Patchwork of state data breach notification laws makes compliance challenging for businesses operating in multiple states.
Southlake, TX (PRWEB) October 16, 2012
More than 232.4 million identities were exposed overall during 2011 according to Symantec’s Internet Security Threat Report, Volume 17. In response to alarming increases in data breaches, states continue to establish and amend their own breach notification laws, while data privacy and compliance professionals clamor for a single Federal data breach notification statute.
“Currently there is a patchwork of state data breach notification laws making it challenging for businesses operating in multiple states. We have just updated our State Data Breach Notification Law Chart to reflect recent state changes. It is available on our website as a convenient resource so companies can see at a glance each state’s reporting requirements,” said Robert J. Scott, Managing Partner of Texas-based intellectual property and technology law firm Scott & Scott, LLP.
As of September 2012, 46 states and the District of Columbia have enacted some version of consumer data breach notification requirements. This disparate environment makes compliance with these evolving and sometimes divergent state notification frameworks both technically and logistically challenging for organizations that find themselves cleaning up after a data breach.
Although there is some commonality among the state data breach laws, no single category of requirement is addressed in a standardized way across the states. Even the basic timing requirement for notification varies widely, from the “no more than 7 business days after investigation concludes” language in the Maine statute to the deliberately vague “without unreasonable delay” language used by a handful of other states. See Scott & Scott, LLP’s State Data Breach Notification Laws chart for a handy resource that highlights the differences between the various state laws.
A good, conservative approach when trying to comply with a multitude of statutory frameworks is to model the response on the most restrictive and onerous of the state laws. However, this approach is practical only in the most straightforward breach events. Instead, careful consideration must be given to the nature of the breach, the number of potentially affected individuals, and the states in which those individuals reside before deciding on any course of action with respect to notification under state breach laws.
A complimentary copy of Scott & Scott, LLP’s State Data Breach Notification Law pdf can be downloaded at: http://www.scottandscottllp.com/main/uploadedFiles/resources/Publications/state_data_breach_notification_law.pdf.
Scott & Scott is an intellectual property and technology law firm dedicated to helping senior executives assess and reduce the legal, financial, and regulatory risks associated with information technology issues. Taking an innovative approach to legal services, Scott & Scott believes that collaboration between legal and technology professionals is necessary to solve and defend against the complex problems our clients face, including privacy and network security, IT asset management, software license compliance, and IT transactions.