Introduction to US State Data Breach Notification Laws

Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
In Lesson 10.1, we're going to look at and discuss an introduction to US State Data Breach Notification Laws. It's an extremely important topic. As I previously stated earlier in the course, there are 50 different US state-level data breach notification laws. Each of the US territories has its own data breach notification law: Guam, Puerto Rico, and the US Virgin Islands, as well as the District of Columbia. The reason that they started to pass these laws as early as 2002 in California was that, again, the US lacks an overarching data privacy law that really defines what those data breach notification law requirements are. We do know that you have laws like HIPAA, which has been amended by HITECH, that require breach notifications to the US Department of Health and Human Services and to affected individuals in compliance with the law. But there isn't a consistent law that really defines this and has national standards for data breach notification.

We have several learning objectives. We're going to talk about an overview, and then we'll talk about key takeaways for these different states. Now when we look at these laws, again, it's quite unique that these laws, whether they're the 50 state-level laws, the three US territorial laws, or the District of Columbia's, are similar and dissimilar. We know that California, when it passed the first US data breach notification law, did that in response to the proliferation of identity theft and identity fraud. To do that, again, the state enacted its data breach notification law to provide those protections to those individuals and to provide guidance to those licensed to operate within their respective states, in this case, California.

Now some of the things that are common, key takeaways when we look at these laws, are the time or the manner in which covered entities have to report, to notify either affected state residents or government entities like the State Attorneys General. Another is the way they define personal information, although they may classify it as personal information, personally identifiable information, sensitive personal information, or private information. Now lots of times we're talking about a last name and first name, or first initial, in combination with one of three criteria: a Social Security number; a state identification number or driver's license; or some type of financial account information, credit card or debit card numbers, in combination with some type of access information. Then there is to whom this is notified. Again, at the state level, in the majority of the cases, notice goes to the State Attorney General, who is responsible for enforcing these laws and for notification. But you may find in states like New Jersey that the state police is the entity to whom you would provide those notifications.

Again, these laws themselves tend to apply to an unauthorized breach of or access to unencrypted data. Normally, these laws are consistent in that if the information is encrypted and those encryption keys have not been compromised, it doesn't necessarily constitute a breach. They also have other safe harbor provisions and good-faith provisions, given that those covered entities conduct a risk analysis and determine a low probability of harm. As for the manner in which you notify, the states themselves tend to require you to first attempt to notify in writing. Then, if it becomes disproportionate, or you have a certain number of residents that can't be identified because of inaccurate contact information, then you should use substitute methods like the telephone or email. You can post the notifications to your public-facing website, or in certain cases, you can use the major media outlets within those respective states.

In the majority of these cases it is the State Attorney General that enforces civil penalties. Like I said, there may be cases, and that's why you have to look at each law individually in those states in which you are operating, to ensure you're compliant. There's a requirement to determine and conduct an analysis of the risk of harm. Now there are also requirements, as you look at these different laws themselves, on the part of third-party entities, that they have a notification requirement to notify the primary customer to whom they are providing support. Then also, in many cases, these states require notification without unreasonable delay or as soon as possible. There are some states that have requirements, and territories like Puerto Rico, that say no, you have 10 days in which to notify. Then, if the breach itself has been released by the press, you have 24 hours.

It's incumbent upon us privacy professionals, working with and supporting private sector organizations, institutions, and companies as well as those government entities, to comply with these different state data breach notification laws and to be familiar with them, because time is of the essence. We want to make sure we're mitigating harm to individuals and we're providing the proper notification, which requires us to be intimately familiar with the different laws. There are several websites that I use constantly, and I've used them in the past in support of private sector companies that were conducting an investigation to determine if they had suffered a security incident or a confirmed data breach. I tend to use first the National Conference of State Legislatures website, but I've also used the Davis Wright Tremaine website, and other websites like Foley's website and Baker McKenzie's. I encourage you to use those because you can really find a synopsis of these different laws that will help you and help your organizations, institutions, and companies respond to them in a timely fashion.

Question 1 asks, which US states, territories, and districts have enacted data breach notification laws? The appropriate answers are A, B, C, and D. Question 2 asks, which US state enacted the first US state-level data protection notification law, or data breach notification law, excuse me. The appropriate answer is D.

In summary, all 50 states, the District of Columbia, and the three territories of Guam, Puerto Rico, and the US Virgin Islands have enacted their own data breach notification laws, and they've done so, first of all, as we discussed previously, because the 10th Amendment allows them to do so if there's no conflict with the US Constitution or conflict with existing federal statutes, and to provide better protection to their respective state residents. We know that this multitude of laws creates a lot of confusion for those companies struggling to comply with these laws, which may be in conflict if they're operating in one or more of the states, territories, or the District of Columbia. We know there are similarities when we look at how these data breach notification laws establish requirements for those companies, organizations, and institutions that must comply with them. We talked about definitions of personal information. We talked about what constitutes a breach, or how each law defines a breach. We talked about the time and method of notice, and to whom you must give notice: affected persons, or state regulatory or law enforcement entities. We talked about the need for, and the applicability of, these laws to unencrypted data itself, personally identifiable information or information that has not been rendered unreadable or unusable. We talked about the fact that in the majority of these cases it is the State Attorney General that enforces the law, but there are other state entities that also have the responsibility of enforcing these laws themselves. We also know that, again, the penalties themselves vary, and the time for notification varies too based on the state.