Data protection has become a top priority for both governments and individuals in the United States. With the increased reliance on technology during the COVID-19 pandemic, it is more important than ever to secure confidential data.
The Obama administration began federal discussions about data breach notification regulations in 2011. Four years later, the president called for stronger data privacy laws, stating that the internet “creates enormous opportunities but also enormous vulnerabilities.” Since then, each state has developed its own guidelines, and some of the laws governing data breach notification are now more than 10 years old. Although they are broadly similar, there are many distinct disclosure regimes, and some have a more complicated breakdown of obligations and harsher penalties than others.
Anyone who handles qualifying data needs to be familiar with the legal and regulatory environment for potential breaches in their state. (Also see: Privacy and Data Protection in the USA 2020.)
Making a Federal Case
On the federal level, a legal case can fall into a few different categories depending on the kind of data that has been accessed.
For health care, and for the organizations and industries that must adhere to its legislation, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) both protect patient and medical data. The Gramm-Leach-Bliley Act (GLBA) is crucial in protecting financial data. The National Conference of State Legislatures also maintains a complete list of states and their applicable breach notification laws.
Case Study: Ransomware Attack at the Hollywood Presbyterian Medical Center
In 2016, Hollywood Presbyterian Medical Center in Los Angeles faced a ransomware attack on its systems and patient data. After promptly notifying patients and the public, hospital executives announced that they had paid the ransom, about $17,000 worth of Bitcoin, stating that the data was too important to lose.
A breach of this type led to a federal case, with the FBI supporting the investigation. More recently, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) published an advisory informing the public that paying a ransom demanded by cybercriminals could itself be a violation of U.S. law (in particular where the payment would go to a sanctioned person or entity).
However, if the hospital had not made some form of announcement, it would have been in direct violation of the notification requirements of HIPAA, HITECH and the Department of Health and Human Services (HHS). Much like this patient data case, a data protection violation recently made headlines in the financial world.
Case Study: Mortgage Solutions’ Consumer Data Protection Penalty
In 2020, the mortgage brokerage Mortgage Solutions was subject to a $120,000 fine after the Federal Trade Commission (FTC) found that the company had failed to protect customer data. The FTC imposed this civil penalty on the grounds that the company had violated the Fair Credit Reporting Act, the GLBA and Section 5 of the FTC Act.
The case arose from a claim that Mortgage Solutions had released sensitive personal data belonging to its customers, including income sources, taxes and health information, in response to negative Yelp reviews from consumers and mortgage applicants. (Also read: Massive Data Breach: The Truth You May Never Know.)
California establishes breach laws
These federal acts are extremely useful in helping consumers and the public understand data breaches on a national level. However, states also have their own data breach laws, and California is an example of a state that is very thorough in implementing notification regulations.
California law requires that a state agency or business notify any California resident whose unencrypted personal information, as defined in the statute, was acquired, or is reasonably believed to have been acquired, by an unauthorized person, and that it do so as quickly as possible. The state clearly defines personal information, which includes biometric data and Social Security numbers. Companies must protect this sensitive data wherever it is handled, including data generated by edge computing and Internet of Things devices.
California companies that violate this act, or fail to take any action after a breach, may be subject to criminal prosecution, with penalties of up to $250,000. Notification violations in particular can lead to hundreds of thousands or even millions of dollars in fines, depending on the time frame and the response. The notification violation is a recent addition and was not always part of the law.
Learn from Europe
The European Data Protection Board (EDPB) published its guidelines on data breach notification in January 2021, and these guidelines are very strict. Many European countries are notoriously concerned about how companies use their citizens’ data. For instance, in 2020, Ireland’s Data Protection Commission sent Facebook an order to suspend the transfer of European users’ data to the United States. Failure to comply with this ruling could have cost Facebook up to $2.8 billion.
With these regulations and actions, Europe is prepared for a breach coming from any direction. Under the EDPB guidelines and the GDPR, companies must notify the supervisory authority of a breach (within 72 hours of becoming aware of it) and must also notify the individuals whose data was affected when the breach is likely to pose a high risk to them. (It is worth noting, however, that the notification clock only starts once the data controller, i.e., the company or business in charge of the data, has discovered the breach. The breach itself may have been ongoing for weeks, months or even years before that.)
The document also outlines the types of breaches, the penalties and fines associated with them, and how to comply with the General Data Protection Regulation (GDPR).
EDPB outlines some examples of breaches that could happen, including:
The U.S. can learn from Europe
While each state has its own set of rules and regulations for data breach notification, the U.S. government should develop a comprehensive federal cybersecurity law. This would add another layer of protection to the ever-growing universe of data. (Read also: The Best Way to Combat Ransomware 2021.)
Companies must protect this information as the technology landscape changes and every innovation consumes more data. Companies that fail to do so expose themselves to data breaches that trigger obligations under data breach notification laws, and then to penalties for mishandling those obligations. To stop this domino effect, the U.S. needs more federal regulation.