Complex Data Breach Notification Requirements
Blog summary [4-minute read]
- Summary of new breach notification regulations passed in January 2021
- Takeaways from new regulations, including notification timelines, notification obligations, and expanded definition of personal information
- IAPP Knowledge Net experts leveraging insights from 2020 into predictions for 2021
Read more below.
Time is of the essence
When a privacy incident occurs, organizations may have only hours to respond and risk assess the incident against a complex framework of compliance notification laws. To ensure a timely response in compliance with global breach notification laws requires a specific understanding of jurisdictional obligations and notification regulations.
However, over the past few years, data privacy laws – especially those with a breach notification component – have grown more stringent, specific, and numerous than ever before, requiring increasingly rigorous risk assessments for privacy incidents.
Often the primary barrier to efficient incident resolution occurs while delineating these regulations as they quickly evolve and often conflict, creating a complex landscape that challenges privacy incident response teams to stay ahead of breach notification obligations.
To prepare your organization for upcoming legislation, let’s review the latest regulations introduced in the United States to help find your footing for what’s to come in 2021.
New Regulations Introduced in 2021
Already in 2021, new data privacy regulations have been introduced in the U.S. What general trends we’re able to ascertain from these new regulations are pretty straightforward per our previous projections.
Bearing immediate attention to organizations that manage privacy data incidents, changes to notification timelines and additional notification requirements to attorneys general from Missouri, New Jersey, and Maryland have an immediate impact.
- Affected individuals: notification timeline changing from ambiguous to specific
- Missouri SB 222; specifies a 14-day timeline
- New Jersey S 1125; specifies a 5 business day timeline
- Attorney general: adding a notification or adding requirements to the existing notification
- Maryland SB 112; Specifies the contents to be included in a breach notification to the Attorney General
- Personal information: expanding the definition
- Maryland SB 112; expands the definition of personal information to include genetic information
Additionally, there are several changes in Maryland SB 112 that could be useful to keep an eye on to understand trends in regulation. These include:
- Changes the beginning of the 45-day timeline for notification to start when an entity discovers or is notified of a breach of security of a system.
- Changes the timeline regarding notification of breaches of personal information that the business does not own or license from 45 days to 10 days.
- Updates the methods of notification to the public regarding a breach.
- Specifies the contents to be included in a breach notification to the Attorney General.
Interestingly, this single bit of legislation includes several dimensions of the trends affecting the greater privacy landscape such as expanding the definition of personal information, attorney general breach notification requirements, and notification timelines. Organizations that fail to account for the complexity of new legislation may find it difficult to keep up with the changing tide.
Of course, the best educator is history.
What Changed in 2020
To get answers, we invited experts from the privacy, legal, and information to speak on the “Trends in Evolving Data Breach Regulations: The Year in Review (2020).” The event featured David Cohen CIPP/US, CIPP/E, Knowledge Manager IAPP, Deborah Rimmler, Counsel Dentons, and Mamood Sher-Jan, CEO, Founder RadarFirst.
What’s in the video:
- Summary of domestic and international breach laws passed in 2020
- Tips to operationalize changes in breach notification laws to ensure compliance
- Breakdown of specific breach notification timelines
- Predictions for the future of data regulation and breach notification
- How to stay informed and access up-to-date regulation records
Many organizations have found that consistency and efficiency are key to reducing breach risk and becoming compliant. To identify and improve efficiency gaps in your incident response process, download our latest whitepaper: 3 Challenges to Efficiency in Privacy Incident Response.
Topics: Breach Notification Laws