According to the United States Government, “A data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.” The news has been filled with massive company data breaches involving customer and employee information.
Notification Laws: Every state in the U.S., with the exception of Alabama and South Dakota, has a data breach notification law in place. The National Conference of State Legislators has a link to all the different state laws so you can see what your state requires. Keeping track of all these laws could be very confusing, not including all the international laws for multinational corporations. Currently, there is no federal law that covers general personal information data breaches. Both the Data Security and Breach Notification Act of 2015 and Personal Data Notification and Protection Act of 2017 have been introduced into the House of Representatives but that is as far as they got. For health information specifically, there are two rules at the federal level that cover notification to those effected which are the Health Breach Notification Rule and the HIPAA Breach Notification Rule.
Data Ownership: Discussion stemming from these breaches has brought up the topic of data ownership. The personal information that companies have residing in their databases has long been thought of as their property. This concept has been changing and evolving as our personal data has been proliferated into many databases with increasingly more personal information being collected and generated. Users of these websites and companies understand that organizations need their information to provide services, whether that’s a personalized shopping experience or hailing a ride. This point of ownership cannot be highlighted enough. The acquiring of personal information gained in a data breach is not just an attack on the company but is an attack on all this users whose personal information was stolen and could be sold or used for illegal activities.
Timing: Customers of these companies want to know if their information has been compromised, so they can evaluate if accounts or other identity fraud situations have occurred. There are several milestones in the data breach timeline. One is when the data breach actually occurred. This may not be known if the company does not have a digital trail and infrastructure to discover when this happened. This may be well before the next milestone of the company discovering a breach and assessing the extent of the breach. The next milestone would be the corrective action taken by the effected company or agency to ensure the data is now being protected. Currently, only eight states have a firm deadline for notification which is usually 30 to 90 days after discovery of the breach.
Encryption: California led the data breach notification law effort by passing, in 2002, a law requiring businesses and government agencies to notify California residents of data security breaches. In the California law, there is an exception to notifying those effected if the personal information is encrypted. The law defines the term “encrypted” to mean “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.” These broad terms for encryption do not include a particular levels of encryption but tries to leave open the increasing level of encryption by whatever the industry standard is at that time. Maybe if a breach occurs, a government or third party could evaluate the company’s encryption levels to determine if reporting is required.
The issue of data breaches is not going away. If Government agencies and companies do not respond in a fashion that customers find acceptable, users will start to become wary of sharing this valuable personal information and the insights that come with it will be lost.