Data Privacy Laws Are Spreading
Thanks to the GDPR legislation in the E.U., data privacy laws are spreading like wildfire in the USA. Legislation codifying consumer-data protections and reporting has passed in three states and is under way in 20 others.
All 50 states have some requirements for data-breach notification, but the new laws expand consumer rights regarding their data and broaden businesses’ data-handling mandates. Widely included in passed and proposed legislation are consumers’ rights to access their own data, to have errors corrected, to restrict data use or delete it altogether, and to opt out of collection, among others. The personal information covered is defined in a particular way in each jurisdiction’s law but normally includes at least the combination of a person’s name with another piece of data, such as a Social Security number, account number, or driver’s license/ID number.
Common business obligations under these laws include running risk assessments, stating the purpose of data collection, limiting data processing and dissemination, and notifying both the government and consumers, among others.
Do you know what your state’s data privacy laws require? Are you affected by the laws of other states? The National Conference of State Legislatures offers a helpful resource through its website (www.ncsl.org; search “data breach”) that lists links to each jurisdiction’s data breach law. This information will prove helpful to business owners hoping to learn if such a law applies to their business and, if so, how to comply.
Cyber risk insurance can help with some of the costs of notification, investigation and settlements if your company is found liable for a data breach. Your insurance agent or broker can help you find a policy that meets your cyber risk needs.