Constantly updating technology coupled with the dynamic and evolving nature of data breaches may be stalling notification laws from becoming uniform across the United States.
The World Law Group (WLG), a network of 53 independent law firms, released the “Global Guide to Data Breach Notifications, 2013” in mid-November, a hundred-plus page report compiled as a go-to global resource for how breached entities are legally mandated to respond to incidents involving a loss of client information.
The report should be particularly helpful to breached organizations in the U.S., and to the clients affected as a result, who are unclear about their rights, especially since requirements vary from state to state. The report also covers data breach notification laws in numerous other countries.
So far, 46 U.S. states have data breach notification laws. California has been a notable frontrunner in advancing notification requirements, while Alabama, Kentucky, New Mexico and South Dakota have yet to enact one. Some industries, such as banking and health care, are also subject to federal requirements.
“They are not all uniform,” Mark Schreiber, a partner at Edwards Wildman in Boston who chairs the WLG Privacy Group and led the development of the Data Breach Guide, told SCMagazine.com on Tuesday. “It would be nice and helpful to everybody, companies and individuals alike, if there were a uniform data breach standard in the U.S., but there are multiple standards.”
Each state's statute defines what constitutes a breach and when notice must be given, and the trigger differs from state to state: some jurisdictions require notice upon unauthorized access to personal information, while others mandate notice only upon unauthorized acquisition of the data. For a breached organization the distinction matters, because an intrusion that reached a system holding personal information but did not retrieve the records may require notification under an access standard and not under an acquisition standard.
“It's difficult, in terms of when notice must be given, the content of the notification, who needs to receive it and under what time deadlines,” Schreiber said. “At its core, it's difficult with hacking events. Hacking events aren't as easy due to the nature of the [attacks].”
Breached organizations often take what seems like forever to notify affected individuals, which typically angers those directly impacted.
Schreiber said that sometimes law enforcement suggests a delay in the notification, so as not to impede an ongoing investigation, and he added that attacks are occasionally so embedded that the incident happened months or years ago and was only recently discovered.
Schreiber said that efforts to pass legislation making data breach notification laws uniform across the U.S. have stalled in Congress a number of times now, and he added that the endeavor continues to be challenging.
“It's too aspirational at this point, but I think we have yet to reach a plateau of breach notification mechanisms that are clear and serve individuals and businesses,” Schreiber said.
When asked to compare U.S. regulations with those of the other countries explored in the guide, Schreiber said, “There's no best place for data breach notification laws.”