Security Breach Notification Laws
Encyclopedia
Security breach notification laws have been enacted in most U.S. states since 2002. These laws were enacted in response to an escalating number of breaches of consumer
databases containing personally identifiable information
.
The first such law, the California
data security breach notification law, Cal. Civ. Code 1798.82 and 1798.29, was enacted in 2002 and became effective on July 1, 2003. As related in the bill statement, law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach in the security of the data.
In general, most state laws follow the basic tenets of California's original law: Companies must immediately disclose a data breach to customers, usually in writing. California has since broadened its law to include compromised medical and health insurance information.
The National Conference of State Legislatures
maintains a list of enacted and proposed security breach notification laws.
A number of bills that would establish a national standard for data security breach notification have been introduced in the U.S. Congress, but none passed in the 109th Congress.
The European Union
implemented a breach notification law in the Directive on Privacy and Electronic Communications
(E-Privacy Directive) in 2009. This directive has to implemented by national law until 25 May 2011.
Consumer
Consumer is a broad label for any individuals or households that use goods generated within the economy. The concept of a consumer occurs in different contexts, so that the usage and significance of the term may vary.-Economics and marketing:...
databases containing personally identifiable information
Personally identifiable information
Personally Identifiable Information , as used in information security, is information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual...
.
The first such law, the California
California
California is a state located on the West Coast of the United States. It is by far the most populous U.S. state, and the third-largest by land area...
data security breach notification law, Cal. Civ. Code 1798.82 and 1798.29, was enacted in 2002 and became effective on July 1, 2003. As related in the bill statement, law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach in the security of the data.
In general, most state laws follow the basic tenets of California's original law: Companies must immediately disclose a data breach to customers, usually in writing. California has since broadened its law to include compromised medical and health insurance information.
The National Conference of State Legislatures
National Conference of State Legislatures
The National Conference of State Legislatures is a bipartisan non-governmental organization established in 1975 to serve the members and staff of state legislatures of the United States...
maintains a list of enacted and proposed security breach notification laws.
A number of bills that would establish a national standard for data security breach notification have been introduced in the U.S. Congress, but none passed in the 109th Congress.
The European Union
European Union
The European Union is an economic and political union of 27 independent member states which are located primarily in Europe. The EU traces its origins from the European Coal and Steel Community and the European Economic Community , formed by six countries in 1958...
implemented a breach notification law in the Directive on Privacy and Electronic Communications
Directive on Privacy and Electronic Communications
Directive 2002/58 on Privacy and Electronic Communications, otherwise known as E-Privacy Directive, is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive...
(E-Privacy Directive) in 2009. This directive has to implemented by national law until 25 May 2011.
External links
- Breach reporting requirements by state
- Interactive map comparing U.S. security breach notice laws (requires subscription)