The compliance landscape has been undergoing rapid changes throughout 2015, particularly in the US at the State level. While Federal legislation is still pending (and controversial), and International legislation such as the EU General Data Protection Regulation will impose drastic changes on many global organizations, the continued rapid pace of change in the US means that organizations must constantly stay on top of an ever-changing set of requirements.
In the US, many new regulators have been stepping up and new laws are cropping up all the time at the State level. Throughout the year we have been summarizing some of these shifts, with 6 State laws revised in the first three months of the year and a number of changes since then to those bills that were ‘in progress’, as well as other States filing their own updates. Right now, at least 32 states have data-breach notification laws on the docket.
In Illinois, the proposed legislation discussed earlier this year continues to make progress. SB1833 was approved by the Senate and the House and is now in the hands of the Governor for approval. This bill would put organizations under scrutiny post-breach as to the level of “reasonable safeguards” that were in place to protect data.
In New York, Bill A06866 was introduced to the Assembly to amend the General Business Law with a new section that requires organizations to "develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity” for the entire lifecycle of that data. Organizations would be required to prove compliance post-breach or could be exempt from this if certified annually by an independent third-party. If found non-compliant, organizations could be fined up to $10 million, with “knowing or reckless” violations up to $50 million, or three times the aggregate amount of any actual losses. These penalties could be enforced even if no financial losses were accrued.
In Washington, House Bill 1078 was passed into law. As discussed earlier this year, this law strengthens data breach notification requirements, among which is a requirement to notify law authorities within 45 days of the suspected breach.
In Oregon, SB 601 was signed into law, including amendments that make reporting a breach to the AG office mandatory, allows for greater enforcement authority and expands the definition of personal information to include health and biometric data.
Many legislative changes in the past year have focused on open-ended references to proper safeguards, a definition which would likely be fluid in its interpretation from a legal standpoint. Many would agree that encryption is no longer enough; regulators now expect more and this definition of more will likely expand as the risks to data continue to evolve.
When it is found that your organization has failed to implement proper data protections, you could now find yourself subject to investigations and fines from multiple regulatory bodies for the same data breach event. Investigations and litigations related to a data breach can take years to resolve.
We recently released a whitepaper, Global Data Breach Notification Laws: Meeting Requirements and Mitigating Risks with Endpoint Security, intended to help security teams understand the basic requirements of data breach notification rules worldwide, including the specific expectations pertaining to mobile incidents, in order to develop effective risk management and compliance strategies.
Changes to the regulatory landscape, paired with increased data security risks, the rapid pace of change in technology and more complex employee demographics, has created a complex environment for IT data security. Learn how Absolute Software can help your organization navigate the choppy regulatory landscape and to mitigate data security risks here.