State legislatures are starting to make data breach laws tougher in light of the increasing number of data breaches and the difficulty of obtaining legal recourse through the judicial system. On July 1, 2015, Connecticut Governor Dannel Malloy (D) signed a bill into law that provides more protections to Connecticut residents who are victims of stolen confidential information. The bill broadened the definition of “personal information” to include medical and biometric data. Importantly, companies must pay for at least one year of theft prevention services for each resident whose first name or first initial and last name, in combination with Social Security number, was breached or is reasonably believed to have been breached. In addition, companies must provide notice to affected residents no later than 90 days after the day of discovery. The bill also requires companies that store confidential information of Connecticut residents to comply with heightened security and equipment standards.

Many other states are following Connecticut’s lead. In 2015 alone, 32 states are introducing legislation to increase the protections afforded to their residents. It will be interesting to see how far some states will go—proposed legislation ranges from notification requirements to reimbursement of costs and large fines. Predictably, companies are complaining about the expense and difficulty of complying with varying state laws.

Companies and their trade associations are lobbying the federal government to create a uniform federal standard through the Data Security and Breach Notification Act of 2015, which is currently being considered by Congress. This Act may preempt the patchwork of state laws and enforce a definition of personal information that is narrower than what many states use. The Act merely imposes a reporting requirement and does not require companies to improve their cybersecurity. For the time being, consumers are better off under state law.

Forrest James
