With the recent uptick in the U.S. of lawsuits filed as a result of a data breaches, state legislators in the U.S. have been busy updating the many different state laws that dictate how a company must respond if they have been hacked and personal information has been compromised. With no comprehensive federal law that sets forth a uniform compliance standard, companies operating in the U.S. must comply with a patchwork of 47 different states laws that set forth a company’s obligations in the event of a data breach.
Additionally, the trend is to have more than just notice requirements. Now companies have to develop proactive steps they must take to avoid a data breach in the first place. We first saw this with the Massachusetts law, and the model is expanding.