NetLib News

Legislative Update
Tuesday, June 30, 2009

Notification Requirements: They Could Cost You

Forty-four states have data breach notification laws, and those laws keep getting tougher. Now other countries are getting into the act as well. If new laws require that affected parties be notified, a data breach will be even more expensive than it already was.

California's breach notification law is the mother of them all: it was the first one enacted and is the archetype for most of the laws enacted after it. California State Senator Joe Simitian, who authored that law, has amendments in the works that would substantially add to its requirements. The current law requires notification in the event of a breach, but does not specify what the notification must contain. The amendments, if passed, will require that the following information be included in the notification:
 

  • The name and contact information of the reporting entity
  • The type(s) of information believed to be compromised
  • The date or date range of the breach
  • Whether notification was delayed as a result of a law enforcement investigation
  • A general description of the breach
  • The number of people believed to be affected
  • The telephone numbers and contact information of the appropriate credit reporting agencies


An additional amendment would require electronic notification to the State of California whenever more than 500 California residents are affected by a single breach. Simitian's stated rationale is that including this information would let California residents make more informed decisions about how to respond to the unauthorized access or use of their personal information.

Since California pioneered data breach notification laws, how long might it be before these amendments find their way into other states' laws? Moving across the country to Maine, we find that the legislature there has already completed an amendment of its data breach notification law, with changes effective May 22, 2009. In its original form, section 1348 of Maine's law stated that an investigation by police or other law enforcement authorities was a valid reason to delay notification, but it did not stipulate a time frame within which notification had to begin once law enforcement approved it. The amended section 1348 requires notification within 7 days of police approval. The amendment also changes the definition of a breach in section 1347: in addition to unauthorized acquisition of data, unauthorized release or use of data now triggers the notification requirement.

Crossing “The Pond,” we find a great deal happening in the United Kingdom regarding data breach notification. The British Parliament will consider legislation later this year that would create the UK's first national data breach notification requirement. According to UK government authorities, an ongoing review of the European Union's ePrivacy Directive has been a catalyst for the proposed legislation. Another motivating factor is that 138 data breaches were reported in the 8 months from November 2007 through June 2008, in a country that does not even require reporting. In one incident, records on 25 million people held by Her Majesty's Revenue and Customs were compromised; in another, data on more than 800,000 Scottish Ambulance Service calls was compromised.

The point is that an ounce of prevention is worth a pound of cure. Most of these statutes, California's included, apply only to unencrypted personal information, so encrypting data at rest is the most direct way to keep an incident from becoming a reportable breach. Protect your data in the first place, and the cost and inconvenience, not to mention the loss of your customers' confidence in your company, will not be an issue.