Before New Law, Calif. Breach Notices Took 4-6 Months: Privacy Rights Clearinghouse
A new California law setting concrete deadlines for data breach notifications could make a big difference in the state, Emory Roane, Privacy Rights Clearinghouse (PRC) associate director of policy, said Tuesday.
Signed Friday by Gov. Gavin Newsom (D), California’s new law requires companies to notify state residents within 30 calendar days of discovering a data breach and to alert the state’s attorney general 15 days after that, if more than 500 California residents were affected (see 2510060033).
“Our research shows California breach notifications can take an average of five months or more from the time the breach is discovered to when it has been reported, leaving consumers at risk while their information has been exposed, and they're left unaware,” Roane emailed Privacy Daily.
PRC’s database shows that “the average time to notify consumers was 160 days, or nearly six months,” while the median time “was 120 days, or four months,” explained Roane. “It's hard to see how those timelines square with” California’s previous “statutory requirement for notification ‘in the most expedient time possible and without unreasonable delay.’”
“Meanwhile, states like Texas (60 days), Florida (30 days), Maine (30 days), and Colorado (30 days) have long had concrete deadlines that provide both clarity for businesses and better protection for consumers,” added Roane.