Data Breach Requirements
There are both state and federal regulatory schemes governing data breaches and the notification of individuals whose personally identifiable information may have been compromised. We provide the resources to identify the individuals who must be notified of a breach. We generally perform these services in conjunction with forensic experts who obtain the data to be reviewed, cybersecurity experts, and lawyers who specialize in data breach matters.
The sources of federal law that most frequently come into play are, in the medical information area, the HIPAA regulations (45 CFR Parts 160 and 164) and, in the financial services area, the Gramm-Leach-Bliley Act (15 U.S.C. Sec. 6801 et seq.) and the regulations issued thereunder.
Under HIPAA, notification of a breach is required without unreasonable delay and in no case later than 60 days following discovery of the breach. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to the covered entity, so the 60-day period is an outer limit rather than a target. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
Under the Gramm-Leach-Bliley Act and the interagency guidance issued thereunder, notification of a breach is required to “the affected customer as soon as possible.”
Each state has its own statutory scheme that must be followed when the data of its residents is breached. It is wise to read the applicable statutes together and comply with the most aggressive notification timeline. Click on the state you are interested in to find a link to that state's data breach provisions.