Driven by daily headlines about massive breaches of personal data, U.S. states have been increasing their adoption of cybersecurity laws since 2003. These laws require companies to notify regulators, users, or sometimes both, when personal data has been compromised. This month, Alabama became the last U.S. state to adopt such a law (the Alabama Data Breach Notification Act), coming on the heels of South Dakota, which passed its own legislation in March. Additionally, the European Union’s General Data Protection Regulation (“GDPR”) will go into effect on May 25 2018, creating additional obligations for many companies worldwide, including obligations to notify personal data breaches in certain circumstances both to data regulators and the individuals concerned. These changes in the field of data protection create new compliance requirements and litigation risks for companies. While data breaches seem to happen routinely, the implications of a hacking incident compromising personal data have grown more complex. Click here for more.
Location