Security breach notification laws
Security breach notification laws or data breach notification laws are laws that require individuals or entities affected by a data breach to notify their customers and other parties about the breach, as well as take specific steps to remedy the situation, as prescribed by state legislation. Data breach notification laws have two main goals. The first is to give individuals a chance to mitigate the risks that follow a breach. The second is to give companies an incentive to strengthen their data security.
Such laws have been enacted piecemeal across the U.S. states since 2002, and all 50 states now have some form of data breach notification law. There is, however, no federal data breach notification law, despite previous legislative attempts. These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information. Other jurisdictions, such as the EU and Australia, have likewise added data breach notification laws to combat the increasing occurrence of data breaches.
The rise in data breaches is evident: according to the Identity Theft Resource Center (ITRC), the number of reported data breaches increased from 421 in 2011 to 1,091 in 2016 and 1,579 in 2017. Breaches have affected millions of people and gained increasing public awareness through large incidents such as the October 2017 Equifax breach, which exposed the personal information of almost 146 million individuals.
The first such law, the California data security breach notification law, was enacted in 2002 and became effective on July 1, 2003. As stated in the bill summary, the law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition, the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach of the security of the data.
In general, most state laws follow the basic tenets of California's original law: companies must promptly disclose a data breach to affected customers, usually in writing. California has since broadened its law to include compromised medical and health insurance information. Where the laws differ most is the threshold at which a breach must also be reported to the state Attorney General (usually when it affects 500 or 1,000 individuals or more). Some states, like California, publish these data breach notifications on their Attorney General (oag.gov) websites. Breaches must be reported if "sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to the individuals to whom the information relates." This leaves room for interpretation (will it cause substantial harm?), but breaches of encrypted data need not be reported. Nor must a breach be reported if data has been obtained or viewed by unauthorized individuals as long as there is no reason to believe they will use the data in harmful ways.
A number of bills that would establish a national standard for data security breach notification have been introduced in the U.S. Congress, but none passed in the 109th Congress. In his 2015 State of the Union speech, President Obama proposed new legislation to create a national data breach standard that would establish a 30-day notification requirement from the discovery of a breach.
The European Union implemented a breach notification requirement in the Directive on Privacy and Electronic Communications (E-Privacy Directive) in 2009, specific to personal data held by telecoms and Internet service providers. Member states had to transpose this directive into national law by 25 May 2011.
Furthermore, the traffic data of subscribers who use voice and data services over a network company's network is retained by the company only for operational reasons, and must be deleted once it is no longer necessary, in order to avoid breaches. On the other hand, traffic data is necessary for the creation and handling of subscriber billing; under EU law (Article 6, paragraphs 1–6) it may be used for this purpose only until the end of the period during which payment of the bill may lawfully be pursued. Traffic data may be used for marketing additional chargeable services only if the subscriber has given consent, which can be withdrawn at any time. The service provider must also inform the subscriber or user of the types of traffic data that are processed and of the duration of that processing. Processing of traffic data, in accordance with the above, must be restricted to persons acting under the authority of providers of public communications networks and publicly available electronic communications services who handle billing or traffic management, customer enquiries, fraud detection, marketing of electronic communications services or provision of a value added service, and must be restricted to what is necessary for the purposes of such activities.
On February 22, 2018, Australia's Privacy Amendment Act 2017 became effective. Entities with existing personal information security obligations under the Australian Privacy Act are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of all "eligible data breaches."
New Zealand's Privacy Act 2020 came into force on December 1, 2020, replacing the 1993 act. The act makes notification of privacy breaches mandatory. Organisations receiving and collecting data must now report any privacy breach they believe has caused, or is likely to cause, serious harm.