Readers of our blog know that the NYDFS cybersecurity rules and the European GDPR are part of a trend in regulation towards onerous breach notification requirements with very short (i.e., 72-hour) deadlines. But there are other, less well-known examples.
Alabama and South Dakota recently passed data security statutes, which means there are now breach notification obligations for all 50 states. Alabama’s Data Breach Notification Act, effective on June 1, has a 45-day notification deadline, while South Dakota’s law, effective on July 1, requires notification to affected individuals within sixty days of discovery of a data breach.
South Carolina also recently expanded notification obligations by becoming the first state to enact a version of the Insurance Data Security Model Law. This law requires all licensees of the South Carolina Department of Insurance to notify the chief insurance regulatory official for the relevant state (here, South Carolina) within 72 hours after they determine that a cybersecurity event has occurred. More information about the Insurance Data Security Model Law is available in our previous post.
Other states are amending their statutes to shorten their breach notification requirements. For example, in Colorado, HB 18-1128 (the “Privacy Law”) will take effect on September 1, 2018, and provides for notification “in the most expedient time possible and without unreasonable delay, but not later than thirty days after the date of determination that a security breach occurred.” Similarly, Oregon recently amended its data breach notification law, effective June 2, to require that notification occur no later than forty-five days after discovery. Canada and Singapore have also recently passed new cybersecurity regulations. In Canada, the Digital Privacy Act, set to go into effect on November 1, 2018, requires businesses that experience data breaches to notify affected individuals and Canada’s Privacy Commissioner as soon as feasible. And the Singapore law includes criminal penalty for those who fail to comply with the regulations.
As we have indicated before, we believe that the trend towards more onerous breach notification obligations, with shorter and shorter deadlines (especially for notification to regulators) is likely to continue unabated for the foreseeable future.
The Davis Polk Cyber Portal has many resources to help clients quickly assess their various breach notifications obligations before and during a cyber event. The Portal is frequently updated to reflect changes in cybersecurity regulations and guidance across jurisdictions in real time. If you have questions about the Portal, please contact firstname.lastname@example.org.
The authors gratefully acknowledge the assistance of summer associate Alyssa Braver in preparing this entry.