Out-Law News

US to create new data breach notification rules

US businesses will be required to notify consumers within 30 days that there has been a breach of the security of their personal data under plans outlined by US president Barack Obama.

The proposal is part of a package of measures Obama said are needed "to protect the identities and privacy of the American people".

"We’re introducing new legislation to create a single, strong national standard so Americans know when their information has been stolen or misused," Obama said in a speech in Washington on Monday. "Right now, almost every state has a different law on this, and it’s confusing for consumers and it’s confusing for companies -- and it’s costly, too, to have to comply to this patchwork of laws. Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late. So under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days." 

"In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans – even when they do it overseas," he said.

Hong Kong-based data protection law expert Paul Haswell of Pinsent Masons, the law firm behind Out-Law.com, said the US plans are a response to a series of major data breach incidents that have been reported in the media. These include the hacking of Sony Pictures and the data breach experienced by US retailer Target, in which the personal data of approximately 110 million of its customers was stolen, he said.

"I'm not sure the US plans will convince other jurisdictions to follow suit, but it is a good example of how recent events can dictate policy and then law," Haswell said. "The first question organisations often ask when a breach occurs is whether notification is required, but currently there is no duty under Hong Kong law to notify such incidents to either regulators or the public. From experience, it seems that companies in Hong Kong are not notifying unless they think they will get caught."

Peter Bullock of Pinsent Masons said, though, that it is "sensible" for businesses to tell customers about data breach incidents even if not obliged to do so under the law.

"This approach allows businesses to retain an element of control over the reporting of these incidents which they might not have should customers or employees blow the whistle," Bullock said.

In Europe, planned reforms to EU data protection rules would introduce a general personal data breach notification requirement for the first time. Some businesses operating in the EU are already subject to sector-specific data breach notification rules, including telecoms providers.

Data protection law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture partner of Pinsent Masons, said it is likely that other countries will also implement new data breach notification laws, but that the prompt for doing so would not be the US taking action in this area.

"For Singapore, while what happens in the US and Europe has some influence, it will not be binding, so to speak," Tan said. "What will push this over the line is some kind of incident or an international trade requirement."

Tan said privacy regulations around the world are being introduced "in waves", with "basic data protection laws" being enacted for the first time in many jurisdictions in recent times and with specific data breach notification rules likely to be the next step for many of these countries.

"Notification of data breach is currently only best practice in Singapore but it is only a matter of time before it becomes law," Tan said.

Last year, new data protection laws came into force in Singapore. Those laws require companies to take steps to preserve the security of personal information, but they do not force businesses to own up to data breach incidents.

Data protection expert Marc Dautlich of Pinsent Masons said that a company suffering a data breach that spans more than one jurisdiction cannot, in practice, avoid notifying consumers in the countries where no breach notification rules apply if it is subject to such a requirement in one of the other countries affected.

Among the other measures outlined by Obama are plans to give US consumers free access to information about their credit which is held by financial institutions. He said this would help consumers identify whether they have been the victim of identity fraud at an earlier stage.

Obama also said a new Consumer Privacy Bill of Rights would be drafted. He said this would serve "to both protect personal privacy and ensure that industry can keep innovating".

"We believe that consumers have the right to decide what personal data companies collect from them and how companies use that data, that information; the right to know that your personal information collected for one purpose can’t then be misused by a company for a different purpose; the right to have your information stored securely by companies that are accountable for its use," Obama said. "We believe that there ought to be some basic baseline protections across industries. So we're going to be introducing this legislation by the end of next month, and I hope Congress joins us to make the Consumer Privacy Bill of Rights the law of the land."