In this post, we’ll get a bit more granular, digging into three key trends we observed across 2020 data breach regulations. Despite some regulatory delays due to COVID, there was still plenty of activity from which to draw trends.
Trend #1: Notification to Attorneys General
Historically, attorneys general would begin an investigation of a consumer privacy breach based on an individual complaint. Regulations did not specify notification to the attorney general or, if notification was specified, the criteria varied across states and the timeline was generally ambiguous.
But this has shifted in the last few years, as consumer privacy issues have escalated, requiring that attorneys general keep a closer watch on the breaches happening in their respective states and even work together across state lines to better protect consumer privacy. With that, we’ve seen a trend towards requiring more timely breach notification to the attorney general, with notification obligations increasing in specificity, frequently based on the number of affected individuals in that state and/or specific notification timelines.
2020 saw a continuation in this trend. Four more states joined the almost 30 others that now have a specific requirement to notify the attorney general, including:
- Illinois (>500 individuals)
- Washington D.C. (≥50 individuals)
- Texas (60 days, ≥250 individuals)
- Washington (45→30 days)
Greater specificity means more awareness and vigilance towards consumer protection. And while this is a good thing, for organizations with operations in multiple states, it means an added layer of complexity and risk of non-compliance when it comes to breach response. Nuances in each state’s laws must be taken into account when determining whether an incident qualifies as a breach in each relevant jurisdiction and, if it does, which notification requirements apply there.
What does this trend mean for privacy professionals, and what can they do to manage?
- Plan for additional notifications in your incident response operations
- The contact information and process for notifying an attorney general can sometimes be difficult to identify; have this information on hand ahead of time
- Identify contacts on your team (or outside) who have good relationships with the attorneys general in the states where you operate, so they can be by your side in a crisis
- Stay up to date on recent attorney general judgments in states relevant to your business, as they are a great source of information for understanding your regulators’ expectations
- Keep good records, both before and during an incident, because it’s going to be critical to demonstrate compliance to the attorney general and to show that you were engaging in reasonable security measures
Trend #2: Specified Timeline for Notification to Individuals
Specificity isn’t just reserved for notifications to the attorney general. Similarly, U.S. states are continuing to add specific timelines to their data breach statutes concerning individual notifications, moving away from the previous, ambiguous timeline of “most expeditious.” We’ve been watching this one for a few years, and expect it will persist. This year, two states introduced specific notification timelines:
- Texas (“as soon as possible”→60 days)
- Washington (45→30 days)
Remember that it’s not just breach regulations at play here – timelines to notify business partners as defined in contractual data protection obligations are often as tight as 24 hours.
So how feasible is it for organizations to meet these deadlines?
Our annual report on Benchmarking Privacy Incidents provides unique privacy incident benchmarking data based on an analysis of thousands of incidents, giving us a glimpse into actual notification timelines.
We can see in the report that across industries the median incident response timeline, including discovery, investigation, risk assessment, and first notification decision, is 21.9 days, with variance across the financial, insurance, and healthcare sectors. Keep in mind that the anonymized data included in the privacy incident benchmark report represents organizations leveraging incident response automation best practices, including an automated risk assessment to efficiently determine notification obligations.
What does this trend mean for privacy professionals, and what can they do to manage?
- It’s important to have an automated and streamlined way to determine your notification obligations, particularly given that notification requirements to individuals differ across jurisdictions
- Put in place a single source of truth that the incident response team (privacy, security, compliance, and legal) can use to see all of the facts in one place
- Draft a company policy around voluntary notifications
- Analyze your average incident response timeline, so that you have a current benchmark and can gauge how you will fare as regulatory and contractual notification timelines continue to tighten
Trend #3: Expanded Definition of Personal Information
As Deborah said during our webinar:
“This is a trend that’s going to be a trend forever.”
As companies find innovative ways to attract and serve their customers and technology evolves, new types of personal information, or combinations of data not previously considered sensitive, have the potential to become personal information (PI).
Laws like GDPR and CCPA boosted the development of this trend. Once again, California took center stage this year with CPRA and its introduction of a category of “sensitive personal information,” similar to that of the GDPR. But this wasn’t just California’s year. Four additional U.S. jurisdictions expanded their definition of personal information in 2020 as well, including Oregon, Vermont, Washington, and Washington D.C.
Remember back in the olden days, when the historical definition of “personal information” was, for example, name in combination with Social Security Number, driver’s license or state ID card number, and financial account number with access code or password? Fast forward to today, and the scope of PI has expanded significantly. A short list of data elements added to definitions of PI in 2020:
- Biometric data
- Full date of birth
- Genetic information
- Health insurance information
- Medical information
- Military identification number
- Online account credentials
- Passport number
- Private key that is unique to an individual and that is used to authenticate or sign an electronic record
- Student identification number
- Taxpayer identification number
- Any unique identification number issued on a government document commonly used to verify the identity of a specific individual
Biometric data is particularly interesting and, in many ways, controversial. There are six states (some listed above) that now have their own biometric statutes or have expanded existing laws to include biometric identifiers: Illinois, Texas, Washington, California, New York and Arkansas. Illinois is of note, as it gives a private right of action and requires individual consent before collecting or disclosing biometric identifiers.
What does this trend mean for privacy professionals, and what can they do to manage?
- There is a potential increase in the volume of incidents requiring assessment, given the broader scope of personal information
- It is essential to know what data you’re collecting, where it lives, and the level of sensitivity for that data
- Quickly risk assess your incidents with an automated system to save yourself from thumbing through different states’ definitions of PI and researching notification obligations.
- Leverage a system that manages your contractual obligations. You’re going to be looking at what other third-party data you have in your possession that may carry its own whole set of reporting obligations, which tend to be stringent (24 hours in many cases). Automation is key.
4 Key Ways to Stay on Top of Breach Laws in the New Year
Across all of this complexity, here are a few key ways that you can create efficiency in your processes in the new year while ensuring compliance with ever-changing regulations.
- Stay on top of any movement in proposed legislation with this free, global breach law library that includes laws in effect as well as a regulatory watchlist of pending and recently passed legislation; analyze the possible impact of these laws to your organization.
- Connect with state agencies to confirm analysis of select provisions in a bill.
- Confirm details such as state agency contact information in the event a breach notification is advised.
- Automate your risk assessment and incident response process, so that your team can continue to address the myriad responsibilities under its purview in parallel with analyzing incidents and doing due diligence in the case of a breach.
And speaking of the new year, it doesn’t take a fortune teller to foresee that many of the trends we covered in this post will persist into 2021. Legislative progress as well as new privacy and security paradigms will likely be impacted once again by the lingering implications of the COVID-19 pandemic.
Check out a recent Q&A that we hosted on this topic, featuring Alex Reynolds, Counsel at Davis Wright Tremaine, in conjunction with The Privacy Collective. We’ll also cover the highlights from that session in a future post focused on 2021 regulatory predictions.