Security Breach Notification Laws
Security breach notification laws have been enacted in most U.S. states since 2002. These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information. [http://www.ncsl.org/programs/lis/cip/priv/breach.htm State Security Breach Notification Laws]

The first such law, the California data security breach notification law, Cal. Civ. Code 1798.82 and 1798.29, was enacted in 2002 and became effective on July 1, 2003. [http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html SB 1386 Senate Bill - CHAPTERED] As related in the bill statement, the law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition, the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach in the security of the data.

The California law has been the model for the enactment of similar laws in other states. [http://infosec.uga.edu/policymanagement/breachnotificationlaws.php University of Georgia: EITS: Information Security] California has since broadened its law to include compromised medical and health insurance information. [http://www.leginfo.ca.gov/pub/07-08/bill/asm/ab_1251-1300/ab_1298_bill_20071014_chaptered.html California AB 1298 (2007)]
The National Conference of State Legislatures maintains a list of enacted and proposed security breach notification laws. [http://www.ncsl.org/programs/lis/cip/priv/breach.htm State Security Breach Notification Laws]

A number of bills that would establish a national standard for data security breach notification have been introduced in the U.S. Congress, but none passed in the 109th Congress. [http://www.rsa.com/blog/entry.asp?id=1173 Speaking of Security... | Blog Entry: Shannon Kellogg | Data security a: 1173]

The European Union is considering a breach notification law and published a proposal on November 13, 2007. [http://ec.europa.eu/prelex/detail_dossier_real.cfm?CL=en&DosId=196419 PreLex - result of search]

External links
* [http://www.scottandscottllp.com/resources/state_data_breach_notification_law.pdf Breach reporting requirements by state]
* [http://www.lawserver.com/security-breach-notification Interactive map comparing U.S. security breach notice laws]

References
Wikimedia Foundation. 2010.