This article by Alex Wall was originally published on the Compliance & Ethics Blog. Click here to view the original version of this article.
Privacy laws at the state and federal level are a changin’. The latest emerging data breach developments I’ve seen are: increasing stringency in state laws, varying penalties for noncompliance across state jurisdictions, and recent federal penalties. What these laws could mean for future enforcements can be angst-inducing.
With that in mind, I want to reiterate a few words of encouragement I have for privacy professionals ere working hard under strained resources in a constantly changing landscape: You are doing good and important work. In the privacy profession, we are charged with protecting our organizations and protecting consumers by determining best practices for protecting data, selecting what data can be used, and in what way we can use that data. This is no small task. When it comes to thinking about how data needs to be managed in rapidly evolving environments, privacy professionals are at the forefront.
Major Takeaway: Overall Increased Stringency and Complexity
As anyone in the privacy profession will likely opine, working with sensitive and regulated data does not appear to be getting any easier anytime soon. Consider:
- At a state level, data breach notification laws are becoming increasingly complex and stringent. More states are shoring up the parameters, which might require notifications to agencies and impacted individuals, including when and how these notifications take place.
- If you’re not compliant with state notification requirements, penalties for noncompliance in each state are similarly complex and vary widely. Some states may allow for several potential consequences and large maximum fines, while others may be more ambiguous in enforcement of penalties. Dealing with multi-jurisdictional data breaches could mean compounded penalties.
- Early January of 2017, the Office for Civil Rights (OCR) announced the first ever enforcement settlement for lack of a timely breach notification, and has issued similar enforcements in the weeks since. This enforcement should not be surprising because it aligns with the emphasis OCR placed on compliance with the Breach Notification Rules when they launched the Phase 2 audit program last year.
How State, Federal, Industry Specific, and International Breach Regulations Influence One Another
As multi-layered as state and federal data breach laws may feel, looking only at these two areas can miss a larger part of the picture–namely, the international and industry-specific regulations that may be top of mind for privacy professionals, depending on their organization.