Quirky Question #240, Breach Notification Laws
Our company has employees and operations in multiple states, and I’m concerned about complying with data breach laws in the various locales. What’s the status of the law on data breach notification?
Answer: By Melissa Krasnow
As data breaches continue to occur, breach notification laws are being amended or enacted. In the United States, state and federal breach notification laws should be monitored carefully for changes, as should breach notification laws in other countries (e.g., Canada).
As of July 15, 2014, 47 states (all but Alabama, New Mexico, and South Dakota) plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have breach notification laws. This article addresses changes in state breach notification laws.
State Attorney General or Regulator Breach Notification
All state breach notification laws require notification of the affected individuals. One of the changes in these laws is that a growing number also require a company to notify a state attorney general or regulator of the breach.
Eighteen state breach notification laws—California, Connecticut, Florida, Hawaii, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, South Carolina, Vermont, and Virginia, plus the Puerto Rico breach notification law—require notification of a breach to a state attorney general or regulator in addition to notifying the affected individuals.
The amendment to the Iowa breach notification law and the repeal and enactment of the Florida breach notification law each became effective July 1, 2014. The Florida and Iowa laws require notification to a state attorney general or regulator, in addition to the affected individuals, where the breach affects 500 or more individuals in Florida or more than 500 Iowa residents, respectively.
The California, Hawaii, Missouri, and South Carolina breach notification laws also require notification to a state attorney general or regulator, in addition to the affected individuals, where the breach affects (1) more than 500 California residents; (2) more than 1,000 individuals in Hawaii; (3) more than 1,000 consumers in Missouri; or (4) more than 1,000 South Carolina residents, respectively.
The Connecticut, Indiana, Louisiana, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, Vermont, and Virginia breach notification laws, plus the Puerto Rico breach notification law, require notification of a breach to a state attorney general or regulator regardless of the number of affected individuals.
Notification for Electronic and Paper Breaches
State breach notification laws cover breaches involving personal information in electronic format. The Iowa breach notification law was also amended to cover breaches involving personal information in paper format. Seven state breach notification laws—Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, and Wisconsin—cover breaches involving personal information in both electronic and paper formats. Interestingly, these state breach notification laws (other than the Alaska and Wisconsin laws) also require notification to a state attorney general or regulator in addition to notifying the affected individuals.
Kentucky Breach Notification Law
Kentucky enacted a breach notification law that became effective July 15, 2014. Kentucky also enacted unique provisions regarding cloud computing service providers (other than kindergarten to grade 12 educational institutions themselves) that provide kindergarten to grade 12 educational institutions with account-based access to online computing resources. This law prohibits a cloud computing service provider from processing student data (1) for any purpose other than providing, improving, or maintaining the integrity of the cloud computing services without express permission from the student’s parent, except for assisting an educational institution in conducting educational research as permitted by the Family Educational Rights and Privacy Act of 1974; and (2) for advertising or for selling, disclosing, or otherwise processing student data for any commercial purpose. This law also requires a cloud computing service provider that enters into an agreement to provide cloud computing services to a kindergarten to grade 12 educational institution to certify in writing that it will comply with the obligations in the immediately preceding sentence.
This answer was first published as an article on IRMI.com and is reproduced with permission. Copyright 2014, International Risk Management Institute, Inc.