Security breach notification laws


Security breach notification laws have been enacted in most U.S. states since 2002. These laws were enacted in response to an escalating number of breaches of consumer databases containing personally identifiable information.[1]

The first such law, the California data security breach notification law, Cal. Civ. Code 1798.82 and 1798.29, was enacted in 2002 and became effective on July 1, 2003.[2] As related in the bill statement, the law requires "a state agency, or a person or business that conducts business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the data, as defined, to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." In addition, the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation." The law also requires any entity that licenses such information to notify the owner or licensee of the information of any breach in the security of the data.

In general, most state laws follow the basic tenets of California's original law: companies must immediately disclose a data breach to customers, usually in writing.[3] California has since broadened its law to include compromised medical and health insurance information.[4]

The National Conference of State Legislatures maintains a list of enacted and proposed security breach notification laws.[1]

A number of bills that would establish a national standard for data security breach notification have been introduced in the U.S. Congress, but none passed in the 109th Congress.[5]

The European Union implemented a breach notification law in the Directive on Privacy and Electronic Communications (E-Privacy Directive) in 2009.[6] Member states had to transpose this directive into national law by 25 May 2011.

Wikimedia Foundation. 2010.
