Regulatory Watch List: Breach Notification Timelines in Proposed State Legislation
Working with privacy and compliance professionals, one of the challenges we often hear about is how difficult it can be to keep up with ever-changing breach notification regulations. Think of it this way: in the US alone there are 48 separate state breach notification laws (along with Washington, D.C. and three territories), each with their own unique definitions, breach notification triggers, and compliance requirements.
At any given time, some of these laws will be the subject of proposed legislation that would impact notification obligations. In January of this year alone, we saw the introduction of five bills that would amend or create state breach notification law. North Carolina even pre-emptively announced proposed changes to their breach statute, with legislation expected to be introduced in May. This changing landscape creates an extremely complicated environment for organizations that need to quickly assess a privacy incident to determine if it requires notification, to whom, how, and by when.
One theme that emerges when reading through proposed legislation is an increased specificity in notification timelines – a trend we first identified in 2016 and have seen persist ever since.
State Breach Notification Timelines: Increasing Specificity
As we’ve seen in the media coverage of recent large data breaches at Equifax and Uber, the issue of timing is of interest to a wider audience than regulators, extending to the media and by proxy the general public. When did the incident occur? How long did it take to determine if it was a data breach? How long did it take to notify regulators and the public?
In the last few years, states have enacted legislation that increases the specificity of notification timelines, setting an outside limit for when individuals must be notified by. This legislation generally replaces more ambiguous language, typically “in the most expeditious time possible without unreasonable delay.” Last year we saw timeline specified in the enactment of privacy legislation in Maryland, New Mexico, and New York.
Following along with that trend, each of the bills below, all introduced in January, would impact data breach notification timelines for affected individuals:
- Colorado HB 1128 (Jan 01, 2018) changes timeline to no later than 45 days (Update: the final version of this bill reflects a 30-day notification timeline)
- Iowa HSB 526 (Jan 16, 2018) changes timeline to no later than 45 days
- Oregon HB 4147 (Jan 22, 2018) changes timeline to no later than 45 days
- Oregon 1551 (Jan 22, 2018) changes timeline to no later than 45 days
- South Dakota SB 62 (Jan 09, 2018) creates a new breach notification law with a timeline of no later than 45 days
- North Carolina Act to Strengthen Identity Theft Protections (announced Jan 08, 2018, pending introduction) changes timeline to within 15 days
There are a few notables in this list. First, the fact that South Dakota is included, as it is one of only two remaining states without a general breach notification law, following passage of New Mexico’s Data Breach Notification Act last year. If South Dakota’s SB 62 passes, Alabama will remain the sole holdout.
The second item of note is that, in addition to the specific timelines to notify affected individuals, two of those bills would impose timelines for providing notification to the state’s attorney general:
- Colorado HB 1128 requires notice be provided to the attorney general no later than seven days following discovery of a breach, regardless of the need to provide notice to affected individuals, if the unauthorized acquisition impacts 500 or more residents. (Update: note that this 7-day notification timeline is not present in the final version of the bill.)
- Iowa HSB 526 includes an interesting provision that, if a decision is made not to notify affected individuals based on a a determination of “no reasonable likelihood of harm,” then the written determination must be provided to the attorney general within five business days after documenting such determination.
Compliance Challenges: Keeping Ahead of Changing State Regulations
As state regulations focus on notification timelines, privacy, security, and compliance teams may find themselves racing the clock to stay in compliance. And if your organization is subject to the GDPR and its 72-hour notification requirement, this race just got a lot more intense.
When it comes to managing privacy incidents, efficiency and timeliness are key components for compliance. Using technology to streamline incident documentation, multi-factor risk assessment, and notification decisions can improve your team’s efficiency.
Tools to Stay Informed
The RADAR regulatory team continuously tracks changes in data breach notification laws and regulations to ensure that any changes are applied in RADAR prior to enforcement. RADAR customers have access to summaries of all data breach notification statutes within the RADAR Law Overviews, as well as a regulatory watchlist of active bills, along with an indicator of recent activity.
IAPP members also have exclusive access to the IAPP-RADAR Incident Response Center, with up-to-date overviews of U.S. and international data breach notification requirements — including GDPR. Click here to access the tool (login required).