In the world of eCommerce, with its reliance on customer data, including sensitive and personal information, it’s critical that businesses protect this data from theft, corruption, and loss. However, with the many facets of data breach compliance today, it can be hard for merchants to keep on top of things.
Even though most data breach statutes and their updates share similar components at a global level, there are still important local differences to take into account, which means that a one-size-fits-all compliance approach will not be enough.
Businesses must make it a priority to monitor these changes carefully, from institutions in the US and LATAM to those in Europe and APAC.
In this article, we’re going to explore what US businesses need to know about data breach notification laws.
States across the US have made significant updates to their regulations over the past 15 years, and the requirements vary from state to state.
Since these requirements exist to enhance the privacy rights and protection of your customers, it’s important to keep abreast of changes in order to protect your bottom line. To make it easier, we’ve put together a summary of some of the most recent updates.
In the U.S. today, every state has a breach notification law, and about half of the states also have data security laws; that is roughly twice as many regulations as in 2005.
Some of these data security updates include:
- The definition of information categorized as “personal” has been expanded, and now includes online account credentials, biometric data, government identifiers, and medical and insurance information.
- Merchants must notify within a deadline window, and state laws impose different deadlines, typically measured from the discovery of the breach rather than from the intrusion itself. Washington requires notification within 30 days of discovery, while in Connecticut a report must be made without unreasonable delay and no later than 90 days after the discovery of a breach. Because the clock starts at discovery, merchants should record the discovery date as part of their incident response process.
- Regulators have doubled the number of content requirements for notifications since 2015, and today increasingly detailed and individualized content is required. Additionally, regulators now publish the notices they receive.
- Furthermore, regulators have tweaked the details by specifying notice contents and wording, narrowing exemptions, adding state-specific and other unique requirements, and adjusting the definition of “breach.”
- Despite all of these expanded requirements, very few breaches currently end up being litigated: there have been only 100 to 200 federal cases against a few dozen defendants per year, and none has gone to trial or been certified as a class action.
Regulations related to data protection vary from state to state, so it’s easy to see how this lack of uniformity is a challenge for merchants. Each state is entitled to choose its own path and regulatory procedures. Therefore, even though notification in case of a breach is mandatory in all states, the notification process can get very complicated.
In California, for example, the California Consumer Privacy Act requires businesses to implement and maintain reasonable security procedures and practices to protect personal information from unauthorized access, destruction, use, modification, or disclosure.
In Alabama, only merchants who discover a data breach affecting more than 1,000 individuals must notify Alabama’s Attorney General.
In New Hampshire, a security breach is defined as “an unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information,” while “good faith acquisition of personal information . . . shall not be considered a security breach” provided that the personal information is not used or subject to further unauthorized disclosure. New Hampshire also defines personal information quite narrowly: “an individual’s first name or first initial and last name in combination with . . . social security number, driver’s license number or other government identification number;” or an account, credit, or debit card number in combination with any required security code, access code, or password that would allow access to the account, when these data elements are not encrypted.
Merchants can do a deep dive into each state’s regulations and requirements by visiting the state government websites, but it’s clear that there are significant challenges in meeting today’s legal requirements regarding data breaches.
Because so many factors vary by state, including the notification process, enforcement, the factors taken into consideration, the number of people affected, and the nature and gravity of the breach, staying up to date with all of these regulations is both difficult and absolutely necessary.
If you are also interested in learning what EU businesses need to know about data breach regulations, make sure to read this article next.