Thomas on Data Breach: A Practical Guide To Handling Data Breach Notifications Worldwide by Liisa Thomas is a solid first edition with all the markings of becoming a go-to desk reference for private practitioners and in-house counsel responsible for navigating any organization through the thicket of data breach regulations. The 200 pages of text provide a comprehensive summary of U.S. state and federal laws that may be triggered when personal information is accessed by or disclosed to unauthorized persons. It also addresses international obligations and provides the reader with a good starting point for identifying obligations that may exist in countries other than the United States.

The book is published as a softbound single volume consisting of eight chapters and two extensive appendices—one containing copies of the U.S. federal and state data breach notification statutes, the other containing copies of non-U.S. notification laws. The chapters are arranged topically with relevant information from state, federal and international laws compared and contrasted within each chapter. While that organizational style makes it difficult for the reader to obtain a complete summary of any single law from a single location, arranging the book by topic facilitates understanding the details and nuances of key aspects involved in responding to a data breach, such as understanding which laws apply, the varying types of information that may trigger notification obligations, comparing when notification is required, how notice may be given and the varying and sometimes contradictory requirements for what to include in a notice.

Since the full text of each state law, major relevant federal legislation and even some international laws pertaining to data breach notification is included in the appendices, the lack of references to specific sections in some of the chapters is likely to be a minor inconvenience. In addition, to address the challenge of keeping up with new laws, revisions to existing laws and important court decisions, Thomas has created a companion website, which she intends to keep updated with significant developments before hard copy updates and future editions can be published. For example, the current edition was finalized prior to recent amendments to Iowa’s data breach law, the enactment of Kentucky’s statute making it the 47th state with a data breach law and a federal court’s determination, at least for the purposes of a motion to dismiss, that the U.S. Federal Trade Commission (FTC) has the power to regulate cybersecurity under the unfairness prong of the FTC Act. Each of these developments, as well as others that will undoubtedly occur in the future, is important enough that readers will want to make sure they regularly check Thomas’s website.

Thomas takes the reader on a tour of data breach notification obligations from beginning to end, with chapters addressing how to determine whether to notify, conducting investigations, insurance coverage, whether to notify when data breach notification laws are not triggered, providing notice, responding to post-notification inquiries and potential consequences for violating breach notification statutes. Each chapter is further divided into clearly marked sections that will facilitate the use of the volume as both a research tool and practical guide when analyzing a possible breach and charting a response. Questions such as which states require notification to which regulators or when can notifications be provided by e-mail are easily answered by a quick review of the detailed table of contents.

Thomas answers the question of what motivated her to write this book by indicating that she sought to fill a void in legal references or treatises that comprehensively addressed and synthesized U.S. data breach notification requirements as well as those applying. She identifies three goals of the book:

If it is a helpful tool for you in the next data breach in which you are involved, I have succeeded. And if showing the book to your senior leadership to demonstrate how complicated this area is also helps, all the better. And even better still, what if government regulators read it and began to understand just what a daunting—and expensive—task it can be to comply with all of these notice requirements. Requirements that, even if met, may not accomplish their stated goal of helping individuals protect themselves.

There is no doubt that Thomas has succeeded in her first goal, and even a cursory review of several of the chapters should help legislators and regulators understand the byzantine array of requirements that businesses must navigate in determining whether and how to notify users of certain events, some of which have no bearing on the risk of possible harm to consumers and some of which are completely contradictory. For example, Thomas points out that many states do not specify what to include in a breach notice, but others do. And of those that do, most require a description of the incident, but Massachusetts does not permit inclusion of a description of the nature of the breach.

Thomas, with assistance from contributors Monique Bhargava, Liz Brodzinski, Robert Newman, Pavel Sternberg and Marc Trachtenberg, devoted untold hours over the course of approximately a year in preparing the book. Their effort will not be lost on the reader, who will benefit from the effort that went into categorizing, assimilating and organizing the volume. The chapters are generally consistent in their level of detail, although some chapters, such as the one addressing the intricacies of providing notice, are more detailed and heavily footnoted. Others, such as the chapters on insurance and penalties, are suitable as a general introduction and high-level review of the topics.

Thomas and her contributors should be proud of the resource they have prepared. It is a testament to their dedication and knowledge of the subject matter and is destined to become a trusted reference for anyone who is interested in understanding the ever-evolving data breach notification landscape.

Jim McCullagh, CIPP/US, is a partner in Perkins Coie's Litigation Practice and co-chairs the firm's Privacy & Security Practice and is also active in the Intellectual Property Litigation and E-Discovery Services & Strategy national practices. He focuses on technology and intellectual property issues, including investigation, enforcement programs and litigation of computer fraud and abuse, data breaches, spam, phishing and IP infringement.

Written by James McCullagh, CIPP/US