There is a growing trend in U.S. state legislation outlining a requirement to notify the state attorney general in the event of a data breach.
State attorneys general are the driving force behind this growing trend. Not only do their offices help consumers deal with the repercussions of a data breach, they also investigate data security lapses and enforce data breach notification laws. Keeping abreast of data breaches is critical to performing this work.
In 2019, four states added a requirement to notify the attorney general in the event of a breach: Arkansas, Massachusetts, Maryland, and New York (the SHIELD Act). The New York law imposes new data breach reporting requirements for covered entities under HIPAA. These covered entities must report to the state AG in the event of a data breach that requires notice to HHS under HIPAA.
With this increased vigilance, it’s no surprise that state AGs made inquiries following notification in 34% of incidents in the 2019 BakerHostetler Data Security Incident Report. “If a breach happens, you shouldn’t forget about the attorneys general. You should reach out early to us,” says Stacey Schesser, supervising deputy attorney general at the California Department of Justice.
A Notification “Sub-Trend” to Watch
One interesting sub-trend of this requirement is the varying number of impacted individuals that would trigger the notification obligation. In Arkansas, for example, notification is required only if 1,000 or more individuals are affected by a breach.
Arkansas has set another minor trend: defining timelines for notification to the AG. For Arkansas, that timeline to notify state AGs is 45 days, or at the same time as affected individuals. As a privacy professional, it’s critical for you to know these different thresholds per law, and act accordingly.
Forecast for 2020
Now that we’re in 2020, additional states require breach notification to their AG, with a threshold set based on the number of individuals affected:
- Illinois (SB 1624): 100 residents
- Oregon (SB 684): 250 customers
- Texas (HB 4390): 250 residents. (This act also requires notification to the state AG within 60 days.)
The legal experts at Foley Hoag named increased AG notification as one of the top state AG trends to watch in 2020. “Despite signs of momentum, Congress is unlikely to pass any major new national cybersecurity legislation this election year,” the article notes. “Companies are thus likely looking at another year where privacy and data security enforcement remains largely in the hands of state AGs.”
Why This Trend Matters to Privacy and Security Teams
Attorney general notification requirements add a layer of complexity to your privacy incident response program. In the event of a breach, this is a key deadline that you will need to track, and one more notification you may need to create and send. Adding to this complexity, the actual contact information and process for notifying a state attorney general can sometimes be difficult to identify.
To help manage the complexity and meet breach notification deadlines, consider privacy automation. Every incident in every jurisdiction must pass through a multifactor risk assessment that takes into account the most current version of applicable breach notification laws, including notification to the state AG. Technology makes this process consistent and efficient, so you can be sure you are meeting your obligations in all 50 states.
Read the other posts in the 2020 regulatory trends series:
- Trend #1: The Expanding Scope of Personal Information
- Trend #2: Increasing Specificity in Notification Timelines
- Trend #3: Specifying Notification Contents