Breach Notification Regulatory Trends from 2018
2018 was all about change, especially in the breach notification realm. The tightening of existing regulations and the addition of new ones have created a seismic shift toward greater complexity and stringency. Compliance has never been more critical—and never more difficult.
This article is the first in a series discussing the regulatory trends over the past year, and what they mean for privacy professionals who must continually adjust what compliance looks like under state, federal, and international laws.
Keeping up with these constantly changing regulations requires a privacy team to:
- Monitor any activity in proposed legislation
- Research and analyze the potential impact of proposed and recently passed legislation
- Reach out to regulators as needed to validate requirements
- Confirm details such as regulator contact information for breach notification submissions
An elevated view of the current regulatory landscape
Privacy professionals face a tsunami of personal data breach notification and recordkeeping requirements at all levels—U.S. state and federal laws, international data protection laws, and industry regulations. Add in contractual obligations to business partners, vendors, processors and controllers, and an intricate mosaic of overlapping regulations emerges.
Not only that, these laws are constantly changing. Following Alabama’s passage of the Data Breach Notification Act of 2018, all 50 states in the U.S. now have their own unique data breach notification law. With 50 general breach notification statutes now in play, legislative activity has reached a new high. In 2018 alone:
- 11 bills impacting breach notification obligations went into effect.
- There were 40+ active bills on our regulatory watchlist that had the potential to impact breach notification obligations.
There is also an ongoing conversation about a U.S. federal data breach notification law. Globally, the EU General Data Protection Regulation (GDPR) went into force on May 25th, and mandatory data breach notification and recordkeeping requirements under PIPEDA in Canada went into effect on November 1st.
As we analyzed this legislative activity in 2018, we identified a number of continuing trends. Keep in mind that the overarching trend is toward increasing stringency and growing complexity in breach notification obligations.
Trend 1: The expanding scope of personal information
While the definition of personal information has been steadily expanding in the U.S., the expansion is typically the addition of specified data elements, either alone or in combination with other data. Internationally, we see quite a different approach. Under the GDPR in the EU and PIPEDA in Canada, personal information is defined as any information in any form relating to an identifiable individual.
Trend 2: Increasing specificity in notification timelines
Historically, state breach notification laws in the U.S. have been somewhat vague. Instead of specifying timelines during which individuals must be notified of a breach of personal information following discovery, they use language such as “in the most expeditious time possible without unreasonable delay.” In recent years, we’ve seen numerous states replace this ambiguous language with a specific outside limit by which time an individual must be notified following discovery of a breach. In 2018 alone, we saw eight states change their notification timelines to a specified number of days.
Trend 3: Specifying notification contents
Requirements around notification content have become more specific over the years. In 2018, four states added this specificity to their general breach notification statute: Alabama, Arizona, Colorado, and Delaware.
Trend 4: Requiring notification to the state attorney general
The offices of state attorneys general help consumers deal with the repercussions of a data breach, investigate data security lapses, and enforce data breach notification laws. Keeping abreast of data breaches is critical to performing this work. Thus it’s no surprise that in 2018, we saw several states add a requirement to notify the attorney general in the event of a breach.
With all the movement in state and federal data breach notification regulations, navigating the data breach law landscape means staying on top of pending and recently passed legislation. Achieving compliance with these ever-changing regulations will be one of privacy’s biggest challenges in 2019 and beyond.
Stay tuned for the next post in this series, in which we discuss the first trend: the expanding scope of personal information. In the meantime, you can learn more by downloading the free ebook: Changing Data Breach Notification Laws: Regulatory Trends.