Earlier this year we identified five trends in state data breach notification laws, based on legislative activity in 2015 and 2016.
These trends included:
- Overall increased stringency and growing complexity (the overarching trend in data breach law for 2016)
- Expanded scope of personal information
- Increased specificity of timelines
- More specific notification contents
- Added requirement to notify state Attorney General
As many state legislatures are getting ready to convene in January, we revisited these trends and started thinking about what 2017 may bring.
Trending, Not Trendy
Identifying trends in data breach laws may cause some to flash back to the brief heyday of pet rocks or acid-washed jeans, undeniably trendy phenomena that burned out as quickly as they flared in popularity.
When it comes to legislative updates in state data breach notification laws, legislators don’t view protecting personal information as a trendy thing to do, but rather as the right thing to do. We don’t see that changing anytime soon.
Consider the upcoming amendment to the breach notification law in Illinois, HB1260, which has a January 1, 2017 effective date. This bill includes elements of the above trends – it expands the scope of personal information, adds a requirement to notify the state attorney general (for HIPAA-regulated entities), and specifies notification contents when online account credentials are breached. It also indicates an increased overall stringency and complexity.
So what will 2017 hold? A continuation of the trends we previously identified. These are better described as trending than trendy: they are gradually changing or developing in one general direction over time rather than flaring and fading. We fully expect them to continue and even pick up momentum in 2017.
Prepare and Remain Aware
At any given time, there are a number of active bills that could change what compliance looks like under state and federal data breach notification laws. Keeping up with these constantly changing regulations requires a good amount of work and attention to detail. In fact, attorneys from Littler had this to say in a recent publication:
“For multistate employers in particular, the continual amendments to data breach notification laws create a complex web of obligations, several of which may need to be followed at the same time in the event of a breach. Accordingly, employers should periodically review and, if necessary, update their security incident response plan to keep track of breach response requirements in each relevant state.”
The work of the RADAR regulatory team continues well into 2017 and beyond. With all the movement in state and federal data breach notification regulations, navigating the complex and ever-changing data breach law landscape means staying on top of pending and recently passed legislation. Privacy teams will need to:
- Continuously keep tabs on any movement in proposed legislation and analyze possible impact of proposed legislation.
- Stay aware of recently passed legislation, including effective dates, potential impacts on breach notification requirements, and new timelines for notification.
- Connect with state agencies to confirm analysis of select provisions in a bill and confirm notification details – such as state agency contact information – in the event a breach notification is advised.
If you’re a RADAR customer, the RADAR regulatory team researches laws, teases out relevant factors (including the information outlined above), and incorporates this data into the RADAR Breach Guidance Engine™ so our users can make informed decisions about incident risk and their notification obligations.
Interested in learning more? Read the 2016 trends in data breach notification law ebook.