As of March 28, 2018, all 50 states, Puerto Rico, the District of Columbia, Guam, and the Virgin Islands have data breach notification laws. South Dakota’s governor signed its law on March 21, 2018, making it the 49th state to enact a law, with an effective date of July 1, 2018. Alabama became the 50th state when its governor signed the law on March 28, 2018, effective on June 1, 2018.
It’s noteworthy that the data breach laws passed by these last two states include provisions that are not in the mainstream of the other 48 statutes. For example, there is a risk of harm exception in the South Dakota law: if a breached entity “reasonably determines that the breach will not likely result in harm to the affected person,” notifications do not need to be issued. See SB 62. Although it was the last state in the union to pass a law, Alabama’s law immediately became among the most stringent, and it joins 13 other states whose laws include prescriptive requirements for maintaining a reasonable cybersecurity program. ACT 2018-396.
While the legal landscape of 50 separate data breach notification laws can seem fragmented, at their base level all 50 states generally cover the same information and all generally include a two-part analysis: 1) “has a data security breach occurred?” and, 2) if so, who must receive notice, what the notice must contain, and when it must be sent. The lack of a single approach for response is a source of frustration for multistate organizations and, unfortunately, the European Union’s General Data Protection Regulation’s (GDPR) looming breach reporting requirements will not lessen those frustrations.
Under GDPR, notice to applicable regulators is required within 72 hours after “having become aware” of a personal data breach and notice to data subjects (and data controllers, as applicable) is required “without undue delay.” Article 33 and Article 34. A personal data breach is defined under GDPR as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Article 4.
There are many notable similarities and differences between the GDPR regime and U.S. State data breach notice laws, examples of which are:
- Companies that are mere processors of personal data on behalf of another company notify the company for which they process personal data – and not data subjects or regulators.
- Companies that process personal data for their own purposes (and not solely for the purpose of another company) notify affected data subjects and regulators.
- If harm to the data subject is highly unlikely, notice may not be strictly required (although not all U.S. State laws contain this exception and reliance on the exception in both the U.S. and the E.U. carries inherent reputational and legal risk).
- The 72-hour clock for a data controller to provide notice to regulators under GDPR is shorter than the notice deadline under any U.S. State data breach law.
- Not all U.S. State laws require regulator notice (or, if regulator notice is part of the law, in many states a threshold number of individuals in that state must be affected before a notice to the regulator becomes strictly required).
- Under GDPR, notice is potentially required for breach of any personal data types (including name, email address, mailing address) while notice under U.S. laws is typically reserved for more sensitive data types, including SSN, credit card number, bank account information, driver’s license number, and similar.
- Under GDPR, notice may be triggered by mere damage to the data (even if there has been no unauthorized access) – e.g., in the event of a ransomware attack.
- The potential fines/penalties for a failure to comply with notice obligations under GDPR (the greater of 20 million Euro or four percent of global turnover) are far larger than those typically seen under U.S. State data breach notice laws.