Recently Updated Data Breach Laws By State

What is a data breach?

Data breaches are unauthorized access to and theft of sensitive data by cybercriminals. Bad actors may gain entry to an organization’s store of customer data through various techniques, including brute force attacks, phishing, or social engineering schemes. Ransomware attacks may encrypt sensitive data and restore access to vital systems only if the company pays a ransom (and access may not be restored even if the victim pays in full).

Organizations of all sizes experience data breaches, but professionals and small firms are especially susceptible due to the large amount of sensitive data they store for their customers and their lack of cybersecurity resources. Cybercriminals target sensitive data they can leverage for ransom or identity theft, such as usernames, addresses, phone numbers, social security numbers, and personal health information.

The importance of knowing data breach laws for your state

IBM reports that the average data breach costs each organization $4.45 million globally, an increase of 2% over 2022. Massive data leaks continue to crop up in the news, with the MGM Resorts and the MOVEit breaches being two of the most recent. The MOVEit breach is one of the broadest and most damaging breaches to date, with over 1000 organizations affected and over 60 million end users’ data exposed.

In response to this pervasive threat, federal regulatory bodies, all fifty states and Puerto Rico, and the EU have strengthened data breach notification laws. These laws, regulations, and strongly worded suggestions govern how, when, and to whom an organization must report a data breach. Failing to meet the state’s data breach compliance laws (many of which are in the process of changing or taking full effect early in 2024) can result in negative consequences such as fines, penalties, or even lost licensure.

Beyond staying compliant, it’s essential to try and follow state data breach laws because they are often informed by the latest best practices and thinking surrounding cybersecurity. Following the latest laws in your state and nationally helps to communicate to your clients that you care about keeping their most valuable data safe. Additionally, existing regulatory codes can guide your organization in creating a data breach response plan, which details who to notify and how to best respond to a breach.

Federal changes

This year, in response to high-profile breaches, federal regulators changed requirements on how and when to report a breach. The SEC changed its disclosure rules earlier in the year, and the update will take effect at the end of the year. Organizations that report to the SEC and that suffer a “material” breach (i.e., a significant one) must disclose it to the SEC within four days. Breaches involving national security may qualify for a special exemption under specific circumstances. Even then, disclosure must occur within 45 days.

The FTC updated its 20-year-old Safeguards Rule for non-bank financial organizations with long-term customer relationships. The list includes colleges, payday lenders, car dealerships, etc. The new rule states that organizations suffering breaches affecting 500 or more customers must notify affected customers immediately. The rule also updates what information should be contained in the notice. The FTC also updated the Health Breach Notification Rule (HBNR), which applies to health services vendors not covered under HIPAA rules. The update clarifies what qualifies as a breach and what information must be provided to consumers.

Less directly affecting professionals but potentially affecting their clients, the FCC updated breach compliance rules involving customer proprietary network information (CPNI), which covers the type of data that communications firms collect. The FCC broadened the definition of a breach and updated the notification protocols to include what information should be communicated to the FCC and law enforcement post-breach.

Most significant data breach law updates by state

Over a dozen states strengthened or updated their data breach laws in 2023. Following federal guidance, the trend is toward expanding the definition of a data breach and shortening the timeframe in which an organization must notify regulators, local government, law enforcement, and exposed customers. Below is a summary of significant updates.

California

California has recently expanded its data breach reporting rules, requiring businesses and state agencies to notify residents if an unauthorized person has acquired their unencrypted personal information. Notification samples must be submitted to the Attorney General for breaches affecting more than 500 people. Additionally, the state’s Consumer Privacy Act imposes disclosure requirements on firms that collect consumer data and allows consumers to opt out of data sales. This law applies to firms earning more than $25 million per year or having more than 50,000 customers.

California is committed to protecting data privacy, which is evident through the establishment of its regulatory body, the California Privacy Protection Agency. Its proactive approach is an example for other states to follow, especially with the growing concerns around data breaches and online privacy violations. California and the EU’s GDPR continue to be leaders in the data breach compliance space and set the tone that other states (and federal regulators) tend to follow.

Colorado

The Colorado Privacy Act took effect in July. This Act defines “controllers” and “processors” of customer data, and several other states have followed suit. In essence, a controller uses customer data for specific purposes (e.g., marketing), and a processor is an entity that manipulates said data on behalf of a controller. The law also grants consumers new rights to opt in to and out of targeted marketing and data usage.

This act builds on existing breach notification laws, which dictate that all entities should have written policies for disposing of personal identifying information (PII), whether paper or electronic, and take appropriate measures to safeguard PII.

Oregon

The Oregon Consumer Privacy Act, effective July 1, 2024, mandates explicit consent for sensitive data processing, including personal information such as race, ethnicity, mental/physical condition, and precise geolocation. Controllers must provide detailed privacy notices to consumers, including data categories, processing purposes, consumer rights, third-party data sharing, and contact information. Oregon businesses and state agencies must notify affected individuals of data security breaches. The Attorney General must also be informed if more than 250 people are impacted.

Pennsylvania

Pennsylvania’s data breach notification law has been updated to include more types of personal information and new concepts such as “discovery” and “determination” of a breach. The amendments also establish specific deadlines for government entities, agencies, and schools to provide notice and require state agencies and their contractors to implement policies and procedures for the proper encryption and storage of personal information held on behalf of the Commonwealth.

Rhode Island

Senate Bill No. 5684 amended the Identity Theft Protection Act on June 27, 2023, requiring notification of a cybersecurity incident within 24 hours. Any security breach that poses a significant risk of identity theft must be reported to the attorney general and major credit reporting agencies, with a brief description of the incident and its date. Remediation services must also be provided to affected individuals.

Texas

Under the Unauthorized Use of Identifying Information law, organizations are required to notify both consumers and the Attorney General of a breach if personal information is believed to have been acquired by an unauthorized person. If the breach affects more than 250 people, notification must be given within 60 days. If it affects more than 10,000 people, consumer reporting agencies must also be notified. Texas has updated these regulations, shortening the deadline for notifying the state attorney general about a breach to 30 days, effective from September 1st, 2023. The deadline for informing individuals remains at 60 days. Additionally, covered entities must now submit breach reports to the attorney general electronically using a form available on their website, and the attorney general’s office will publish these reports within 30 days.

Utah

Utah’s law mandates prompt notification of consumers in case of a security breach. Recently, a new entity called the “Utah Cyber Center” was created under the Cybersecurity Amendments to oversee cyber policy matters. Companies must report breaches affecting more than 500 residents to the state attorney general and the Utah Cyber Center, and breaches affecting more than 1000 residents to credit reporting agencies as well.

Virginia

The Virginia Consumer Data Protection Act (VCDPA) came into effect on January 1, 2023, intending to increase protection for citizens in the digital age. It extends consumer privacy rights, defines personal information comprehensively, and outlines data protection requirements for those who control or process personal data of at least 100,000 consumers or 25,000 consumers with over 50% of gross revenue from the sale of personal data. Some organizations are exempted from the VCDPA, including those subject to HIPAA, not-for-profit organizations, higher education institutions, financial institutions, and data subject to the Gramm-Leach-Bliley Act.

McGowanPRO’s education and cyber liability insurance

To meet the challenge of adhering to various cyber breach security notification laws, McGowanPRO is here to help. We offer decades of experience, training, and educational resources to ensure your business stays compliant. Furthermore, we provide cyber insurance coverage in the event of a successful data security breach. As a family-owned business with deep roots in the insurance industry, we continuously evolve to fulfill the changing needs of our clients while delivering the best products, premiums, and customer service. Contact us today to discover how we can support you.

For a deep-dive into the latest cybersecurity compliance laws by state, download our ebook: Federal and State Guide to Data Breach Notification Laws.