The Evolving Landscape of Breach Notification Laws
Published On July 9, 2019
Blog Post by Jaymin Patel, ITRM Associate at Meditology Services
During a recent visit to SecureWorld Philadelphia 2019, I attended the presentation “A Survey of U.S. Domestic Security and Privacy Laws: The Evolving Landscape” by Jordan Fischer, Managing Partner at XPAN Law Group.
In 2016, the European Parliament, the Council of the European Union, and the European Commission issued the General Data Protection Regulation (GDPR) to strengthen and unify data protection for all individuals within the European Union (EU).
The GDPR has spilled over into the United States and has impacted the way companies deal with personal data breaches. GDPR has been a real game changer and has raised the bar when it comes to data breach notification and protecting personal data privacy.
Following in the footsteps of the GDPR, the U.S. has seen several states issue significant changes concerning their data breach notification laws. California’s California Consumer Privacy Act (CCPA), which will become effective from January 1, 2020, aims to give residents of California complete rights to all personal data that businesses collect from them. CCPA could potentially become the U.S. equivalent of the GDPR.
Several other states have introduced laws that largely reflect the CCPA. Massachusetts amended its state data breach notification law in January 2019 to adopt several key aspects from the CCPA including the requirement for free credit monitoring. Mississippi has also made efforts to amend their laws by deriving language from the CCPA. Hawaii introduced similar consumer rights and requirements which have an even broader reach than CCPA.
New Jersey has also attracted considerable attention with recent expansion of its data breach notification law. One of the updates states “Any business or public entity that furnishes an email account shall not provide notification to the email account that is subject to a security breach. The business or public entity shall provide notice by another method described in this section or by clear and conspicuous notice delivered to the customer online when the customer is connected to the online account from an Internet Protocol address or online location from which the business or public entity knows the customer customarily accesses the account.” This new law will become effective in September 2019.
Maryland is another state which has introduced similar rights for its residents. New Mexico has also adopted several key components from the CCPA including the right of deletion, right to opt out, etc. Washington and Colorado are among other states that are closely following these breach notification laws. Washington has expanded its breach notification requirements to more types of consumer information. The new law also has reduced the existing 45-day timeline to notify affected residents and the state attorney general of a breach to no later than 30 days following the discovery of a breach.
We are also seeing this trend among major cities in the U.S. For example, Chicago, with its Chicago Personal Data Collection and Protection Ordinance, aims to strengthen consumers’ control over their information. San Francisco has adopted an action plan through its Privacy First Policy to protect its residents from misuse and misappropriation of their data.
With all of these state efforts in progress, perhaps we will see a comprehensive federal law passed within the next couple of years.