With the recent uptick in the U.S. of lawsuits filed as a result of data breaches, state legislators in the U.S. have been busy updating the many different state laws that dictate how a company must respond if it has been hacked and personal information has been compromised. With no comprehensive federal law that sets forth a uniform compliance standard, companies operating in the U.S. must comply with a patchwork of 47 different state laws that set forth a company’s obligations in the event of a data breach.
Additionally, the trend is toward more than just notice requirements. Now companies must also take proactive steps to avoid a data breach in the first place. We first saw this with the Massachusetts law, and the model is expanding.
Several state laws have been amended in the last month or two. For example, on June 26, 2015, building on the momentum to have a reasonably mature information security program in place, Rhode Island amended its law to add a requirement that companies implement a risk-based information security program to safeguard personally identifiable information. On July 1, 2015, Connecticut revised its data breach notification statute to require companies to provide one year of identity theft protection to individuals whose information is compromised as a result of a data breach. In addition, a revised law in Wyoming went into effect July 1 that now sets forth minimum content requirements for the notices a company must provide to those affected by a breach. A number of states, such as Nevada and Oregon, have also amended their laws to expand the type of personally identifiable information that, if disclosed, triggers the notification requirements under their laws.
These are just a few examples of the most recent changes being made by state legislatures while federal legislation on the subject continues to stall in Congress. More changes are certain to come, and thus the data privacy compliance landscape for companies in the U.S. is changing rapidly. As a result, companies face the challenge of continually reviewing and revising their information security policies and response plans to comply with the many and varied state law requirements in the U.S.
Compliance with these state laws protects companies on two fronts. First, the state laws themselves incorporate a variety of enforcement mechanisms, such as creating a private right of action or deeming a violation of the law to be an unfair or deceptive trade practice under a separate law. Plaintiffs in data breach litigation have filed claims based on violations of the state data breach notification laws, claiming that notification that did not comply with statutory requirements caused them harm.
Second, the single most common claim in lawsuits flowing from a data breach is negligence, and the failure to comply with state law in advance of or immediately after a breach can be used by plaintiffs as evidence of a failure to exercise reasonable care. If a company waits until a data breach occurs to research the requirements of all the state laws that govern its response to the breach, it will be too late — especially since some laws dictate steps a company must take prior to the breach to protect personally identifiable information.
It isn’t just the US either. The trilogue negotiations going on between the European Parliament, the European Commission, and the Council of Europe are engaged in a full-blown revamping of the data protection system in the EU. So far, there hasn’t been a general breach notice obligation in the EU like there has been in the US, but this can, and likely will, change.
With all the activity going on from a regulatory perspective, it is imperative for companies in this time of hyper-vigilance on this issue to stay abreast of the changing legal landscape and revise information security policies and response plans accordingly.