Data Breach Legislation Continues to Be a Moving Target

By: Arieanna Schweber | 11/12/2015

Compliance is a moving target for organizations today. Not only are State and National laws constantly in flux, but organizations must also pay attention to industry regulators and regulations (HIPAA, SEC, the Gramm-Leach-Bliley Act) in terms of compliance. Given the global nature of many organizations, laws such as the EU GDPR also have an impact on US organizations. Post-breach, the potential litigation net is even wider, with investigations and potential fines coming from the FTC, industry regulators, state attorneys general and the class action bar.

Staying on top of changes in requirements for preparedness and data breach response is an overwhelming task for organizations. In the middle of this year, there were 32 States with pending data breach legislation. Recent legislative changes to be aware of include:

  • California has updated Civil Code Section 1798.82 with two new bills signed into law by Governor Jerry Brown: Bill 570 and Bill 964. Bill 570 added requirements to the existing data breach notification law about the format and content of the notice, while Bill 964 further defined what constitutes “encrypted” data, which is exempt from data breach notification requirements.
  • Japan amended its Personal Information Protection Act on September 3, 2015, which would impact organizations that do business over the Internet with people in Japan.
  • A new standard has been set in class-action suits: with the AvMed settlement, a precedent has been set that plaintiffs do not need to prove ascertainable damage in order to receive a settlement.
  • Educational institutions and EdTech providers are now subject to new laws in several States that outline additional policies and procedures for handling student data.

We recently released a whitepaper, Global Data Breach Notification Laws: Meeting Requirements and Mitigating Risks with Endpoint Security, intended to help security teams understand the basic requirements of data breach notification rules worldwide, including the specific expectations pertaining to mobile incidents, in order to develop effective risk management and compliance strategies.

Changes to the regulatory landscape, paired with increased data security risks, the rapid pace of change in technology and more complex employee demographics, have created a complex environment for IT data security. Learn how Absolute can help your organization navigate the choppy regulatory landscape and mitigate data security risks here.
