While data privacy and compliance professionals clamor for a single Federal data breach notification statute, states have continued to establish and amend their own medley of breach notification statutes. As of September 2012, 46 states and the District of Columbia have enacted some version of consumer data breach notification requirements. This disparate environment makes compliance under these evolving and sometimes divergent state notification frameworks both technically and logically challenging for organizations that find themselves cleaning up after a data breach.
There is, however, some commonality among the state data breach laws. Generally, the laws address the following issues related to data breach notification: 1) timing; 2) civil/criminal penalties; 3) private rights of action; 4) safe harbors; 5) exemptions for law enforcement efforts; and 6) whether the materiality of the breach should be considered. Unsurprisingly, no one category of issue is addressed in any standardized way among the several states. Even the basic timing requirement for notification varies wildly, from the “no more than 7 business days after investigation concludes” language in the Maine statute to the purposefully vague “without unreasonable delay” language used by a handful of other states. See our State Data Breach Notification Laws chart for a handy resource that highlights the differences between the various state laws.
A good, conservative approach when trying to comply with a multitude of statutory frameworks is to model the response on the most restrictive and onerous of the state laws. However, this approach is not practical in all but the most straightforward of breach events. Instead, careful consideration must be given to the nature of the breach, the number of potentially affected individuals, and the states in which those individuals reside before deciding on any course of action with respect to notification under state breach laws.