RL34120
Information Security and Data Breach Notification Safeguards
July 31, 2007

Summary

Information security and breach notification requirements are imposed on some entities that own, possess, or license sensitive personal information. Information security standards are designed to protect personally identifiable information from compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other situations where unauthorized persons have access or potential access to personally identifiable information for unauthorized purposes. Data breach notification laws require covered entities to provide notice to affected persons (e.g., cardholders, customers) about the occurrence of a data security breach involving personally identifiable information. Data security breaches occur when fraudulent accounts are created, laptops or computers are stolen or hacked, passwords are compromised, insiders or employees steal data, or discs or back-up tapes are misplaced. Information security laws require covered entities to establish information security programs to ensure the security and confidentiality of information; establish administrative, technical, and physical safeguards; protect against any anticipated threats or hazards to information security which could result in substantial harm, embarrassment, inconvenience, or unfairness; protect against unauthorized access to or use of such records or information; conduct periodic assessments of the risk and magnitude of harm that could result from a security breach; limit the amount of information collected, maintained, or processed to the minimum amount necessary; maintain accurate, relevant, timely, and complete information; establish rules of conduct and training for persons authorized to access records or information; develop procedures for detecting, reporting, and responding to security incidents; notify appropriate authorities, officials, and congressional committees of security incidents; require contractors, business associates, or service providers to contractually agree to provide information security; perform annual audits of the security program; and comply with other security requirements. Many data breach notification laws require covered entities to implement a breach notification policy, and include requirements for incident reporting and handling and external breach notification. Breach notification policies address whether breach notification is required, the time when notice should be given, who should provide notice, the level of risk that will trigger external notification, the contents of the notification, the means of providing the notification, and who should receive notification. In addition, such laws generally require a covered entity or a designated party to conduct a risk assessment of the likely risk of harm caused by the data breach and an assessment of the level of risk for potential misuse of information. Breach notification policies may also address when notification may be delayed and exemptions from external notification for information that is encrypted. The following report analyzes the Privacy Act, the Federal Information Security Management Act, Office of Management and Budget Guidance, the Veterans Affairs Information Security Act, the Health Insurance Portability and Accountability Act, and the Gramm-Leach-Bliley Act. This report will be updated.