Data breaches are pervasive in our society and show no signs of abating.
U.S. federal and state lawmakers and agencies have responded to cyber threats by passing breach notification laws and promulgating rules dictating cybersecurity protections companies must have in place. The New York State Department of Financial Services, for example, released its Cybersecurity Requirements for Financial Services Companies that contain broad and prescriptive security requirements.
Practices adopted to comply with U.S. breach notification and security obligations may not be sufficient in other international jurisdictions. This article provides a brief overview of the different approaches taken in other jurisdictions to breach response, breach notification and cybersecurity requirements.
Most businesses with European operations have probably heard of the General Data Protection Regulation (GDPR) that came into effect on May 25th. Certainly, the GDPR’s noncompliance penalties (greater of 20 million euros or 4 percent of global annual turnover) caught some attention.
The GDPR is notable for its short breach notification timeframe: “without undue delay and, where feasible, not later than 72 hours . . . .” Where U.S. states impose notification timeframes, they are typically at least 30 days, although some industry specific laws may be shorter (e.g., the Connecticut Insurance Department allows five days).
Read More: Todd McClelland of Jones Day | Daily Report