3
|
Comply with Applicable Data Breach Notification Requirements.
A number of countries have laws requiring organizations to notify individuals and/or the government following a data breach. California was the first jurisdiction to enact a broad data breach notification requirement. Most U.S. states and territories now have data breach notification statutes, which typically apply broadly to organizations that acquire, own, or license computerized data including personal identifiable information of individuals who reside within that jurisdiction. Certain U.S. federal statutes also apply to certain types of organizations and protected information (e.g. the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the American Recovery and Reinvestment Act).
These statutes generally require notification to individuals whose personal identifiable information has been or may have been compromised. They may also require the government be notified, and certain statutes require notification to credit reporting agencies. Typically, notification must be made without “unreasonable” delay, but certain statutes require more prompt notification (for example, California requires notification to individuals within 5 days of detection of a breach for protected medical information). These statutes normally specify the appropriate method of notification, and some statutes describe the content required. If the breach warrants law enforcement involvement, any notification to individuals may be delayed if law enforcement determines the notification will impede a criminal investigation.
A number of individual European countries currently have data breach notification laws (including the Netherlands, which passed a law in January 2016 requiring data controllers to notify the Data Protection Authority of data security breaches). In addition, the European Commission’s ePrivacy Directive established breach reporting obligations for telecommunications service providers, and the General Data Protection Regulation (GDPR) – which becomes effective May 25, 2018 – will extend data breach notification requirements to all organizations (including a requirement to notify the relevant supervisory authority within 72 hours). Canada and Australia have also recently enacted data breach notification laws, but like the GDPR, they have not yet entered into force.
|