In the United States, there are various federal and state data breach notification laws, although there is no comprehensive federal law. In May 2011, the Obama administration submitted a comprehensive cybersecurity proposal to Congress that included a federal data breach notification requirement. This could vastly improve cybersecurity, but as of January 2012, no federal data breach notification legislation had been passed. Here we take a look at data security and the legislation that is being set up to address breaches. (For background reading, see The Basic Principles of IT Security.)

Making a Federal Case

At the U.S. federal level, there are laws and guidance requiring breach notification for specific types of data: the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act for health care information, the Gramm-Leach-Bliley Act for financial information, and the Office of Management and Budget (OMB) guidance for personal information held by federal agencies.

According to the HITECH Act, health care service providers covered by HIPAA must notify patients "promptly" when their health information has been breached. The Department of Health and Human Services (HHS) and the media must be notified in cases where breaches affect more than 500 individuals. Vendors of personal health information have similar breach notification requirements, but must inform the Federal Trade Commission, rather than HHS.

According to guidance issued by federal banking regulators under the Gramm-Leach-Bliley Act, when a bank or other financial institution becomes aware of a data breach, it should conduct an investigation to determine the likelihood that the information has been or will be misused. If the bank determines that misuse has occurred or is reasonably possible, it should notify the affected customers as soon as possible.

Customer notice may be delayed if law enforcement determines that notification will interfere with a criminal investigation and provides the bank with a written request for the delay. The bank should notify its customers as soon as notification will no longer interfere with the investigation. However, notification cannot be delayed because of embarrassment or inconvenience to the bank.

According to OMB guidance, federal agencies are required to report all data breaches involving personally identifiable information within one hour of discovery/detection. However, agencies have discretion as to whether and when to report data breaches to parties outside the agency. They can delay notification for law enforcement, national security, or agency needs.

California Dreaming

At the state level, there is a patchwork of data breach notification laws in 46 states and the District of Columbia. California enacted the first data breach notification law in 2002, and it has been used as a model for many other state laws.

Under the California law, companies must disclose a data breach to customers in writing "as soon as possible, without unreasonable delay." If the notifying person or business can demonstrate that notification would cost more than $250,000 or affect more than 500,000 people, then a substitute notice in the form of a website posting and notification to major statewide media may be used. The statute exempts from notification any data breach in which the personal information was encrypted.

However, the California statute, unlike the laws of many other states, does not include penalties for failure to promptly notify consumers of a data breach. The National Conference of State Legislatures maintains a list of state data breach notification laws and links to those laws.

Europe or Bust

In Europe, the European Union approved a data breach notification requirement in a 2009 amendment to its E-Privacy Directive. European Union member states had until May 25, 2011, to implement the amendment into national law.

The amendment requires "providers of publicly available electronic communications services" to notify national authorities about a breach of personal information that could result in substantial economic loss and social harm to customers "as soon as" they become aware of the breach. Also, the affected customers should be notified of the breach "without delay." The notification should include information about measures being taken by the company, as well as recommended actions for the affected customers.

Changes to the EU Data Protection Directive are expected in 2012, including a requirement that all companies, not just electronic communications service providers, notify national authorities and affected customers within 24 hours of a breach of personal information.

The U.K. Data Protection Act, which predates the EU E-Privacy Directive, has a comprehensive set of requirements for companies to protect data, although it does not contain a data breach notification requirement.

The U.K. Information Commissioner's Office (ICO), which is in charge of implementing the act, has said that companies should report serious data breaches, defined as breaches that could cause harm to individuals, to the ICO. The agency said it would expect U.K. companies to notify it about breaches of unencrypted personal information on 1,000 or more individuals. The ICO said that it is not its responsibility to inform affected consumers, but it may recommend that the company make the breach public "where it is clearly in the interests of the individuals concerned or there is a strong public interest argument to do so."

Data Breaches and Reporting

In response to highly publicized data breaches and public pressure, American and European legislators and regulators are considering requirements that all companies report data breaches to national authorities and affected consumers. However, as of January 2012, none of those efforts had resulted in comprehensive data breach notification laws and regulations in either the United States or the European Union.