The phrase "dynamic data breach notification" is rather ambiguous, especially once details such as personal information are introduced into the equation. In general, however, a dynamic data security breach occurs when there is unauthorized access to sensitive Personally Identifiable Information (PII) that could compromise the confidentiality or integrity of that data. Dynamic data breach notification means requiring the organization holding the PII to notify the individuals whose PII was compromised.
Only a few specific sectors of the private-sector economy are currently required by federal law to notify consumers when a dynamic data breach may have compromised their personal information (PII). These include certain financial institutions covered by the Gramm-Leach-Bliley Act and certain health care entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act). There is no comprehensive federal law governing the protection of data held by private actors, nor any comprehensive federal law requiring notification of breaches of such private dynamic data; certain sectors are, however, subject to cybersecurity obligations that may include data security requirements.
In nearly all of the congressional hearings related to data breach notification, Members of Congress raised the possibility of a federal data breach notification law. Bills that would include some form of federal notification requirement for dynamic data security breaches were introduced in the 113th and earlier Congresses. Meanwhile, 47 states currently have data breach notification laws of their own.
According to the National Conference of State Legislatures (NCSL), 47 states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands have passed laws requiring notification of security breaches involving personal information. Three states have not passed such laws: Alabama, New Mexico, and South Dakota. California became the first state to pass such a law in 2002. Businesses have complained about the patchwork of numerous, separate data breach notification laws with which they must comply, citing burdensomeness and inefficiency.
Business groups representing the financial and retail sectors, such as the Financial Services Roundtable and the National Retail Federation, have recently called for passage of a federal dynamic data breach notification law. Some state regulators, state attorneys general, and certain consumer groups have voiced concern that a federal law could pre-empt state laws and prevent states from mandating stricter notification standards; a stronger federal data breach notification law, by contrast, appears more attractive to consumer groups. A number of businesses have called for enactment of a federal notification law because it may result in cost savings, by potentially
Data breach notification laws include several components and address topics such as
- Which entities must comply with the law;
- What information is being protected, and how a security breach or data breach is defined;
- What degree of actual harm must occur, if any, for notice to be triggered;
- How and when notice must be delivered;
- Whether there are any exceptions or safe harbors;
- To what degree the law pre-empts state law and how it relates to other federal laws; and
- What penalties, enforcement authorities, and remedies for those harmed it creates.