Know the Laws Governing Data Security Breaches in Your State
California was the first state to pass a data security breach law. Since then, 43 additional states, along with the District of Columbia, Puerto Rico and the Virgin Islands, have passed laws that require public disclosure of data security breaches.
Most states require businesses that own, lease or store personally identifiable information to notify every individual whose personal data is stolen or misused. In some cases, businesses must also contact the major credit reporting agencies, State Attorney General, and the news media.
Data breaches do not always have to be disclosed. Exceptions include the loss of encrypted data, and the judgment of law enforcement authorities that the breach is not likely to result in harm to the individuals. In addition, disclosure is not required if it would interfere with an ongoing investigation.
Because of the growing threat of identity theft, Congress is considering several laws that would regulate data security breaches from the federal level. As of this writing, however, data security is still regulated on a state-by-state basis.
If you store personally identifiable information, you need to be aware of your state's data security breach disclosure laws. To help with your research, the following pages contain links to current laws.
California
California led the charge on data breach and privacy laws, and the policies adopted by many other states are variations on the west coast theme. For that reason, I'll give them top billing.
The State of California has adopted four sets of laws to address privacy of medical information, credit reporting companies, state agencies, and businesses.
Like most of the states that followed suit, California law requires immediate disclosure of data breaches involving personal information. The State makes only two exceptions: encrypted data and publicly available government records. Unlike many states, California residents also have the right to take private action against companies that disclose their information.
New laws and summaries will be added in state-by-state order, so check back often to access the legislation for your specific state.
Alaska
Alaska's breach disclosure law requires immediate disclosure of data breaches. Like California, Alaska exempts publicly available government data. Disclosure may only be delayed if law enforcement determines that immediate action would interfere with their investigation. If an investigation determines that consumers are unlikely to suffer harm as a result of the data breach, then disclosure is not required.
Alaska's law also includes civil penalties of up to $500 for each state resident who was not notified of the breach.
You can access the full text of Alaska's breach disclosure law here.
Arizona
The Arizona breach disclosure law requires disclosure of data breaches without unreasonable delay. Arizona residents may be notified of breaches by phone. The law provides for civil and criminal penalties, but Arizona residents do not have the right of private legal action.
You can access the full text of Arizona's breach disclosure law here.
Arkansas
The Arkansas breach disclosure law requires immediate disclosure of data breaches. Arkansas exempts encrypted data. Disclosure may be delayed if law enforcement determines that immediate action would interfere with their investigation. If the entity concludes that consumers are unlikely to suffer harm as a result of the data breach, then disclosure is not required.
You can read the full text of the Arkansas law here.
Missouri
Missouri's breach disclosure law requires disclosure of data breaches without unreasonable delay. Encrypted data is exempted, although the law does not specify an encryption standard. Notification may be delayed if law enforcement believes the notification will impede a criminal investigation. Breaches involving over 1,000 consumers must also be reported to the attorney general's office and all national consumer reporting agencies. Only the attorney general has the authority to bring an action in Missouri; residents do not have the right to take private action. The Missouri breach notification law was passed as part of an omnibus bill. You can read the full text of the bill here.