Data Breach Reporting: Summary of Governing Bodies with Reporting Requirements in the United States



Introduction

When it comes to Personally Identifiable Information (PII), privacy laws and regulations are complex and constantly changing. In the United States and around the globe, new requirements are making their way through legislative processes to become law. Additionally, evolving court rulings and consent decrees continue to change the regulatory landscape.

Currently, there are nine United States federal privacy laws with fourteen federal regulations spanning a variety of governmental agencies such as the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Federal Communications Commission (FCC), Internal Revenue Service (IRS), Food and Drug Administration (FDA), Federal Financial Institutions Examination Council (FFIEC), Department of Homeland Security (DHS) and Office of Federal Housing Enterprise Oversight (OFHEO). Federal regulations governing data disposal, authentication requirements and data breach reporting have been created by the IRS, FCC, SEC, Electronic Commerce Research Applications (ECRA), the Gramm-Leach-Bliley Act (GLBA), the USA Patriot Act, the ACH Operating Rules, the United Nations Convention on the Use of Electronic Communications and state credit freeze laws. Additionally, a variety of federal court decisions, ranging from the TJ Maxx litigation to United States v. ChoicePoint, Inc., and multiple FTC administrative decisions and consent decrees all shape the scope of responsibilities for businesses, entities, employers and non-profits.

Companies engaged in business-to-consumer transactions are regulated under consumer protection laws. Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. For example, seven states have their own privacy laws and nineteen have data disposal laws.
To add to the complexity, states have their own regulations and consent decrees. Moreover, companies doing business internationally have yet another layer of responsibility to add to their diligence.

Federal Privacy Laws Affecting Merchants

Here's a look at the current roster of federal privacy legislation affecting employers, businesses, nonprofits and any organization handling personal data:

1. GLBA - Gramm-Leach-Bliley Act, Pub. L. 106-102, Sections 501 and 505(b), 15 U.S.C. Sections 6801, 6805. GLBA regulates the privacy of personally identifiable, nonpublic financial information disclosed to non-affiliated third parties by financial institutions. The Act requires administrative, technical and physical safeguards to protect the security and privacy of information and authorizes the states to pass consumer privacy protections that are stronger than those contained in the Act. GLBA is aimed at financial institutions, but the FTC has extended its application to other industries. Even if a company is not a financial institution, it is likely that the FTC would use GLBA requirements to measure the effectiveness of the company's Information Security Policy.
2. HIPAA - Health Insurance Portability and Accountability Act, 42 U.S.C. 1320d-2 and 1320d-4.
3. Sarbanes-Oxley Act - Pub. L. 107-204, Sections 302 and 404, 15 U.S.C. Sections 7241 and 7262.
4. FCRA/FACTA - Fair Credit Reporting Act.
5. COPPA - Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq.
6. E-SIGN - Electronic Signatures in Global and National Commerce Act, 15 U.S.C. 7001(d).
7. FISMA - Federal Information Security Management Act of 2002, 44 U.S.C. Sections 3541-3549.
8. Homeland Security Act of 2002 - 44 U.S.C. Section 3532(b)(1).
9. Privacy Act of 1974 - 5 U.S.C. Section 552a.

Breach Reporting Requirements

Here's a look at some of the various requirements that must be examined and constantly updated:

1. Notification to State Attorneys General of Data Breach

Alaska: Notification Obligation - Any entity to which the statute applies shall disclose the breach to each Alaska resident whose PII was subject to the breach after discovering or being notified of the breach. Notification is not required if, after an appropriate investigation and after written notification to the state Attorney General, the entity determines that there is not a reasonable likelihood that harm to the consumers whose PII has been acquired has resulted or will result from the breach. The determination shall be documented in writing and the documentation shall be maintained for five years.
Hawaii: Attorney General/Agency Notification - If more than 1,000 persons are notified at one time under this section, the business shall notify the State of Hawaii's Office of Consumer Protection of the timing, content, and distribution of the notice.

Louisiana: Attorney General Notification - When notice to Louisiana citizens is required by the statute, the entity shall provide written notice detailing the breach of the security of the system to the Consumer Protection Section of the Attorney General's Office. Notice shall include the names of all Louisiana citizens affected by the breach. Notice to the state AG shall be timely if received within 10 days of distribution of notice to Louisiana citizens. Each day notice is not received by the state Attorney General shall be deemed a separate violation.

Maine: Attorney General/State Agency Notification - When notice of a breach of the security of the system is required, the entity shall notify the appropriate state regulators within the Department of Professional and Financial Regulation. If the entity is not regulated by the Department of Professional and Financial Regulation, the entity shall notify the state Attorney General.

Massachusetts: Attorney General/State Agency Notification - Notice must be provided to the state Attorney General and the Director of Consumer Affairs and Business Regulation. Upon receipt of notice, the Director of Consumer Affairs and Business Regulation shall identify any relevant consumer reporting agency or state agency, and forward the names of the identified consumer reporting agencies and state agencies to the notifying entity. The entity shall, as soon as practicable and without unreasonable delay, also provide notice to the consumer reporting agencies and state agencies identified by the Director of Consumer Affairs and Business Regulation.

Missouri: Attorney General Notification - In the event an entity provides notice to more than 1,000 consumers at one time pursuant to this section, the entity shall notify, without unreasonable delay, the state Attorney General's office of the timing, distribution, and content of the notice.

New Hampshire: Attorney General/Regulator Notification - An entity engaged in trade or commerce that is subject to N.H. Rev. Stat. 358-A:3(I) (trade or commerce that is subject to the jurisdiction of the bank commissioner, the director of securities regulation, the insurance commissioner, the public utilities commission, the financial institutions and insurance regulators of other states, or federal banking or securities regulators who possess the authority to regulate unfair or deceptive trade practices) shall also notify the regulator which has primary regulatory authority over such trade or commerce. All other entities shall notify the state Attorney General. The notice shall include the anticipated date of the notice to the individuals and the approximate number of individuals in New Hampshire who will be notified.
New Jersey: Attorney General/Police Notification - Any entity required under this section to disclose a breach of security of a customer's personal information shall, prior to disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities.

New York: Attorney General/Agency Notification - If any New York residents are to be notified, the entity shall notify the state Attorney General, the Consumer Protection Board, and the state Office of Cyber Security and Critical Infrastructure Coordination as to the timing, content and distribution of the notices and the approximate number of affected persons. The state Attorney General's website has a form to be used for notifications.

North Carolina: Attorney General Notification - In the event a business provides notice to an affected person pursuant to this section, the business shall notify without unreasonable delay the Consumer Protection Division of the state Attorney General's office of the nature of the breach, the number of consumers affected by the breach, steps taken to investigate the breach, steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice. The Attorney General's website contains a form to be used for notification.

Vermont: Notification Obligation - Any entity to which the statute applies shall notify affected individuals residing in Vermont that there has been a security breach following discovery or notification to the entity of the breach. Notice of a security breach is not required if the entity establishes that misuse of personal information is not reasonably possible and the entity provides notice of the determination that the misuse of the personal information is not reasonably possible, together with a detailed explanation for said determination, to the Vermont Attorney General or, in the event that the entity is a person or entity licensed or registered with the Department, to the Department of Banking, Insurance, Securities, and Health Care Administration.

Virginia: Attorney General/Agency Notification - The state Attorney General must be notified whenever any Virginia residents are notified under the criteria above. In the event an entity provides notice to more than 1,000 persons at one time pursuant to this section, the individual or entity shall notify, without unreasonable delay, the state Attorney General of the timing, distribution, and content of the notice. For health information, the entity must also notify the Commissioner of Health.

2. State Laws Requiring Reporting of Data Breaches to State Attorneys General

States (with table note marker): AK (1), CA (1), CT (2), FL (2), HI (2), IA (2), LA (1), ME (2), MD (2), MA (2), MO (2), NH (1), NJ (2), NY (1), NC (2), PA (1), SC (1), VT (2), VA (2)

Attorney General (AG) Reporting Requirement Defined (each state's law imposes one of the following):
- If any notifications are sent, one (1) copy of same must be sent to the AG prior to notification.
- Require AG notification only if greater than 1,000 notifications are being sent.
- Require AG notification independent of customer notification.
- Consultation with the AG and other authorities prior to notification of customers (and only if greater than 1,000 notifications are being sent).

Table Notes:
1. States with data breach laws requiring reporting to the state Attorney General ONLY if the breached company is licensed or conducts business in that state are denoted in the list with (1).
2. States with data breach laws requiring reporting to the state Attorney General REGARDLESS of where the breached company is licensed or does business are denoted with (2).

3. Special State Reporting Requirements for Breaches

Here are more examples of the difficulty in keeping up with the growing number of different state offices and departments that must be informed of data breaches:

State            Office or department to be notified
Maine            Department of Professional and Financial Regulation
Vermont          Department of Banking, Insurance, Securities & Health Care Administration (BISHCA)
New Hampshire    CIO, Department of Administration
New York         Consumer Protection Board
Hawaii           Office of Consumer Protection
Virginia         Virginia Department of Health
Massachusetts    Office of Consumer Affairs and Business Regulation
New Jersey       Division of State Police in the Department of Law and Public Safety
California       State Department of Public Health
Connecticut      State Insurance Commissioner

4. Notice to the Secretary of Health & Human Services (HHS)

The breach notification form provided by the US Department of Health and Human Services is just one more example of breach reporting that must be done, and in this case, immediately. Again, filing as required is meant to mitigate further penalties.

5. Breach Reporting to the US Secret Service

Any of the 24 regional offices of the US Secret Service Electronic Crimes Task Force must be notified in the event of suspected or confirmed loss of personally identifiable data: Atlanta, Birmingham, Boston, Charlotte, Chicago, Cleveland, Dallas, Houston, Kentucky, Las Vegas, Los Angeles, Maryland, Miami, Minnesota, New York, Upstate New York, Oklahoma, Orlando, Philadelphia, Pittsburgh, San Francisco, Seattle, South Carolina and Washington Metro.

6. Card Brand Reporting

Last, but certainly not least: in the event of loss or suspected loss of credit card information, all the affected payment card companies must be informed in a timely fashion to mitigate further penalties: Visa Inc., MasterCard Worldwide, American Express Company and Discover Card.

Conclusion

Data breach reporting regulations are complex and constantly changing. The CSR Breach Reporting ToolKit solution relieves merchants of the time-consuming burden of ascertaining which authorities at which governing bodies need to be informed. Time is of the essence to mitigate further penalties. CSR's team of Certified Information Privacy Professional (CIPP) experts keeps up with the latest changes to provide merchants with the most up-to-date services and greatest peace of mind.