Conducting business in our current technological landscape mandates that organization leaders know how to disclose a data breach to affected parties in a timely and accurate fashion. While the reputational damage associated with such a disclosure can be a bitter pill to swallow, covering things up or delaying the announcement could be more harmful, especially because laws around the country and the world are tightening to ensure that companies are quick and clear with their breach notifications.
Organizational leaders in the U.S. are thinking globally at the moment, with many preparing to honor the European Union breach disclosure rules attached to the General Data Protection Regulation, but there are relevant laws already in place closer to home as well. Individual states have their own policies on disclosures and on the preventive steps required to protect personally identifiable information, binding on companies that operate within their borders.
Every state except two
While the actual data protection and disclosure laws differ in each U.S. state, almost every state has such a law. Only two states don't have rules specifically requiring data breach notification: South Dakota and Alabama. These two hold-outs, however, may soon change their respective policies.
Alabama's attorney general, Steve Marshall, submitted a bill, based on similar laws in other states, to the Alabama Legislature that would create a system of mandatory notifications in the case of a data breach. In his own AL.com article, Marshall said that the proposed rule would require disclosure of a breach to the affected consumers after a "reasonable time." When more than 1,000 people have been affected, businesses must then reach out to the attorney general's office.
As for South Dakota, the state may be even closer than Alabama to making its data breach rules official. According to Data Protection Report, a bill passed by the state judiciary committee requires disclosure of lost personal data unless the attorney general says the breach is unlikely to cause harm. The time limit on the disclosure period is 60 days following the discovery of a problem, extended only if members of law enforcement need the problem kept under wraps to continue their own investigations.
Tightening Colorado's rules
Colorado, a state with an existing set of data breach disclosure rules, plans to strengthen its own procedures. A new bill on the table is receiving a bipartisan push and would limit the notification window in the state to 45 days from the date of the breach. As with Alabama, the Colorado bill would require alerting the attorney general to large breaches, but the threshold is lower: only 500 affected people, should the bill pass as is. The proposed law also calls for the secure disposal of data that isn't necessary, and companies must set down their data destruction policies in writing.
A varied patchwork
Despite baseline similarities between states, the data protection rules adopted by various states do contain notable differences. The authors noted that Utah's disclosure laws contain provisions that allow businesses to withhold disclosing a breach if an investigation reveals the leaked data can't be used to harm the individuals involved, or if the information is encrypted or unreadable. Other states have different definitions of what counts as personal data. New Mexico, for instance, counts biometric information as personal information, but others don't.
It's recommended that when a breach happens, the breached company investigate its particular liabilities and consult with a lawyer to determine what it must do to comply with the nuances of its state's laws regarding disclosure.
Being prepared to cope with a potential breach is an important step for any modern company to take. Stay up to date with breach law and learn how to create a state of Breach Readiness in your company to prepare courses of action if a breach occurs with Identity Guard Business Solutions. Contact us for more information today.