Data Security Breaches: The State of Notification Laws

摘要

California's Security Breach Information Act (SBIA), which took effect July 1, 2003, was the first state law to impose a general obligation on businesses to notify the state's residents of data security breaches involving their personal information. Since then, at least 34 other states have enacted similar laws, many of them closely modeled on the SBIA. Most of the recent laws pair the notification obligation with a general duty to safeguard against security breaches. Some also include requirements related to the secure disposal of unwanted records. The most important variation on the SBIA has been the introduction of a risk-based exception, allowing affected entities to avoid notification based on their own assessment that the risk of harm is less than a statutorily defined standard. Each state's data security breach notification law typically applies broadly to any entity that does business in the state or maintains data files with the personal information of the state's residents, so the laws reach beyond state borders.rnIn this article, David L. Silverman of Stoel Rives examines the new laws, with attention to the variations among them and the policy objectives behind them. He then considers thernpotential for damages awards under the data security breach notification laws in light of recent decisions on negligence claims predicated on the loss of personal data to third parties. Mr. Silverman concludes his article by analyzing the prospects for new federal legislation in this area.