User:Svn38/Security breach notification laws

Article Draft
This is an edit to the Wikipedia page Security breach notification laws. The original article covers a more global aspect of breach notification laws inclusive of Australia, China, European Union, Japan, New Zealand, and the United States.

My edits to this article are focused on the United States.

Security breach notification laws - Wikipedia

United States
Attempts to pass a federal data breach notification law have been unsuccessful; however, as of 2020, all 50 states have enacted data breach notification laws. While data breach notification laws are in place in all 50 states, the reporting of ransomware attacks may not follow suit in requiring notification as unauthorized access to a system or network may not be considered a breach. For example, the State of New Jersey’s definition of security breach covers “unauthorized access,” which would cover Ransomware. Other states, such as Maryland, use language to define a breach as “unauthorized acquisition of computerized data."

Assumptions of notification laws
The premise of data breach notification laws is that by making organizations provide public notice, it will incentivize organizations to invest in better cybersecurity or face consequences of financial penalties and damage to image. While there is some marginal evidence supporting stock price decreases after breach notifications, the lasting negative impact to an organization is short-lived. This efficacy debate is still unclear.

Federal Law
As of 2020, there is no federal data breach notification law. The first proposed federal data breach notification law was introduced to Congress in 2003, but it never exited the Judiciary Committee. Similarly, a number of bills that would establish a national standard for data security breach notification have been introduced in the U.S. Congress, but none passed in the 109th Congress. In fact, in 2007, three federal data breach notification laws were proposed, but none passed Congress. In his 2015 State of the Union speech, President Obama proposed new legislation to create a national data breach standard that would establish a 30-day notification requirement from the discovery of a breach. This led to President Obama's 2015 Personal Data Notification & Protection Act (PDNPA) proposal. This would have created federal notification guidelines and standards, but it never came out of committee.

Chlotia Garrison and Clovia Hamilton theorized that a potential reason for the inability to pass a federal law on data breach notifications is states' rights. As of now, all 50 states have varying data breach notification laws. Some are restrictive, while others are broad. While there is not a federal law on data breach notifications, some states have data privacy laws with data breach provisions. Some notable examples include: the Federal Trade Commission Act (FTC Act), the Financial Services Modernization Act (Gramm-Leach-Bliley Act), and the Health Insurance Portability and Accountability Act (HIPAA).

With the May 12, 2021 Executive Order on Improving the Nation’s Cybersecurity, all cybersecurity service providers shall share and report all data related to breaches, incidents, and potential incidents providing critical cybersecurity threat intelligence. Further, information and communications technology (ICT) providers shall report cyber incidents within specific time periods. The order goes a step further requiring the reporting of known vulnerabilities in the critical software supply chain. With the introduction of this executive order, there is growing support from the White House Administration to have the U.S. Congress extend breach reporting requirements beyond the 2021 executive order establishing reporting requirements for federal government agency contractors and suppliers.

Individuality of State Laws
With each state legislating their own security breach notification laws, the differences in wording result in different interpretation of the law leading to confusion in implementation to comply with state requirements. This variation in language within state legislation on breach notification include, but are not limited to the defining attributes listed below.


 * Definitions of personal information and breach,
 * Who must comply (businesses, government agencies, non-profits, and other organizations),
 * The form of data (e.g. is it limited to computerized data, or is inclusive of paper date),
 * Exemptions in reporting (e.g., data that was breached in encrypted form may not need to be reported),
 * When notification is required, what event(s) constitute a breach,
 * Content of the breach notification to the public, see Figure 1,
 * How soon must the breach be reported,
 * Can individuals bring a lawsuit against the breached entity, see Figure 2,
 * The method of notification (physical mail, telephonic, electronic, or a substitute method based on limitations with cost, number of effected parties, or insufficient contact data), and
 * Who shall receive the breached notice.

While data breach notification laws are in place in all 50 states, the reporting of ransomware attacks may not follow suit in requiring notification as unauthorized access to a system or network may not be considered a breach. For example, the State of New Jersey’s definition of security breach covers “unauthorized access,” which would cover Ransomware. Other states, such as Maryland, use language to define a breach as “unauthorized acquisition of computerized data."

There is continued discussion on whether disclosure is an effective regulatory mechanism on its own. In addition to state attorney general’s actions, some states allow individuals to sue breached organizations directly for damages.

State Law Evolution
The first such law, the California data security breach notification law, was enacted in 2002 and became effective on July 1, 2003. The bill was enacted in reaction to the fear of identity theft and fraud. As related in the bill statement, law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition, the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach of the security of the data.

In general, most state laws follow the basic tenets of California's original law: Companies must immediately disclose a data breach to customers, usually in writing. California has since broadened its law to include compromised medical and health insurance information. Where bills differ most is at what level the breach must be reported to the state Attorney General (usually when it affects 500 or 1000 individuals or more). Some states like California publish these data breach notifications on their oag.gov websites. Breaches must be reported if "sensitive personally identifying information has been acquired or is reasonably believed to have been acquired by an unauthorized person, and is reasonably likely to cause substantial harm to the individuals to whom the information relates." This leaves room for some interpretation (will it cause substantial harm?); but breaches of encrypted data need not be reported. Nor must it be reported if data has been obtained or viewed by unauthorized individuals as long as there is no reason to believe they will use the data in harmful ways.

The National Conference of State Legislatures maintains a list of enacted and proposed security breach notification laws.

Some of the state differences in data breach notification laws include thresholds of harm suffered from data breaches, the need to notify certain law enforcement or consumer credit agencies, broader definitions of personal information, and differences in penalties for non-compliance.

Existing laws are evolving across the states, requiring more entities to report data breaches and decrease reporting times. There is momentum from lawmakers to create stricter data breach reporting requirements extending requirements further into both the government and private sectors.

Debate over federal or state laws
Advocates of a state-by-state approach to data breach notification laws emphasize increased efficiency, increased incentives to have the local governments increase data security, limited federal funding available due to multiple projects, and lastly states are able to quickly adapt and pass laws to constantly evolving data breach technologies.

A challenge with each state having its own security breach notification laws comes down to the provisions that define the law. Security breach notification laws define who must comply, definitions of personal information, what events or activity constitute a breach occurring, and what are the requirements for reporting. An example of the varying notification requirements across states can be seen in Figure 3. The category of "No explicit deadline" is overloaded with definitions including "as soon as practical", "as soon as possible", "without unreasonable delay", "immediately", and others. Navigating the combinatorics of the variations to the attributes make it difficult for organizations to comply consistently across states. A federal security breach notification law would provide a uniform standard.

Most scholars, like Angela Daly, advocate for federal data breach notification laws emphasize the problem with having varying forms of data breach notification laws. That is, companies are forced to comply with multiple state data breach notification laws. This creates increased difficulty to comply with the laws and the costs. In addition, scholars have argued that a state-by-state approach has created the problem of uncompensated victims and inadequate incentives to persuade companies and governments to invest in data security.