As each month of 2021 passes, more and more states are joining the bandwagon of establishing more extensive regulations on cybersecurity — and many of them are adding data breach notification laws specifically. Taken together, this new wave of laws and bills could have major ramifications for enterprises and the way they handle future cyberattacks.
From Connecticut to California
Many of the new regulatory changes target specific sectors where consumer data breaches have been on the rise. In California, for example, the Department of Public Health updated its data breach regulations for health facilities, as of July 1.
Under the new regulations, health facilities must report data breaches to the CDPH within 15 days of their discovery. Failure to comply will result in a fine of at least $15,000, according to Health IT Security.
Importantly, the regulations allow for some flexibility for health care organizations with limited cybersecurity resources, such as rural hospitals.
"The penalty may be adjusted based on the penalty adjustment factors described in the adopted regulations. In addition, CDPH may modify the penalty for small and rural hospitals if they submit a request to CDPH. CDPH may also adjust the penalties for primary care clinics and skilled nursing facilities under specified conditions," said Cassie Dunham, the agency's acting deputy director.
The process of updating data breach regulations in California began all the way back in 2018, making their final implementation a major milestone for the state.
Connecticut, meanwhile, took things one step further, with Governor Ned Lamont signing two new laws that affect overall business standards statewide, according to Jones Day. The new "Act Concerning Data Privacy Breaches," in particular, looks to impact businesses by expanding the legal definition of "personal information" and setting a time limit of 60 days to report a breach to the state. The previous limit was 90 days.
The other legislation, "An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses," offers a more business-friendly approach — the carrot to the stick of the "Act Concerning Data Privacy Breaches." The law defends companies against tort claims alleging a failure to prevent a data breach, on the condition that they adopt industry best practices for cybersecurity.
The new law makes Connecticut the third state to pass a so-called "safe harbor law."
Creating "data rights"
It's not just more liberal or coastal states where new data breach legislation is taking hold. In Ohio, for example, Republican state lawmakers, joined by Lieutenant Governor Jon Husted, announced plans for proposed legislation that would include a set of "data rights" for Buckeye state residents, according to Government Technology Magazine.
Among the data rights included in the bill would be the right to request that companies delete personal data and not sell it for profit. Notably, this proposal would put enforcement power with the state's Attorney General rather than expand the "private right of action."
While the proposal, if passed into law, would give extra regulatory powers to the state, it still has support from much of the state's private sector. According to JobsOhio president and CEO J.P. Nauseef, the proposal could help Ohio businesses build consumer trust, a competitive advantage.
"This bill gives consumers nationwide the confidence that when they do business in Ohio, their personal data is better protected than in states we compete with for customers and commerce," said Nauseef.
In passing the law, legislators noted the increase in consumer data breaches recorded in 2020 and the first half of 2021, both in Ohio and nationally. According to Government Technology, 846 separate data breaches have taken place in 2021 so far, impacting around 119 million Americans.
Cybersecurity you can trust
While new state laws are sure to change the way companies discuss and disclose data security issues, the ideal solution is to prevent a problem before it happens. One of the easiest and most important ways to shore up your network is to ensure that all of your applications are protected by modern, secure identity frameworks, including methods like multi-factor authentication. Some vendors are even moving to integrate biometric recognition technologies such as fingerprint readers.