As the issues of cybersecurity and data protection have become matters of acute interest to business owners, C-level executives, and institutional advisers, Expert Webcast is pleased to share with you an article prepared by our regular thought leadership contributor, James Westerlind of Arent Fox LLP: "Survey of Data Breach Notification Statutes within the United States and its territories."
This Survey provides answers to the key initial questions that a company should have with respect to state data breach notification statutes if it learns that the personally identifiable information that it maintains for its customers or employees, or on behalf of other companies that it does business with, has been, or likely has been, breached or used in an unauthorized manner. Namely:
(1) Which statutes in a particular jurisdiction apply?
(2) Who must comply with the notification requirements?
(3) What data is covered by the statutes?
(4) What constitutes a data breach?
(5) Who must be notified pursuant to the statute?
(6) When must notice be sent?
(7) In what form or manner must notice be sent?
(8) Are there any exemptions?
(9) Who may enforce the requirements and what penalties may be imposed for violations?
(10) Are there any industry-specific requirements?
This Survey is a useful tool and guide for data security planning and response purposes. If your company experiences a data security incident, one of the first things that you must consider is the potential scope of the incident and whose personally identifiable information may be implicated. If the customers whose personally identifiable information may have been breached reside in multiple jurisdictions in the U.S., you will have to analyze the data breach notification rules of each of those jurisdictions and comply with each. While most of the statutes are similar, many have particular nuances, and a failure to comply may result in additional problems and liability for the company. This Survey is intended to make this task easier for you.