Privacy Laws Are A Changin’: Three Data Breach Developments to Watch

By Alex Wall, Esq., CIPP/US CIPP/E
Senior Global Privacy Officer

Privacy laws at the state and federal level are a changin’. The latest emerging developments I’ve seen are: increasing stringency in state laws, varying penalties for noncompliance across state jurisdictions, and recent federal penalties. What these laws could mean for future enforcements can be angst-inducing.

With that in mind, I want to reiterate a few words of encouragement I have for privacy professionals who are working hard under strained resources in a constantly changing landscape: You are doing good and important work. In the privacy profession, we are charged with protecting our organizations and protecting consumers by determining best practices for protecting data, selecting what data can be used, and deciding in what way we can use that data. This is no small task. When it comes to thinking about how data needs to be managed in rapidly evolving environments, privacy professionals are at the forefront.

Major Takeaway: Overall Increased Stringency and Complexity

As anyone in the privacy profession will likely opine, working with sensitive and regulated data does not appear to be getting any easier anytime soon. Consider:

  • At a state level, data breach notification laws are becoming increasingly complex and stringent. More states are shoring up the parameters, which might require notifications to agencies and impacted individuals, including when and how these notifications take place.
  • If you’re not compliant with state notification requirements, penalties for noncompliance in each state are similarly complex and vary widely. Some states may allow for several potential consequences and large maximum fines, while others may be more ambiguous in enforcement of penalties. Dealing with multi-jurisdictional data breaches could mean compounded penalties.
  • In early January 2017, the Office for Civil Rights (OCR) announced the first ever enforcement settlement for lack of a timely breach notification, and has issued similar enforcements in the weeks since. This enforcement should not be surprising, because it aligns with the emphasis OCR placed on compliance with the Breach Notification Rules when it launched the Phase 2 audit program last year.

How State, Federal, Industry Specific, and International Breach Regulations Influence One Another

As multi-layered as state and federal data breach laws may feel, looking only at these two areas can miss a larger part of the picture–namely, the international and industry-specific regulations that may be top of mind for privacy professionals, depending on their organization.

Two questions in particular are worth raising:

  • How do these laws intersect with the Interagency Guidelines Establishing Information Security Standards?
  • What impacts, if any, can you see GDPR having on federal enforcements in 2018?

Interagency Guidelines Provide an Alternative to Complying with Some State Breach Notification Rules, Require that Every Institution Have an Incident Response Program

One of the nuances of the American breach notification structure is alternate compliance, or the ability to comply with a state breach notification law by complying with a different, specifically referenced standard. The Interagency Guidelines Establishing Information Security Standards (PDF) are one example of this: they allow financial institutions in certain states (and one territory) to satisfy state data breach laws by instead fulfilling their obligations to the FDIC and other banking regulators under the Interagency Guidance. These Interagency Guidelines set out both the standard for when notification is required and the contents of the breach notification.

The Guidance states that “every financial institution should also develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems,” and includes provisions regarding standard, timeline, and contents of the notification.

Impact of GDPR on Federal Regulations: Following Europe’s Lead When it Comes to Data Privacy Protection

As the May 2018 deadline for General Data Protection Regulation (GDPR) compliance weighs heavily on the mind of every privacy professional, we may also assume that those setting Federal regulations are likewise taking note. Having been afforded the opportunity to attend many conference sessions, meetings and webinars hosted by members of the Federal Trade Commission, I can see indications that the FTC is paying attention to the examples set forth in the European Union, especially in efforts to reconcile American and European standards per the EU-US Privacy Shield framework. It is notable that, as explained by Hogan Lovells’ Julie Brill (former FTC commissioner), the EU-US Privacy Shield framework may be undermined in spirit but is not actually subject to the Privacy Act, and therefore not to executive action concerning the same.

And don’t forget, the GDPR has up to four percent global annual revenue penalties attached. This figure may embolden federal regulators to increase their own penalties. The GDPR may be driving a global movement in privacy.

  1. This is a helpful article. The embedded graphic lists states/territories that have provided for compliance with their own state data breach laws.
    One question…is it the “blue” states or the “black” states that have these additional compliance requirements?
    Thank you.
