Security breach notification laws

From Wikipedia, the free encyclopedia

Security breach notification laws or data breach notification laws are laws that require an entity that has been subject to a data breach to notify their customers and other parties about the breach and take other steps to remediate injuries caused by the breach. Such laws have been enacted in most U.S. states since 2002. These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information.[1]

The first such law, the California data security breach notification law,[2] was enacted in 2002 and became effective on July 1, 2003.[3] As related in the bill statement, the law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition, the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach of the security of the data.

In general, most state laws follow the basic tenets of California's original law: Companies must immediately disclose a data breach to customers, usually in writing.[4] California has since broadened its law to include compromised medical and health insurance information.[5]

The National Conference of State Legislatures maintains a list of enacted and proposed security breach notification laws.[1]

A number of bills that would establish a national standard for data security breach notification have been introduced in the U.S. Congress, but none passed in the 109th Congress.[6] In his 2015 State of the Union speech, President Obama proposed new legislation to create a national data breach standard that would establish a 30-day notification requirement from the discovery of a breach.[7]

The European Union implemented a breach notification law in the Directive on Privacy and Electronic Communications (E-Privacy Directive) in 2009, specific to personal data held by telecoms and Internet service providers.[8][9] Member states had to transpose this directive into national law by 25 May 2011.

Furthermore, the traffic data of subscribers who use voice and data services over a network operator's network may be retained by the operator only for operational reasons. Such traffic data must be erased once it is no longer needed, so as to limit the exposure in the event of a breach. On the other hand, traffic data is needed to produce and process subscriber bills; under European Union law it may be used for that purpose only until the end of the period during which the bill may lawfully be challenged or payment pursued (Article 6, paragraphs 1-6 [10]). Traffic data may be used for marketing additional chargeable services only if the subscriber has given his or her consent, and that consent can be withdrawn at any time. The service provider must also inform the subscriber or user of the types of traffic data that are processed and of the duration of such processing. Processing of traffic data, in accordance with the above, must be restricted to persons acting under the authority of providers of public communications networks and publicly available electronic communications services who handle billing or traffic management, customer enquiries, fraud detection, marketing of electronic communications services, or the provision of a value added service, and must be restricted to what is necessary for the purposes of such activities.


External links