The Sedona Conference and its Working Group 11 on Data Security and Privacy Liability (WG11) are pleased to announce that the Commentary on Proposed Model Data Breach Notification Law ("Commentary") has been published.

In 2002, California became the first U.S. state to adopt a data breach notification law, which became effective on July 1, 2003. Since then, a patchwork system of inconsistent data breach notification laws was gradually enacted in other states, with all fifty U.S. states now having enacted some form of notification law. Generally speaking, data breach notification laws require those affected by a data breach (or unauthorized access to data) to notify individuals, customers, and other parties about the breach, as well as to take specific steps to remedy the situation based on directives of the state legislature.

Data breach notification laws are typically viewed as having two main goals. The first is to timely notify individuals whose data was involved in a breach in order to give them the chance to mitigate damage and risks caused by the data breach. The second is to increase accountability of organizations and encourage them to strengthen data security. But the laws, as written, do not necessarily accomplish those goals for two chief reasons. First, there is a lack of uniformity among the various laws, making it challenging for breached entities to understand their obligations. The lack of uniformity also makes compliance more complicated and expensive. Second, most data breach notification letters do little to help consumers. The vague nature of the notices, combined with the fact that consumers are receiving more and more notices specifically telling them not to worry, can lead to fatigue and, eventually, data security apathy.
The Commentary addresses these two chief problems with current data breach notification statutes, and suggests eight areas where the current iterations of state data breach notification laws can be improved by greater uniformity and clarity: (1) definition of security breach; (2) definition of PII; (3) definition of risk of harm; (4) encryption, de-identification, and similar technologies; (5) method and form of notification; (6) timeline for notification; (7) credit monitoring; and (8) notifying law enforcement and regulatory authorities. Proposed model language for each of these eight areas is included in the Commentary. Because of the interplay among them, it is essential to the formulation and subsequent use of this proposed language that the eight sections be considered as a whole.

This Commentary is intended to inform policy decisions at the federal or state levels as data breach statutes evolve. Even if a legislature declines to adopt all of the recommendations made herein, it may benefit from the analysis as to specific elements of such a law.

The Sedona Conference Working Group 11 on Data Security and Privacy Liability

The mission of Working Group 11 is to identify and comment on trends in data security and privacy law, in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and damages. To become a member of The Sedona Conference Working Group Series (WGS) and WG11, please visit our membership page.