According to JD Supra, four states have changed their data breach notification laws in the wake of 2014's onslaught of data breaches. Here's what IT consultants need to know about new state requirements:
- California. If a breach exposes Social Security, driver's license, or California ID card numbers, the business must offer affected residents appropriate identity-theft prevention and mitigation services (in practice, credit monitoring) at no cost for at least 12 months.
- Florida. Individuals must be notified sooner (within 30 days of determining that a breach occurred, rather than 45), and the definition of protected personal information has been expanded to cover usernames or email addresses combined with passwords or security questions and answers. In addition to civil penalties and fines, a violation is treated as an unfair or deceptive trade practice, which the Florida attorney general can pursue.
- Iowa. If a breach affects more than 500 Iowa residents, the business must also notify the state attorney general within five business days of notifying the affected consumers.
- Kentucky. Kentucky was one of only four states without a breach notification law until it enacted this one. It requires any business holding Kentucky residents' data to notify them when unencrypted, unredacted personal information is acquired without authorization and the business reasonably believes the breach has caused or will cause identity theft or fraud.
Do we see any patterns in these changes to state data breach laws? Yes: states keep widening the definition of protected personal information (and therefore of a reportable breach), shortening deadlines, and adding regulator notification. And each new law asks more of the IT consultants who hold the data.
Regardless of where your business is located, the law that applies is that of each affected person's state of residence. In ecommerce, a small business's customers can come from anywhere in the country (or the world), so if a breach happens, work out which states the affected people live in and follow the notification rules of every one of the 47 states that has them.
Data Breach Laws and Third-Party Liability
Notification laws kick in only after a breach has happened, but some states are also expanding their statutes to spell out your obligation to protect user data and prevent breaches in the first place.
For example, California's data breach statute, as updated in 2014, also addresses third parties. A business that shares California residents' personal information with a nonaffiliated third party under contract must require that third party, by contract, to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.
What does that mean for IT professionals?
We'll spare you the legalese and cut to the chase. Many IT companies rely on third-party services, whether a SaaS provider like Salesforce that holds your client's sales records or simply a cloud storage company. Under California law, the contract with that third party has to include language requiring it to protect your client's data with reasonable security measures. A contract clause does not shift the notification duty, though: if the vendor is breached, the business that owns the data still owes notice to its California customers.
California has a reputation for being ahead of the curve on data security laws; it has already enacted a law requiring kill switches on smartphones (see our post, "Addressing (Some) Physical Exposures for Data Breaches"). Over the next few years, we may see more states adopt California's third-party contract requirement.
Questions Going Forward: The Future of Data Breach Laws
Forty-seven states currently have data breach laws, and each differs slightly from the others. That can be a headache, but the laws are more alike than different. If a client's data is exposed, identify where the affected people live, review the laws of those states for yourself, and make sure you…
- Inform customers within the right timeframe determined by state law.
- Report the breach to the proper authorities (if required).
- Offer credit monitoring (if required).
You've probably noticed the whirlwind of data breach laws discussed and enacted after the Target, Home Depot, and other breaches. Laws often pass months after the public outcry, which creates a particular challenge for IT professionals: their liabilities and legal responsibilities keep changing, and they have to keep up. Given the current anxiety about data breaches and identity theft, expect more states to change their laws and more discussion of federal standards for data security.
To keep up with changes in data breach laws, follow our IT risk management blog.