB 1386 Senate Bill
- CSO Online: Interactive map comparing breach notification laws
- California AB 1298 (2007)
- Speaking of Security... | Blog Entry: Shannon Kellogg | Data security a: 1173
- Amendment of Article 4 lit 3-5 of Directive 2002/58/EC (E-Privacy Directive) by Article 2 lit 4 c) of Directive 2009/136/EC.