As of late 2014, 47 U.S. states had approved data breach notification legislation, with Alabama, New Mexico and South Dakota the lone holdouts.
Not exact matches
Manitoba is now getting its own legislation that will require notification following a data breach which will have many companies asking questions, says Judith Payne of Pitblado LLP.
Mandatory breach notification under PIPEDA (the federal privacy legislation that governs in most provinces) should be in effect sometime in 2018.
In addition to the notification requirements under privacy legislation, the organization could also have a broader legal duty under negligence law to notify an individual whose data has been breached if that breach could harm, or could materially increase the risk of harm to, that individual.
More recent legislation requires notification to the patient when there is a breach of unsecured protected health information.3
As legislation changes and the breach notification requirements in Canada evolve, so too will the costs associated with damage from hackers, breaches, cyber extortion, and other cyber-related crimes.
Prescribing the content of notifications to individuals and reports to the Commissioner will align the federal private sector regime for mandatory breach reporting with equivalent provincial legislation, and those of Canada's major trading partners.
On Sept. 1, the federal government released proposed text for regulations to govern mandatory breach reporting and notification under Canada's federal privacy legislation, the Personal Information Protection and Electronic Documents Act, or PIPEDA.
Other "digital legislation" produced by the ULCC includes the Uniform Electronic Evidence Act (1998, fairly widely adopted) and the Uniform Privacy Protection Act (Data Breach Notification) of 2010.
Uniform legislation on breach notification should be able to operate with all of them, since the Conference will probably recommend enactment to all.
We provide legal guidance on all aspects of relevant legislation in the area, including data processing agreements, cross-border transfers of personal data, employment data treatment and data breach notifications.
[63] The Working Group on Identity Theft recommends legislation to make notification of privacy breaches mandatory in significant instances, using the jurisdictions' privacy commissioners or independent privacy review officers as the screens for the important decision whether the breach is important enough to justify the costs to all parties of notification.
NAR supports a single Federal standard for data breach notification and will work to see that any legislation enacted is narrowly tailored to protect small businesses from undue compliance burdens.