The phrase “data breach” is terrifying.
Not only for the question of your security, but especially now that there are extremely strict legal regulations regarding how your company notifies affected customers and when you do so.
The team at 1ST Secure IT has put together this handy guide to the latest legal updates on data breach reporting.
Alabama's New Legislation
The State of Alabama put Bill SB 318 into law on April 3, 2018 and it took effect on May 1.
This new law requires that companies inform customers within 45 days of a breach of their personal data.
Under Alabama state law, personal data is considered a person’s first name (or first initial) and last name if combined with any of the following:
- Social security number
- Personal medical information
- An employment id number/password/biometric data used for login
- A username/email address/password that provides access to online accounts
- A credit or debit card number/CVC code found on the back of a credit card/a PIN
- Any government-issued identification number, such as a driver’s license number.
This law exempts information for which it is “reasonably determined that the breach will not likely result in harm to the affected person”, information that has already been made public, encrypted information, redacted information, or any other unusable data.
Failure to alert customers within the allotted 45 days results in a fine of $5,000 per day and the potential for the state’s attorney to file suit.
If 1,000 Alabamans are affected, then the attorney general must be notified, as must credit reporting agencies.
South Dakota's New Legislation
South Dakota’s new law SB62 is nearly identical to the legislation in Alabama.
There are, however, a few key differences.
Firstly, companies have 60 days to notify those who are affected, not 45.
Next, if 250 South Dakotans are affected, the state’s attorney must be notified within that same time frame.
Credit agencies do not have to be notified.
Lastly, the fines are much higher in South Dakota, set at $10,000 per day plus state’s attorney fees, and a potential $10,000 for each violation.
Federal Laws On The Subject
Alabama and South Dakota were the last two holdouts.
Now, every state in the Union has its own laws about data breach reporting.
But in February, a bill called The Data Acquisition and Technology Accountability and Security Act began circulating on Capitol Hill.
This bill would overrule the laws each state has developed for itself.
While many states and professional organizations support the idea of a single unified set of rules and regulations to best protect Americans, it is facing opposition from those who feel it would make things harder for state governments to protect their citizens.
Believe it or not, Canada does have internet, and that means that the data of Canadian customers is also something that is to be protected.
Under new Canadian laws, beginning November 1st, companies will have to follow protocols for informing people when their data has been leaked.
The issue is, those protocols have not been released by the government yet.
As of now, the regulations are only partly fleshed out.
The law requires that companies determine how harmful the data that has been breached is, and how it could be misused.
Does it pose a real risk of significant harm?
If so, they must inform the customers who have had their data leaked, as well as the Privacy Commissioner of Canada.
They must then notify any company that can help mitigate harm to affected individuals.
Companies based in British Columbia, Alberta, and Quebec are all covered by their own provincial legislation that has already been established.
Surprisingly, though, Ontario – the most populous province in Canada and home to nearly 40% of the country's population – has no such regulatory framework.
It is currently proposed that companies will have to keep a 24-month record of breaches.
This same proposal also suggests that when companies notify customers of a breach, they will have to disclose:
- The circumstances of the breach
- When it occurred
- The compromised data
- What steps are being taken to minimize any risk to the affected customers
- What steps the customer can take to protect themselves
- Contact information to answer any questions about the incident
- Information about the internal complaints process, and how to file a complaint with the Privacy Commissioner.
Contact 1st Secure IT
Of course, these are only some of the many different data breach reporting regulations on this planet of ours.
Many European nations have their own set of laws around data breach reporting, as do some Latin American countries like Uruguay.
If you're doing business with people based in foreign countries, it's a good idea to be familiar with their data breach regulations. That way, when you're writing your disaster response plan, you can be sure you're prepared for all the potentialities.
If you're wondering whether your company is liable in different jurisdictions, we can help.
Contact 1st Secure IT today and keep your customers and your data secure in an uncertain digital world.