Today we’re continuing our series of data breach notification law trends. If you missed the first part of the series, check out our discussion of the biggest trend in 2016, as well as our post focused on the expanding scope of personal information.
This week, we’ll delve into something that has companies racing the clock when a breach occurs – timeline requirements for notifications.
Increasing specificity in notification timelines for individuals
Many state breach notification laws have ambiguous timelines when it comes to notifying an individual following a breach of personal information.
Currently, it’s typical to see a notification timeline defined as “in the most expeditious time possible without unreasonable delay.” Depending on the circumstances of a breach or an entity’s culture of compliance, the timing of when individuals are actually notified can vary widely.
In response, many states are replacing this ambiguous phrase with an increasingly specific notification timeline or outside limit by which time an individual must be notified (generally consistent with the needs of law enforcement). An entity must notify individuals within this timeline to be compliant with the state’s breach notification law.
States that have recently changed their notification timelines include:
- Connecticut (SB 949): Last year, Connecticut updated its notification timeline for affected individuals from “without unreasonable delay” to a specific timeline of no later than 90 days after discovery of a breach.
- Washington (HB 1078): Washington also updated its notification timeline last year from “most expedient” to no more than 45 calendar days after discovery.
- Rhode Island (SB 134): In June of this year, Rhode Island’s Identity Theft Protection Act of 2015 will go into effect. This act replaces an existing notification timeline of “most expedient” with a timeline of no later than 45 calendar days after confirmation of a breach.
- Tennessee (SB 2005): Signed into law March of this year, SB 2005 will go into effect in July. This bill replaces a “most expedient” timeline with a timeline of no later than 45 days from discovery.
What this means for privacy and security teams
As states continue to condense the timeframe between discovery of a breach and required notification to affected individuals, it’s increasingly critical that processes and systems are in place to streamline incident response. Privacy and security teams may find themselves racing the clock to remain compliant with multiple timelines across multiple jurisdictions.
Interested in following the rest of this series? Subscribe to our blog to receive the rest of our regulatory trend blog posts in your inbox the minute they’re posted.