Making a Federal Case
At the U.S. federal level, there are laws and guidance requiring breach notification for specific types of data: the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act for health care information, the Gramm-Leach-Bliley Act for financial information, and the Office of Management and Budget (OMB) guidance for personal information held by federal agencies.
According to the HITECH Act, health care service providers covered by HIPAA must notify patients "promptly" when their health information has been breached. The Department of Health and Human Services (HHS) and the media must be notified in cases where breaches affect more than 500 individuals. Vendors of personal health information have similar breach notification requirements, but must inform the Federal Trade Commission, rather than HHS.
According to guidance issued by federal banking regulators under the Gramm-Leach-Bliley Act, when a bank or other financial institution becomes aware of a data breach, it should conduct an investigation to determine the likelihood that the information has been or will be misused. If the bank determines that misuse has occurred or is reasonably possible, it should notify the affected customers as soon as possible.
Customer notice may be delayed if law enforcement determines that notification will interfere with a criminal investigation and provides the bank with a written request for the delay. The bank should notify its customers as soon as notification will no longer interfere with the investigation. However, notification cannot be delayed because of embarrassment or inconvenience to the bank.
According to OMB guidance, federal agencies are required to report all data breaches involving personally identifiable information within one hour of discovery or detection. However, agencies have discretion over reporting data breaches outside the agency. They can delay notification for law enforcement, national security, or agency needs.
California Dreaming
At the state level, there is a patchwork of 46 state laws (and the District of Columbia) on data breach notification. California enacted the first data breach notification law in 2002, and it has been used as a model for many other state laws.
Under the California law, companies must disclose a data breach to customers in writing "as soon as possible, without unreasonable delay." If the notifying person or business can demonstrate that notification would cost more than $250,000 or affect more than 500,000 people, then a substitute notice in the form of a website posting and notification to major statewide media may be used. The statute exempts from notification any data breach in which the personal information was encrypted.
However, California, unlike many other states, does not include penalties for failure to promptly notify consumers of a data breach. The National Conference of State Legislatures maintains a list of state data breach notification laws and links to those laws.
Europe or Bust
In Europe, the European Union approved a data breach notification requirement in a 2009 amendment to its E-Privacy Directive. European Union member states had until May 25, 2011, to implement the amendment into national law.
The amendment requires "providers of publicly available electronic communications services" to notify national authorities about a breach of personal information that could result in substantial economic loss and social harm to customers "as soon as" they become aware of the breach. Also, the affected customers should be notified of the breach "without delay." The notification should include information about measures being taken by the company, as well as recommended actions for the affected customers.
Changes to the EU Data Protection Directive are expected in 2012, including a requirement that all companies, not just electronic communications service providers, notify national authorities and affected customers within 24 hours of a breach of personal information.
The U.K. Data Protection Act, which predates the EU E-Privacy Directive, has a comprehensive set of requirements for companies to protect data, although it does not contain a data breach notification requirement.
The U.K. Information Commissioner's Office (ICO), which is in charge of implementing the act, has said that companies should report serious data breaches, defined as breaches that could cause potential harm to individuals, to the ICO. The agency said it would expect U.K. companies to notify it about breaches of unencrypted personal information on 1,000 or more individuals. The ICO said that it is not its responsibility to inform affected consumers, but it may recommend that the company make the breach public "where it is clearly in the interests of the individuals concerned or there is a strong public interest argument to do so."