In light of the President’s recent call for enactment of the Personal Data Notification and Protection Act, containing a 30-day notification deadline, it’s worth noting that at present most state breach laws require state residents to be notified “without unreasonable delay,” which strikes me as a better compromise.
Only Florida (30 days), Ohio (45 days), Vermont (45 days) and Wisconsin (45 days) include firm notification deadlines, and none of those deadlines allows for the lengthy forensic work that a major breach often requires to determine its scope, its impact and the individuals who must be notified, particularly if the data is hosted by or at a third-party service provider.
In this connection, many state data breach statutes also contain a version of the following clause, which is not frequently discussed or considered during a breach. We’ll be examining what such language does and could be argued to mean for parties developing their data incident response plans. The following is taken from Nebraska’s data breach notification statute, but as noted, many of the 47 states with breach disclosure laws contain similar language.
“An individual or a commercial entity that maintains its own notice procedures which are part of an information security policy for the treatment of personal information and which are otherwise consistent with the timing requirements of section 87-803, is deemed to be in compliance with the notice requirements of section 87-803 if the individual or the commercial entity notifies affected Nebraska residents in accordance with its notice procedures in the event of a breach of the security of the system.”