What are data breach notification laws? Many people have heard about, or have themselves been potentially victimized by a data breach. Your credit card information might have been hacked, or your personal identifying information might have been exposed in a data security breach. But many people do not realize that there are legal protections in place that require businesses and governments to notify potential victims when there is a data security breach.
What Are Data Breach Notification Laws?
At present, there are a few national standards in place regarding data breach notification of potential victims, but federal laws are limited at this time to financial institutions (the Gramm-Leach-Bliley Act, 15 U.S.C. Section 6801, et seq., which requires notification when nonpublic personal information of a consumer is breached) and the healthcare industry (the Health Insurance Portability and Accountability Act, 45 CFR Sections 106.103, 164.400-414, and 42 U.S.C. Section 1320d, et seq., which requires notification when a patient’s protected health information is breached).
Laws Vary From State to State
Data breach notification laws vary from state to state. However, as a general rule these laws are written consistent with a typical format. Data breach notification laws typically:
- Outline who the law applies to (i.e., private entities, government entities, educational institutions, etc.). Oftentimes, data breach notification laws apply to government entities, private entities, and educational institutions.
- Provide a definition as to what is personal information for the purposes of the notification law. In most states, “personal information” includes data such as a person’s first and last name, Social Security number, driver’s license number, state-issued identification card number, account number, credit card or debit card number and security code, access code, or PIN necessary to access the account, credit card or debit card.
- Provide an explanation of what constitutes a data security breach. Typically, a data security breach involves an unauthorized breach of the security of a system thereby gaining access to personal information. The specific definition associated with breach notification laws can vary greatly by state.
- Include details concerning what is required for compliance with the data breach notification law. Examples include identification of the timeframe in which notifications must be made, whether the notification must be made in writing, and specific information that must be included in the data breach notification.
- Identify any exemptions to the data breach notification laws. In some states, if data is encrypted it might be exempt from state data breach notification laws.
- Address the penalties associated with a failure to comply with the law. Each state identifies the penalties associated with a failure to comply with the state’s breach notification laws.
Talk to a Data Breach Lawyer
Cybersecurity is as an area of law is constantly changing and evolving. Revision Legal has worked with a number of businesses in assessing data retention risks and providing legal counsel on data security breach notifications in all 50 states. If you have concerns about your exposure or have recently received a data breach notification, contact the experienced attorneys at Revision Legal straightaway. Civil fines are available in some states for a failure to expeditiously notify those affected by breaches. Contact Revision Legal’s internet lawyers using the form on this page or call us at 855-473-8474.
Image credit to Flickr user Jim Kaskade.