Maryland? California? New York or was it Nebraska? Maybe it was Florida? Keeping data breach laws and regulations organized by state can be a very daunting and confusing task.
For example in Massachusetts, the notification letter cannot include the nature of the data breach, but Hawaii, Iowa, Michigan and a multitude of other states require that a description be included. North Carolina requires information on directing a person to remain vigilant by reviewing account statements and monitoring credit reports, while Oregon requires information on how to report suspected incidents of identity theft to local law enforcement or the attorney general.
While reading through each state’s mandated law, you will probably find your head spinning. I know I have on more than one occasion.
How do you uphold to 50 varying state laws? How do you keep them separated or grouped together? What about the U.S. territories? Puerto Rico has some very stringent regulations that you don’t want to leave out. Do you send 25-50 different letter versions?
Luckily, the answer is “no”. Some people would suggest that you could learn from other company mistakes and research the lawsuits and the specific state legislation you don’t want to get wrong. You could also go to every state’s legislation and attorney general page and keep a very long, extensive list of the requirements.
Unfortunately, both those options could hinder you and wreak havoc with the timeframe you have. It can also create a lot of room for error and typically during a data breach, time is of the essence.
I can say from experience and what has served us well here at ID Experts, is to take the highest common denominator and verify that all state requirements are included. If a specific state is an outlier from the others and requires something outside the norm, you may want to consider sending a specific letter to that state, but you don’t need 50 different letter versions.
For a data breach notification letter, you want to understand where your affected population resides and the specific states that were affected. From there, you can look at the most aggressive and the highest common denominator and incorporate them as a whole.
I’ve been writing data breach letters for many years now and I’m still shocked and surprised how some states can be on the forefront of privacy and security, while some have barely made a decision.
With all this said, what matters the most is peoples’ personal information. These laws, while often different, are making a strong impact and starting a positive change that is definitely overdue.
Senior Project Manager-Data Breach Response Team