Data breach notification laws
Security breach notification laws or data breach notification laws are laws that require individuals or entities affected by a data breach, unauthorized access to data, to notify their customers and other parties about the breach, as well as take specific steps to remedy the situation based on state legislature.
Such laws have been irregularly enacted in all 50 U.S. states since 2002. Currently, all 50 states have enacted forms of data breach notification laws. There is no federal data breach notification law, despite previous legislative attempts. These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information. Similarly, multiple other countries, like the European Union General Data Protection Regulation and Australia's Privacy Amendment Act 2017, have added breach disclosure or data breach notification laws to combat the increasing occurrences of data breaches.
The rise in data breaches conducted by both countries and individuals is evident and alarming, as the number of reported data breaches has increased from 421 in 2011, to 1,091 in 2016, and 1,579 in 2017 according to the Identity Theft Resource Center. It has also impacted millions of people and gained increasing public awareness due to large data breaches such as the October 2017 Equifax breach that exposed almost 146 million individual's personal information.
Objectives
Data breach notification laws have two main goals. The first goal is to allow individuals a chance to mitigate risks against data breaches. The second goal is to provide companies with an incentive to strengthen data security. Together, these goals work to minimize consumer harm from data breaches, including impersonation, fraud, and identity theft.Australia
Australia's Privacy Amendment Act 2017 came into effect in 2018. This amended the Privacy Act 1988, which had established a notification system for data breaches involving personal information that lead to harm. Now, entities with existing personal information security obligations under the Australian Privacy Act are required to notify the Office of the Australian Information Commissioner and affected individuals of all "eligible data breaches". The amendment is coming off large data breaches experiences in Australia, such as the Yahoo hack in 2013 involving thousands of government officials and the data breach of NGO Australian Red Cross releasing 550,000 blood donor's personal information.Criticism of the data breach notification include: the unjustified exemption of certain entities such as small businesses and the Privacy Commissioner not required to post data breaches in one permanent place to be used as data for future research. In addition, notification obligations are not consistent at a state level.
China
In mid-2017, China adopted a new Cyber security Law, which included data breach notification requirements.European Union
In 1995, the EU passed the Data Protection Directive, which has recently been replaced with the 2016 General Data Protection Regulation, a comprehensive federal data breach notification law. The GDPR offers stronger data protection laws, broader data breach notification laws, and new factors such as the right to data portability. However, certain areas of the data breach notification laws are supplemented by other data security laws.Examples of this include, the European Union implemented a breach notification law in the Directive on Privacy and Electronic Communications in 2009, specific to personal data held by telecoms and Internet service providers. This law contains some of the notification obligations for data breaches.
The traffic data of the subscribers, who use voice and data via a network company, is saved from the company only for operational reasons. However, the traffic data must be deleted when they aren’t necessary anymore, in order to avoid the breaches. However, the traffic data is necessary for the creation and treatment of subscriber billing. The use of these data is available only up to the end of the period that the bill can be repaid based on the law of European Union. Regarding the marketing usage of the traffic data for the sale of additional chargeable services, they can be used from the company only if the subscriber gives his/her consent. Also, the service provider must inform the subscriber or user of the types of traffic data which are processed and of the duration of that based on the above assumptions. Processing of traffic data, in accordance with the above details, must be restricted to persons acting under the authority of providers of the public communications networks and publicly available electronic communications services handling billing or traffic management, customer enquiries, fraud detection, marketing electronic communications services or providing a value added service, and must be restricted to what is necessary for the purposes of such activities.
Data breach notification obligations are included in the new Directive on security of network and information systems. This creates notification requirements on essential services and digital service providers. Among these include immediately notifying the authorities or computer security incident response teams if they experience a significant data breach.
Similar to US concerns for a state-by-state approach creating increased costs and difficulty complying with all the state laws, the EU's various breach notification requirements in different laws creates concern.
Japan
In 2015, Japan amended the Act on the Protection of Personal Information to combat massive data leaks. Specifically, the massive Benesse Corporation data leak in 2014 where nearly 29 million pieces of private customer information was leaked and sold. This includes new penal sanctions on illegal transaction, however, there is no specific provision dealing with data breach notification in the APPI. Instead, the Policies Concerning the Protection of Personal Information, in accordance with the APPI, creates a policy that encourages business operators to disclose data breaches voluntarily.Kaori Ishii and Taro Komukai have theorized that the Japanese culture offers a potential explanation for why there is no specific data breach notification law to encourage companies to strengthen data security. The Japanese general public and mass media, in particularly, condemn leaks. Consequently, data leaks quickly result in losing customer trust, brand value, and ultimately profits. An example of this include, after a 2004 data leak, Softbank swiftly lost 107 billion yen and Benesse Corporation lost 940,000 customers after the data leak. This has resulted in compliance with disclosing data leaks in accordance with the policy.
While proving the Japanese culture makes specific data breach notification laws necessary is difficult to objectively prove, what has been shown is that companies that experience data breach do experience both financial and reputation harm.
New Zealand
New Zealand's Privacy Act 2020 came into force on December 1, 2020, replacing the Privacy Act 1993. Part 6 of the act makes notification of privacy breaches mandatory. Organisations receiving and collecting data will now have to report any privacy breach they believe has caused, or is likely to cause, serious harm.United States
Data breach notification laws have been enacted in all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands. As of August 2021, attempts to pass a federal data breach notification law have been unsuccessful.State laws
The first such law, the California data security breach notification law, was enacted in 2002 and became effective on July 1, 2003. The bill was enacted in reaction to the fear of identity theft and fraud. As related in the bill statement, law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition, the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach of the security of the data.In general, most state laws follow the basic tenets of California's original law: Companies must immediately disclose a data breach to customers, usually in writing. California has since broadened its law to include compromised medical and health insurance information. Where bills differ most is at what level the breach must be reported to the state Attorney General. Some states like California publish these data breach notifications on their oag.gov websites. Breaches must be reported if "sensitive personally identifying information
has been acquired or is reasonably believed to have been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to the individuals to whom the information relates." This leaves room for some interpretation ; but breaches of encrypted data need not be reported. Nor must it be reported if data has been obtained or viewed by unauthorized individuals as long as there is no reason to believe they will use the data in harmful ways.
The National Conference of State Legislatures maintains a list of enacted and proposed security breach notification laws. Alabama and South Dakota enacted their data breach notification laws in 2018, making them the final states to do so.
Some of the state differences in data breach notification laws include thresholds of harm suffered from data breaches, the need to notify certain law enforcement or consumer credit agencies, broader definitions of personal information, and differences in penalties for non-compliance.