Unfortunately, for many U.S. companies facing the reality of data breaches and data breach notifications, reaching an agreement on what a breach is and what you are required to do once one occurs remains a very complex topic, and breaches still pose a potentially large economic risk when they happen. Even more to the point, each state and jurisdiction within the U.S. differs in one way or another on how data breaches must be legally handled and on the notification requirements that accompany them.
Just as important, even a local or regional business dealing with a data breach may need to satisfy the requirements of all 50 states if that breach impacts clients in all of those jurisdictions. Nor is the risk assessment process simplified much by finding out which jurisdiction has the most onerous requirements: in almost every case, legal guidance is still needed to determine whether meeting the most onerous requirements is recognized as a means of meeting the other states' requirements.
To bring more information to bear on this issue, the Commercial Law League of America (CLLA) offers a great resource: an Excel worksheet entitled "STATE DATA SECURITY / BREACH NOTIFICATION LAWS (As of December 2011)".
This report provides, state by state, each state's legislative reference, statute, effective date, definition of Personal Information (PI), key provisions, etc. It would be a great addition to your organization's risk management and information security library, and a useful reference for HR departments writing privacy policies and procedures.
Click here to view and download this report. You may also want to read the latest Verizon "2012 Data Breach Investigations Report" for more details on this growing threat.
For additional reading on this matter, click here to view a recent report released by the U.S. Congressional Research Service and prepared for Members and Committees of Congress, entitled “Data Breach Notification Laws”.
If applicable, please pass this information along to those business continuity planning and/or organizational resilience planning team members in your organization so that they include data breaches and breach notification policies and procedures in their formal plans.