In November we discussed the standards governing whether and when a consumer must be notified of a data breach. The current answer is that almost all states have notification laws, but the required format and timing of the notice vary from state to state. The Obama Administration now appears to be moving toward a single federal standard that would apply in every state. Today, President Obama is expected to announce significant legislation that would require companies to notify their customers of a data breach within 30 days of discovering it. The Personal Data Notification and Protection Act is expected to impose this single, clear “30-day Shot Clock” benchmark as a means of addressing the variability in state data breach notification requirements.
While bipartisan support is anticipated, it is not clear when Congress will take up the proposed legislation. Further, advocacy groups are already urging that the federal standard be no less strict, in either the method or the timing of notification, than the state law standards now in place.
We will keep you updated on developments concerning this important legislation as it is introduced and makes its way through Congress. For now, as Spencer Fane noted in the November 6, 2014 entry, all companies should have a detailed data breach response plan, with a predetermined risk assessment protocol, in place.
For questions about this privacy law and data breach issues, please email or call Bryant Lamer at blamer@spencerfane or 816.292.8296.