Data breach notification laws require companies to implement formal data breach notification policies that cover the procedures for incident reporting and external breach notification. At the time of writing, every U.S. state except four (Alabama, Kentucky, New Mexico and South Dakota) has passed a breach notification law, following the lead of California's landmark breach disclosure law, which took effect in 2003. Breach notification laws require companies to notify affected individuals about security breaches that involve their personal information.
Of course, with all the lobbying that goes on when a new law is drafted and passed, there are variations among the laws of the various states, with prompt disclosure of a data breach to affected individuals being the common thread. Some states permit a private right of action against the company and some do not. States also vary in the penalties they impose on companies that fail to disclose a data breach within the stipulated time. A point worth noting is that some tough state laws, such as California's, do not exempt any breach of covered personal information from the notification requirement, while others distinguish between material and immaterial breaches (for example, by exempting a breach that is unlikely to cause harm to the affected individuals).
At the federal level, data breach notification requirements appear in enacted statutes and regulations such as the Privacy Act, the Federal Information Security Management Act, the Veterans Affairs Information Security Act, the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act, and in proposed federal bills such as the Data Accountability and Trust Act, the Data Breach Notification Act and the Personal Data Privacy and Security Act of 2009, none of which has been enacted.
Since no single federal or state law governs the security of all types of confidential personal information, companies that handle individuals' personal information must determine which state and federal laws and regulations apply to them and take care to adhere to each of them. Note that state breach notification laws generally apply based on where the affected individuals reside, not where the company is located, so a single breach can trigger the notification requirements of many states at once.