Data breaches happen more often than you might think. Remember the Equifax data breach of 2017? The personal information of about 147 million people, including Social Security numbers and birth dates, was stolen. Equifax discovered the intrusion at the end of July 2017 but did not disclose it publicly until early September, roughly six weeks later. During that window the affected individuals had no way of knowing that they should freeze their credit or watch for fraud. This is a classic illustration of why data breach notification laws exist.
A data breach is an incident in which private or sensitive information about individuals, customers, clients, or employees is accessed, used, disclosed, or stolen by an unauthorized party, whether through accident or deliberate attack. Data breaches compromise the privacy of the people whose data was exposed and the trust and reputation of the organizations that hold and process that data. The information involved can be anything from names, addresses, phone numbers, and email addresses to bank account details, credit card numbers, medical records, and even biometric data such as fingerprints and facial scans.
Data breach notification laws set out the requirements and procedures an organization must follow when a breach exposes sensitive information. Their aim is to ensure that organizations notify the affected individuals promptly, within deadlines the law defines, and give them enough detail about the breach to take steps to protect themselves from harm. These laws also impose penalties on organizations that fail to comply.
In the US there is no single data breach notification law. Sector-specific federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) govern health and financial data, and all 50 states have their own breach notification statutes, each with its own definitions of personal information, harm thresholds, and deadlines. A US organization that processes the personal data of people in the European Union must additionally comply with the EU's General Data Protection Regulation (GDPR), which is not a US law but reaches such organizations. An organization must comply with every regime that applies to it, and in practice the strictest applicable deadline is the one that governs the response.
HIPAA's Breach Notification Rule requires covered entities to notify affected individuals of any breach of unsecured protected health information (PHI) without unreasonable delay and no later than 60 calendar days after the breach is discovered. Breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services within the same 60-day window, and breaches affecting more than 500 residents of a state or jurisdiction must additionally be reported to prominent media outlets serving that area; smaller breaches are logged and reported to HHS annually. Business associates must notify the covered entities they work with, also without unreasonable delay and within 60 days of discovery, so that the covered entity can in turn notify individuals. Before notifying, the covered entity performs a risk assessment covering the nature of the PHI involved, who obtained it, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated; an impermissible use or disclosure is presumed to be a breach unless that assessment shows a low probability that the PHI was compromised. HIPAA itself does not require credit monitoring for affected individuals, although some state laws and settlement agreements do.
GLBA does not itself contain a breach notification provision; the obligations come from the rules its regulators issued under it. The Interagency Guidance adopted by the federal banking regulators requires a financial institution to notify its primary federal regulator as soon as possible after it becomes aware of unauthorized access to sensitive customer information, and to notify affected customers when misuse of their information has occurred or is reasonably possible. Institutions under the Federal Trade Commission's jurisdiction follow the FTC Safeguards Rule, which since 2024 requires notice to the FTC as soon as possible and no later than 30 days after discovery of an incident involving the unencrypted information of at least 500 consumers. The information these rules protect is the nonpublic personal information GLBA covers: personally identifiable financial information that a financial institution collects, directly or indirectly, from or about its customers in the ordinary course of business.
GDPR requires a data controller to notify its supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned; a notification made after 72 hours must explain the reasons for the delay. A data processor that detects a breach must notify the controller without undue delay. Where the breach is likely to result in a high risk to individuals, for example identity theft, financial loss, or reputational damage, the controller must also communicate it to the affected individuals without undue delay. GDPR defines personal data as any information relating to an identified or identifiable natural person, such as a name, address, email address, identification number, or online identifier.
The consequences of noncompliance can be severe: fines, lawsuits, reputational damage, and loss of customer trust. Equifax agreed to a settlement of up to $700 million with the FTC, the CFPB, and the states to compensate victims of its breach and to improve its security practices. Marriott International was initially told by the UK Information Commissioner's Office to expect a fine of about £99 million (roughly $123 million) for failing to protect the personal data of millions of hotel guests; the penalty finally imposed in 2020 was £18.4 million. Uber paid $148 million to the US states to settle claims that it had concealed a 2016 breach affecting 57 million riders and drivers.
A robust breach response plan is therefore essential. It should identify the types of sensitive data the organization holds and where they are stored, assess the risk of each being breached, put security measures in place to reduce that risk, train employees to recognize and report a suspected breach, and be tested regularly. Because the notification deadlines above all run from the moment the breach is discovered, the plan must also fix and record the discovery date, determine which laws and deadlines apply, preserve evidence for the investigation, and bring in legal, IT, and cybersecurity experts early enough to meet the shortest applicable deadline.
In conclusion, data breach notification laws are important to protect individuals' privacy, security, and trust in the digital age. Organizations must comply with the legal requirements and ethical obligations to secure and manage sensitive data appropriately, and to notify individuals affected by a breach promptly and transparently. Data breaches may be inevitable, but the harm they cause can be mitigated through proper preparation and communication.