Every company has data. Whether it is data belonging to employees, vendors, or customers – holding data has become a reality of doing business. As the web has stretched the boundaries of a company’s reach, keeping data safe has become a task of international proportions.
It is not unusual for an organization to have employees, vendors, or customers from all over the country, and perhaps, the world. As the geographic boundaries of where we do business have expanded, so has the responsibility to understand how we must protect data – and what is required in the event that we do not.
In January President Obama announced a federal proposal that would require companies to inform customers of a data breach within 30 days of discovering the incident. This would replace the current state guidelines, which loosely require action within the “most expeditious time possible and without unreasonable delay.” What is unclear: if this proposed federal data breach notification legislation will be able to get through the system unchanged. What is clear: the threat is getting worse; and companies will continue to struggle in understanding how to respond adequately and responsibly in the current maze of statutory notification laws.
Although ever-changing, the national map below indicates the time frame organizations have to notify affected individuals of data breaches according to the language currently on record for each state. This map is based on general Personal Identifiable Information (PII). Statutory laws may be different depending on the type of information that was breached (PHI, PCI) etc.