Advisen reports that Congress is currently evaluating President Obama's recent data breach notification proposal and is meeting with retailers to gather their feedback on the proposed regulations.
The president's proposal would require businesses to notify customers whose data was unlawfully accessed within 30 days of discovering the breach. (For a full write-up on Obama's initial data security proposal, see "What Obama's Focus on Cyber Security Means for You.")
The president's proposal isn't starkly different from current state laws. Many states presently require notification within 30 or 60 days. The main difference is actually about convenience. If Congress passes this law, businesses holding private data would only have to know and follow one federal law rather than 47 slightly different state regulations.
That could be a relief for IT consultants, who are responsible for making sure their clients are compliant with state and federal data breach and data privacy laws. Let's look at this new data breach law proposal by examining…
- IT consultants' state data breach requirements.
- How IT consultant liabilities could change with new data breach laws.
An IT Consultant's State Data Breach Requirements
Keeping track of state data breach laws can be hard because each state sets its own requirements. While the laws are mostly similar, each law is slightly different. To help you, TechInsurance has compiled a state-by-state guide to data breach laws.
Here are some things to keep in mind when you look at your state laws:
- States define "protected data" differently, but it's usually some combination of personal information (e.g., name and address, Social Security number).
- After a breach, you might be required to offer free credit monitoring to customers.
- Some states require you to report large breaches to the attorney general.
- You might be required to notify customers within a certain number of days.
- Most laws won't consider a loss of data to be a breach if the data was encrypted.
If clients hire you to manage their data security, make sure their data breach response plan is up-to-date with current data breach laws. If you're hired to perform a security audit or upgrade a client's security, ensure your clients know that these laws may change. Your data breach notification recommendations might be obsolete in a year or two if Congress or local lawmakers pass new regulations.
Liability Changes with New Data Breach Laws
While Congress might not get behind President Obama's proposal, retailers are generally in favor of replacing the current state-by-state system of data breach laws with a single national standard. With businesses behind it, we might see a new federal law in the next few years.
The current situation with 40 or more different state data breach laws poses a challenge for IT consultants. A federal law would simplify things for you, but any new laws could also have additional requirements.
As you go forward, the best strategy to stay on top of data breach requirements is to…
- Follow the TechInsurance blog for updates on any changes.
- Invest in Errors and Omissions Insurance to protect you from the cost of client lawsuits.
- Make sure your clients know that their data security requirements will change. If they hire you for a one-and-done security update, they'll need to know that their technology and policies will need to be updated as laws and tech change in the future.
If you have questions about cyber liability and covering your IT business risk, don't hesitate to talk with a TechInsurance agent.