[BreachExchange] Data Breach Notification Laws Around the World Are Finally Starting to Tighten

Destry Winant destry at riskbasedsecurity.com
Fri Nov 9 09:25:13 EST 2018


https://www.cpomagazine.com/2018/11/05/data-breach-notification-laws-around-the-world-are-finally-starting-to-tighten/

With so many examples of high-profile data breaches in the news, it’s
perhaps no surprise that U.S. states are taking increasingly
aggressive steps to tighten up their data breach notification laws.
Since June 1, eight U.S. states have either amended or enacted tougher
new data breach notification laws. Across the United States, there
seems to be growing acceptance of the idea that more steps need to be
taken to protect personal information from falling into the wrong
hands.

US states beefing up their data breach notification laws

The good news is that, in America, all 50 states (plus the District of
Columbia, Guam, Puerto Rico and the Virgin Islands) now have enacted
legislation requiring both private and governmental entities to notify
individuals of security breaches involving personally identifiable
information.

However, there is still no consensus on what “timely” really means in
the context of a data breach. For some states, “timely” is 30 days,
while for other states, it is 45 days or 60 days. And even when it
comes to “personally identifiable information,” there is not yet
consensus on what this term even means. For some states, it means the
combination of a name and a Social Security Number; for other states,
it can refer to driver’s license information or health insurance
information.

Particularly noteworthy is the fact that, rather than going after
hackers, amendments to existing data breach notification laws are
focusing on the responsibilities of the actual entities affected by
data breaches. The amended state laws are placing more responsibility
on them to contact customers in a timely manner after a breach has
been discovered, and to widen the scope of what constitutes a “data
breach.”

For example, an amended data breach notification law in Arizona
expanded the meaning of “personal information” and required all
victims of data security breaches to notify affected parties within 45
days. Previously, private corporations could have avoided reporting
data breaches of sensitive information by hiding behind the narrow
definition of “personal information.” An expanded definition is much
more stringent, and requires corporations to be much more vigilant, or
else they risk the oversight of the state attorney general.

In another example, Vermont has extended the scope of its data breach
notification laws to include “data brokers,” which are defined as
entities that sell or license data to third parties. And on September
1, Colorado enacted some of the most rigorous data breach notification
laws yet. Colorado legislators broadened the definition of “personally
identifiable information” and imposed a strict 30-day security breach
notification deadline for reporting affected parties of a data breach.

Why timely notification of data breaches is important

But is even 30 days too long to report a data breach? Just think of
what could happen in those 30 days – a criminal hacker could use
personal information as part of an identity theft scheme. Or a hacker
could use that personal information to open new credit cards in your
name, or to drain your existing bank account. In fact, the range of
negative outcomes is only limited by the scope of your imagination. In
a best-case example, hackers might just sell off your data to some
third-party advertiser, who will then try to show you targeted ads
based on what it knows about your age, gender, and income. In a
worst-case scenario, you might spend years trying to undo all the
financial chaos that hackers have set into motion.

The European GDPR is still the gold standard for data breach notification

With that as context, it’s understandable why many people consider
even 30 days to be too long of a window to report a data breach. The
gold standard for data breach notification is the European General
Data Protection Regulation (GDPR), which went into effect in May.
According to the terms of the GDPR, the data breach notification
window is just 72 hours. Failure to report a data breach within that
time frame could result in a total fine of 10 million Euros, or up to
2% of a company’s total global turnover.

Moreover, the GDPR goes well beyond just forcing disclosure of a
breach. It also mandates what must be included as part of that
disclosure. For example, according to the GDPR, any notification must
include the following: a description of the breach; a summary of the
number of individuals and data records affected; the name and contact
information for a dedicated staff member who can handle inquiries on
the matter; a summary of the likely consequences of the breach; and a
listing of the active measures being put into place to mitigate any
adverse effects of the breach.

In many ways, the 72-hour rule is just plain old common sense. If your
home were burglarized, would you want to wait 60 days to file a report
with the police and set into motion ways to get your personal
possessions back? If you were mugged on the street and robbed in
daylight, would you wait 45 days to tell people about it? No, you’d
report the robbery immediately.

And that’s why the European GDPR is really so influential – it’s
starting to cause a real debate over what steps entities should take
to protect data privacy and personal information. Your personal
privacy and personally identifiable information obviously has a value
attached to it, or why else would hackers spend so much time to steal
this information? In short, data breach notification statutes are no
longer theoretical – they are now very much the topic of conversation
in state legislatures and federal government agencies.

Private corporations still lagging

The problem, quite simply, is that corporations have very little
incentive to report cyber breaches unless they obviously have to. For
example, Hong Kong-based mega-airline Cathay Pacific recently
disclosed a massive data breach affecting up to 9.4 million passenger
records. Within those records was information such as names, dates of
birth, passport information, numbers of expired credit cards, and
travel history. Yet, Cathay Pacific didn’t report a data breach that
occurred in March – six months ago! – until October.

That data breach incident, perhaps not surprisingly, has led to public
outcry over the “outdated” state of Hong Kong’s privacy laws, which
don’t mandate disclosure of these data breaches. In fact, Hong Kong’s
privacy laws have been amended only once, way back in 2010. Needless
to say, they do not include rigorous data breach notification
requirements.

Next steps

Now that we’ve had six months to ponder the implications and
consequences of the European GDPR, it looks like many of the initial
concerns of the GDPR – that it would stifle innovation and slow
economic growth – might have been overblown. If anything, the momentum
around tougher data breach notification laws appears to be growing.
Europe was the first domino to fall, and now it looks like the United
States will be next.

In fact, so many U.S. states are lining up to pass their own versions
of stricter data breach notification laws that it might only be a
matter of time before the United States finally adopts a far-reaching
federal privacy law. When that happens, nations around the world will
likely have no other option but to adopt similar laws of their own.
