As Supreme Court Justice Louis Brandeis once put it, in the US the states are the laboratories of democracy, able to “try novel social and economic experiments without risk to the rest of the country.” Which is why there are now 50 different – albeit sometimes similar – laws about data privacy. What should companies facing all these different requirements do? The best course of action may be to apply a foreign law: The EU’s General Data Protection Regulation.
On June 1st Alabama's Data Breach Notification Act of 2018 went into effect, making Alabama the 50th state with a law holding companies legally responsible when a breach occurs. All 50 now require entities to notify affected individuals when their personal information is compromised, and many also require entities to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information and to the nature and size of the business and its operations. The devil, of course, is in the details. The laws differ on who they apply to, what counts as personal information, how long companies have to notify consumers and the government, and much more. On top of these state laws, several bills introduced in Congress would also affect data protection if enacted.
Efforts are already underway in many legislatures to toughen these laws, and last month Colorado enacted the strictest set of standards so far, requiring companies to notify consumers of a breach within 30 days. Even that is less stringent than the GDPR, which requires notifying the supervisory authority within 72 hours of becoming aware of a breach and notifying affected individuals without undue delay when the breach is likely to result in a high risk to them.
PwC has a very good summary of the differences between the GDPR and US privacy models. Beyond the notification deadline, the GDPR is tougher on the risk threshold that triggers reporting; on the circumstances under which the government must be notified; on what consumers must be told about a breach; and on what companies must do after a breach has occurred.
To be clear, adopting the GDPR will not put companies in compliance with all the different state standards. At present they vary far too much from each other for any one-size-fits-all solution. However, a company that adheres to the GDPR will be operating under stricter requirements than US law currently imposes, and so will have a head start if and when those requirements tighten.