Question

Assignment:

Review the Security Breach Notification of all 50 states.

Pick a state then summarize the compliance notifications mandated by the respective government. Then address the following:

• Do the laws make sense?
• Are the laws too lenient?
• Too strict?
• Are you comfortable with the law?

Answer 1

The Secuirty Breach Act of Albama contains notification requirements that apply to covered entities and their third-party service providers.

A covered entity generally must notify affected Alabama residents of a breach of security if two conditions are met: (1) SPII has been or is reasonably believed to have been acquired by an unauthorized person; and (2) substantial harm to affected individuals is "reasonably likely" to result.

Covered entities must notify Alabama residents, by mail or email, "as expeditiously as possible and without unreasonable delay," but not later than 45 days after being notified of a breach by a third-party agent or determining that a breach has or is reasonably believed to have occurred. There are exceptions/exemptions for law enforcement investigations and compliance with other similar laws. Notice to residents must at least include: (1) the estimated date of the breach; (2) a description of the SPII acquired without authorization; (3) a general description of remedial measures; (4) a general description of protective measures the individual may take; and (5) contact information for the covered entity.

Covered entities must notify the Alabama Attorney General (and national credit reporting agencies) under the same time constraints noted above if a breach involves more than 1,000 "individuals"—a term defined to mean Alabama residents. The notice must include: (1) "a synopsis of the events surrounding the breach"; (2) the approximate number of affected individuals; (3) any services being offered without charge to the individuals, and related instructions; and (4) contact information for the covered entity. Importantly, any information marked "as confidential" will not be subject to open records, freedom of information, or other public record disclosure laws.

A third-party agent must notify the covered entity of a breach impacting relevant SPII "as expeditiously as possible and without unreasonable delay, but no later than 10 days following the determination of the breach of security or reason to believe the breach occurred." The third-party agent must cooperate with—and provide information in its possession to—the covered entity, which then has the notification obligations noted above. The covered entity may contractually delegate its notification obligations to a third-party agent.

Are the Laws too lenient?
While most states require entities to provide breach notifications in the most expedient time possible and without unreasonable delay following the discovery of a breach,Albama passed legislation in 2018 requiring notification of affected individuals within 45 days of discovery of a breach.This can't be noted as leniency just because Colorado and Florida enacted a 30-day deadline for notification in US.
Some states consider any username and password to be sensitive data, Alabama’s law limits its definition to those usernames and passwords that would permit access to an online account affiliated with the covered entity where the online account is “reasonably likely to contain or is used to obtain” sensitive information.

Are the Laws too Strict?
Yes the laws are strict as Alabama's Act provides guidance on information governance protocols within a mandate that covered entities and third-party service providers "take reasonable measures" to dispose of records containing sensitive, personally identifying information when those records "are no longer to be retained pursuant to applicable law, regulations, or business needs" and nearly early every type of business is captured by the Act's definition of "covered entity," defined as a "person, sole proprietorship, partnership, government entity, corporation, non-profit, trust, estate, cooperative association, or other business entity" under the Act. As a result, businesses that acquire or maintain sensitive, personally identifying information for Alabama residents should immediately review their current information governance and incident response plans with their legal counsel to ensure compliance with the Act.
A violator could be subject to a $2,000-per-person penalty, capped at $500,000. Covered Entities that notify after the 45-day deadline could also be fined up to $5,000 per day.

Are you comfortable with the law?
Yes the laws are comfortable as the law applies to anyone who acquires or uses sensitive personally identifying information.
It also applies to anyone who maintains, stores, processes or is permitted access to sensitive personal identifying information for someone else.
These laws will help establish a baseline understanding regarding consumer attitudes toward data loss and firm
responses. They also have implications for business practices, regulatory policy, and the public. For example, companies can take note of
preferred ways to respond to customers and adjust other business practices; policymakers and regulatory agencies can review notification
methods and data breach laws to speed up notification and prevent
further harm with any stolen data.
Even though these laws are being followed,steps that would highly satisfy most respondents/citizens were (1) take measures to ensure that a similar breach cannot occur in the future (68 percent), (2) offer free credit monitoring or similar services to ensure that lost data is not misused and (3) notify consumers immediately . All three of these actions were valued more highly than receiving financial compensation for the inconvenience.