UK Companies can be affected by US Data Security Breach Notification Laws

When private information is compromised, the repercussions for your business can be serious and costly.

The USA has been ahead of the curve in protecting its citizens against data breaches and, although there is no single federal law on data protection, 46 of the states have developed their own regulations. In fact, it is easier to list the states without such laws: Alabama, Kentucky, New Mexico and South Dakota.

UK companies that deal with the US in any fashion may fall under these state laws without their knowledge. It is, therefore, crucial to be aware of the rules that apply following a breach that results in the loss of personal data.

California became the first state in the country to require data breach notification, with a law that took effect in 2003. The California data security breach notification law established the specific content companies must provide when notifying Californians that their personal information has been compromised, and it remains among the most stringent today. In general, most state laws follow the basic principles of California’s original law.

The California data security breach notification law requires any person or business that conducts business in California to notify any resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorised person as the result of a breach of security.

The type of personal information that triggers the requirement to notify individuals is unencrypted, computerised information consisting of an individual’s name plus one of the following:

  • Social Security number
  • Driver’s license or California Identification Card number
  • Financial account number (including credit or debit card number)
  • Any medical information and health insurance information

Notice must be given to individuals “in the most expedient time possible and without unreasonable delay.” Notice to individuals may be delayed if a law enforcement agency determines that notification would impede a criminal investigation or in order to take measures necessary to determine the scope of the breach and restore reasonable integrity to the system. An entity that maintains the data but does not own it must notify the data owner immediately following discovery of a breach.

Notice may be provided to individuals in writing, electronically or by substitute notice. Substitute notice means using all of the following methods: email to any available addresses, conspicuous posting on the organisation’s website, notification of major statewide media, and notification of the California Office of Privacy Protection. Substitute notice may be used if:

  • the cost of providing an individual notice is more than $250,000
  • more than 500,000 people would have to be notified
  • the organisation does not have sufficient contact information for those affected

The notice to individuals must be written in plain language. It must include the name and contact information of the notifying entity, the types of personal information involved, contact information for the credit reporting agencies in the case of a breach of Social Security or driver’s license numbers, and also, if known at the time of notification, the date of the breach and a general description of the incident.

Additional information that may be provided in the notice includes what the entity has done to protect individuals and advice on what individuals can do to protect themselves.

Organisations required to notify individuals of breaches affecting more than 500 Californians must also submit a sample copy of the notice to the Attorney General. In addition to the costs associated with these notification procedures, civil or criminal penalties may apply, as may multiple lawsuits, including large-scale class action suits.

To insure against the costs involved should a data breach occur, please contact Adam Lawrence on 0118 9165 484 or complete one of our enquiry forms.

Author: Adam Lawrence | July 23rd, 2014
