The world of information technology has vastly expanded over the past few decades. Consumers can now shop online, pay bills, check bank accounts, and update information all with the click of a button. Information can be aggregated from different sources. Businesses manage global HR systems, from hiring through the administration of retirement and pension benefits, online. These consumers entrust personal information to many different types of businesses on a daily basis and expect companies to safeguard their information during collection, retention, and disposal.
Despite growing awareness of the need for strong data security, however, data breaches continue to occur at an alarming rate. According to the Identity Theft Resource Center ("ITRC"), in 2010 there were 662 reported data breaches, affecting over 16 million records. Major data breaches in 2011 at companies like Sony, Epsilon, and Wellpoint have triggered multi-million-dollar class action lawsuits alleging a failure to safeguard personal information and/or a delay in notification of the breach. The Sony PlayStation data breaches alone compromised the personal information of more than 100 million individuals and resulted in more than 50 class action lawsuits and potential actions by state attorneys general. Sony has estimated that the breaches will cost the company $170 million by the end of fiscal year 2011.
With the growing sophistication of hackers, the number of data breaches is on the rise. In turn, lawsuits are being filed at an unprecedented rate, making it more important than ever for companies to be prepared for a data breach. This guide provides a brief overview of the laws governing data breach notification to help companies improve their breach preparedness and response and minimize the risk of liability in the aftermath of a data breach.
Data Breach Notification Laws
Forty-six states and the District of Columbia have enacted legislation requiring notification of security breaches involving personal information. Only Alabama, Kentucky, New Mexico, and South Dakota do not have data breach laws. While adoption of a preemptive, federal standard has been a goal of many key businesses, and a variety of bills have been introduced, at present the matter is left to state law, creating complexities in terms of breach notifications due to differences in the applicable legal requirements.
When a data breach occurs, a company must notify every individual whose personal information was breached. Notification of a breach is governed by the laws in the state where the individual whose data was breached resides. This means that multiple state laws could apply to the same breach, depending on where affected individuals reside. States have differing thresholds for triggering a company's breach notification obligation, but most state laws contain five main components: