In large security incidents, the differences among state breach notification laws usually do not come into play. In smaller matters, where individuals in only a few states are potentially affected, the differences sometimes result in an obligation to notify individuals in some states but not in others. States have also been active in amending their notification laws, creating even more differences. Maryland started off 2018 with an amended breach notification law, and Arizona, Colorado, Connecticut, Delaware, Iowa, Louisiana and Oregon followed suit. Also this year, the final two states without data breach notification laws, Alabama and South Dakota, each passed one.
Colorado’s amended law, effective September 1, 2018, highlights the issues where new and revised laws are creating differences. Many of the initial breach notification laws narrowly defined personal information in this way: a person’s name combined with one of three data elements — Social Security number, driver’s license number, or financial account/payment card number. Colorado’s amended law, similar to 30 other states with broader definitions, now defines personal information as also including any student, military, or passport identification number; medical information; health insurance identification number; biometric data; and username or email address, in combination with a password or security questions and answers, that permit access to an online account.