by Steven A. Ahillen
As a business owner, you’ve probably heard a lot about the European Union’s General Data Protection Regulation (GDPR). April 16, 2022, marks the six-year anniversary of its enactment. This regulation has become a model for data privacy laws around the globe.
GDPR applies to any entity anywhere that processes personal data of individuals located in the European Economic Area (EEA). Non-European companies, including those in the U.S., must comply with its stringent requirements.
In contrast, the U.S. has no national data privacy statute. Data privacy in this country is governed by a patchwork of federal statutes and regulations (e.g., HIPAA) and state laws (e.g., the California Consumer Privacy Act). Additionally, every state has its own data breach notification law. The result is that when a business with customers in the U.S. experiences a data breach, the company has to determine its obligations in multiple jurisdictions. An online retailer must identify its obligations under the myriad laws of all 50 states plus Washington, D.C., Guam, Puerto Rico, and the Virgin Islands.
Different states’ data breach notification laws contain similar features, but with numerous variations. Common requirements include notifications to affected individuals, state attorney general offices and credit reporting agencies. However, the timing, content and method of these notifications vary from state to state. Some states, including Missouri, require notice to affected individuals “as expeditiously as possible.” Other states set a hard deadline, such as Alabama’s 45-day rule. Indiana allows a business to notify its customers via email; Illinois does not (without prior customer consent). North Carolina requires notice to the Attorney General’s Office if a breach affects even one person, but Arizona only requires notification if at least 1,000 Arizonans are affected.
Even the definitions of “personally identifiable information” and “breach” are not universal. To make things more difficult, states frequently update their statutes. In 2021 alone, at least 22 states introduced or considered measures to amend existing security breach laws.
Every year, new bills are introduced in Congress to establish a universal federal data breach notification requirement. None has become law. In July 2021, Senator Mark Warner (VA) introduced a bill requiring notification of a data breach to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours, with daily penalties for late reporting, but the proposed bill remains in committee. Senators Gary Peters (MI) and Rob Portman (OH) proposed a bipartisan bill requiring reporting to CISA within 72 hours without fines for violators. It received a favorable report from the Committee on Homeland Security and Governmental Affairs in October 2021, but no action has been taken since then.
Despite the obvious human toll, the COVID-19 pandemic was rocket fuel for e-commerce. Consumers around the globe made more purchases via the internet than ever before. Online purchasing habits are here to stay. Now, more than ever, there is a strong incentive for bringing greater uniformity to U.S. data breach laws. All businesses, large and small, will want to keep an eye on this developing area of law.
Steven A. Ahillen, litigation attorney with Danna McKitrick, P.C., assists clients with cybersecurity and data protection issues, mergers and acquisitions, employment law matters, and probate. He has experience with the transportation industry and in regulatory compliance and subrogation. Steve can be reached at 314.889.7141 or firstname.lastname@example.org.