As recently as 2005, if a company or government agency had a security breach that compromised customers’ personal information, there was little chance those customers would hear about it. Times have certainly changed. The first U.S. law requiring notice of security breaches was enacted in California in 2002. It wasn’t until a much-publicized breach at ChoicePoint in 2005, however, that the issue received much attention and other states began to follow California’s lead. Over forty states have notice laws covering businesses, government agencies or both. Federal bank regulators have also published guidance to financial institutions as to when and how consumers should be notified of a security breach at their institution. These laws, and the bank guidance, vary from each other in many ways:

  • What types of companies or government entities are covered?
  • What types of personal information are covered?
  • What types of security breaches are covered?
  • How soon must notice be given?
  • What must the notice contain?
  • How must the notice be sent?
  • Are there any “safe harbors” for companies/agencies that have an alternative notice process?
  • What are the remedies and penalties for violations?

In Europe, the European Data Protection Supervisor has announced support for the creation of a security breach notification requirement for EU member states.

Companies that handle or store personal information can find information on LawServer about liability for security breaches, data security laws, special requirements for financial institutions and the special handling of credit reports.

If you have received a notice of a security breach, be sure to read about measures you can take to protect yourself from identity theft, such as monitoring your credit report, placing alerts on your credit file, or even freezing your credit file.