As concerns about data privacy and the protection of personal information grow, state regulators are enacting laws to address breach notification requirements – specifically, whether, when, how and to whom notifications of a breach must occur. California, New Jersey, Washington and Illinois are among the latest states to enact legislation that will significantly impact businesses operating in those jurisdictions.
These laws typically define the nature of information and types of organizations covered under the law, methods and timing to notify affected parties, and requirements to notify regulators.
The types of data covered are far-reaching. For example, Illinois enacted a biometric privacy law – recently upheld in a state supreme court case – that gives individuals the right to sue if their biometric data is collected without consent. The law in Washington state covers hard copy records as well as digital ones.
While no two laws are the same, one thing is clear: Privacy is here to stay. Existing statutes and case law have reinforced the notion that the data subject, not the data collector, is the owner of the data. And there is every reason to expect that privacy requirements will only grow more complex and rigorous over time. California was the first state to model its regulation after the General Data Protection Regulation (GDPR), the EU’s sweeping privacy regulation, but it will not likely be the last.
In many cases, once laws are signed, they go into effect on an accelerated timeline. For example, a Massachusetts law signed in January went into effect just three months later despite significant changes, including a requirement to provide complimentary credit monitoring when a breach involves a social security number. In Nevada, implementation is required beginning Oct. 1, 2019 – just five months after the regulation was passed. In California, businesses have until Jan. 1, 2020 to comply, although amendments are continuing to be made there, so the final details remain unclear.
The cost of inaction or noncompliance can be severe. While the structure of penalties varies from state to state, they are trending well past warnings and slaps on the wrist. In California, for example, fines are levied per record breached. In Arizona, the maximum fine is $500,000 per breach event while Alabama can impose a fine of $5,000 per day for failure to comply with its notification law.
Not all regulatory details are settled. It is likely that case law will ultimately determine the intricacies of how different laws are interpreted (e.g., what constitutes a breach or which types of data are covered data). Likewise, it is impossible to prevent every possible future breach. For organizations to sufficiently protect themselves, it will be important to demonstrate good faith efforts to identify and remedy risks. The extent to which an organization can show regulators that it did the work up front and put controls into place based on industry standards and best practices will determine the strength of its case for reduced penalties.
It is impractical and inefficient for organizations to revamp data privacy programs each time a new law goes into effect. Organizations with a presence in multiple jurisdictions should instead think holistically about their privacy programs by taking the following steps:
For more information on this topic, or to learn how Baker Tilly specialists can help you with privacy and data protection program development, contact our team.