Three Data Breach Developments to Watch: Increasingly Complex State and Federal Privacy Laws

In a recent webinar I had an opportunity to discuss some of the emerging developments I’ve seen in privacy laws at the state and federal level. The topics covered in the webinar – increasing stringency in state laws, varying penalties for noncompliance across state jurisdictions, and recent federal penalties and what they could mean for future enforcements – can be angst-inducing.

With that in mind, I want to reiterate a few words of encouragement I had for privacy professionals out there working hard under strained resources in a constantly changing landscape: You are doing good and important work. In the privacy profession, we are charged with protecting our organizations and protecting consumers by determining best practices for protecting data, selecting what data can be used, and in what way we can use that data. This is no small task. When it comes to thinking about how data needs to be managed in rapidly evolving environments, privacy professionals are at the forefront.

The thirty-minute webinar “Three Data Breach Compliance Developments to Watch in 2017” is now available to view on-demand.

Major Takeaway: Overall Increased Stringency and Complexity

As anyone in the privacy profession will likely opine, working with sensitive and regulated data does not appear to be getting any easier anytime soon. Consider:

At a state level, data breach notification laws are becoming increasingly complex and stringent. More states are shoring up the parameters which might require notifications to agencies and impacted individuals, including when and how these notifications take place.
If you’re not compliant with state notification requirements, penalties for noncompliance in each state are similarly complex and vary widely. Some states may allow for several potential consequences and large maximum fines, while others may be more ambiguous in enforcement of penalties. Dealing with multi-jurisdictional data breaches could mean compounded penalties.
Early January of 2017, the Office for Civil Rights (OCR) announced the first ever enforcement settlement for lack of a timely breach notification, and has issued similar enforcements in the weeks since. This enforcement should not be surprising because it aligns with the emphasis OCR placed on compliance with the Breach Notification Rules when they launched the Phase 2 audit program last year.

How State, Federal, Industry Specific, and International Breach Regulations Influence One Another

As multi-layered as state and federal data breach laws may feel, looking only at these two areas can miss a larger part of the picture – namely, the international and industry-specific regulations that may be top of mind for privacy professionals, depending on their organization.

Two questions in particular were raised by webinar attendees:

How do these laws intersect with the Interagency Guidelines Establishing Information Security Standards?
What impacts, if any, can you see GDPR having on federal enforcements in 2018?

Interagency Guidelines Provide an Alternative to Complying with Some State Breach Notification Rules, Require that Every Institution Have an Incident Response Program

One of the nuances of the American breach notification structure is alternate compliance, or the ability to comply with a state breach notification law by complying with a different specifically-referenced standard. The Interagency Guidelines Establishing Information Security Standards (PDF) are one example of this, allowing financial institutions in certain states (and one territory) to the ability to comply with state data breach laws by complying with the Interagency Guidance instead. These Interagency Guidelines contain standards and contents of breach notification.

state and territories with Interagency Guidance

The Guidance states that “every financial institution should also develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems,” and includes provisions regarding standard, timeline, and contents of the notification.

Impact of GDPR on Federal Regulations: Following Europe’s Lead When it Comes to Data Privacy Protection

As the May 2018 deadline for General Data Protection Regulation (GDPR) compliance weighs heavily on the mind of every privacy professional, we may also assume that those setting Federal regulations are likewise taking note. Having been afforded the opportunity to attend many conferences sessions, meetings and webinars hosted by members of the Federal Trade Commission, I can see indications that the FTC is paying attention to the examples set forth in the European Union, especially in efforts to reconcile American and European standards per the EU-US Privacy Shield framework.

And don’t forget, the GDPR has up to 4% global annual revenue penalties attached. This figure may embolden federal regulators to increase their own penalties. The GDPR may be driving a global movement in privacy.