Although Congress has attempted to agree on federal data breach legislation, there is no national data breach notification law that applies to most companies. Instead, 47 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving certain types of personally identifiable information (“PII”). The only states without such laws are Alabama, New Mexico, and South Dakota, although their citizens may be covered by the data breach laws of other states.
While the state data breach laws are similar, they are not uniform. The following summarizes the key provisions of state data breach notification laws and highlight areas in which state laws diverge. In the event of a breach involving records of consumers who live in multiple states, the laws of those states should be reviewed to ensure that the organization is complying with notification requirements.
Click here to view table.
What to consider when evaluating state data breach laws:
- In which jurisdiction do the data subjects reside?
- Do the laws of those jurisdictions purport to be extraterritorial
- Is your organization exempt from the applicable state data breach laws?
- What types of personally identifiable information are covered by the applicable statutes?
- Do the applicable statutes only require notification if the breach is “material?”If so, what language does the statute use to determine whether a breach is material?
- If notification to consumers is required, how much time does the statute give you to provide the notice?
- Do the applicable statutes require that you notify state regulators?
- Do the applicable statutes require that notification letters contain specific types of information?
- Do the applicable statutes prohibit you from including some types of information in a notification letter?
- What form should the notification take? A letter? An email? A telephone call?
- Do the applicable statutes require your organization to notify any third parties?