Data breach prevention and response are again at the forefront of the public consciousness with the recent news of a massive data breach by Yahoo. The call for federal breach notification legislation was revived by the FTC on September 27, 2016, five days after the Yahoo breach was announced. During testimony before the U.S. Senate Committee on Commerce, Science and Transportation, the FTC reiterated "its longstanding, bipartisan call for federal legislation that would (1) strengthen its existing data security authority and (2) require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach." Just twelve days prior, John Carlin, assistant attorney general for national security at the Department of Justice, called for a unified federal breach notification law, referring to the existing spread of 47 state laws as
Yahoo reported the largest data breach to date, affecting at least 500 million user accounts. The tech giant is not alone in experiencing a significant data breach, as many American companies have suffered high-profile data breaches in the last couple of years. In light of major hacking events becoming increasingly prevalent in the news, consumers, regulators and legislators alike are focusing more intently on data breach response and prevention standards. Earlier this year, the FTC reported receiving 490,220 identity theft complaints from consumers during 2015—a 47% year over year
Past attempts at federal breach legislation have stalled. In January 2014, the Data Security Breach Notification Act of 2014 was introduced in the Senate but did not move past referral to a Senate subcommittee. The following year, President Obama addressed the FTC and announced the introduction of new federal data breach notification legislation, among other measures to protect individual privacy and guard against identity theft. The Personal Data Notification and Protection Act of 2015 was introduced in the House of Representatives two months later in March 2015, but it also did not move past subcommittee
Currently, data breach notification laws exist at the state level—with 47 states plus D.C. each having their own breach notification law. Thus companies storing the personal information of residents of multiple states—an increasingly common situation thanks to Internet commerce—may need to comply with dozens of separate breach notification standards in the event of a
It remains to be seen whether federal breach notification legislation will be enacted in the coming months or years. In the meantime, U.S. companies should understand that data breaches are here to stay—and will only become more prevalent. Accordingly, companies should be proactive in establishing functional policies to respond to a breach, and actively engage in table-top exercises to ensure they are ready to address breach incidents swiftly and appropriately.