July 20, 2023
1 p.m. - 2 p.m. Eastern Daylight Time (EDT)
Data breach notification laws are typically viewed as having two main goals. The first is to timely notify individuals whose data was involved in a breach in order to give them the chance to mitigate damage and risks caused by the data breach. The second is to increase accountability of organizations and encourage them to strengthen data security. But the laws, as written, do not necessarily accomplish those goals for two chief reasons. First, there is a lack of uniformity among the various laws, making it challenging for breached entities to understand their obligations. The lack of uniformity also makes compliance more complicated and expensive. Second, most data breach notification letters do little to help consumers. The vague nature of the notices, combined with the fact that consumers are receiving more and more notices specifically telling them not to worry, can lead to fatigue and, eventually, data security apathy.
To address these two chief problems with current data breach notification statutes, Working Group 11 on Data Security and Privacy Liability (WG11) drafted The Sedona Conference Commentary on Proposed Model Data Breach Notification Law (“Commentary”), now open for public comment (and available for download here).
The Commentary suggests eight areas where the current iterations of U.S. state data breach notification laws can be improved by greater uniformity and clarity: (1) definition of security breach; (2) definition of PII; (3) definition of risk of harm; (4) encryption, de-identification, and similar technologies; (5) method and form of notification; (6) timeline for notification; (7) credit monitoring; and (8) notifying law enforcement and regulatory authorities. Proposed model language for each of these eight areas is included in the Commentary. Because of the interplay among them, it is essential to the formulation and subsequent use of this proposed language that the eight sections be considered as a whole.
In this webinar, members of the Commentary drafting team will present their proposed areas where the current iterations of U.S. state data breach notification laws can be improved by greater uniformity and clarity – and solicit your input. They will also discuss how the Commentary can inform policy decisions at the U.S. federal and state levels as data breach statutes evolve. The webinar is scheduled for 60 minutes, during which time you may ask questions of the panel, who will endeavor to address all that time allows.