Although Congress has attempted to agree on federal data breach notification legislation, there is no national data breach notification law that applies to most companies. Instead, 48 states, plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have each enacted their own statutes addressing an organization’s notification obligations in the wake of a data breach involving personal information. The only states without such laws are Alabama and South Dakota, although their citizens may be covered in some situations by the data breach laws of other states.
While state data breach laws are similar, they are not uniform. The following summarizes some of the key provisions of state data breach notification laws and highlights areas in which state laws diverge. In the event of a breach involving records of consumers who live in multiple states, the laws of each of those states should be reviewed to ensure that the organization is complying with all notification requirements.
Number of states and territories with a breach notification law.
Number of states that do not have a breach notification law.
Percentage of state laws that require notifying regulators after some breaches.
Percentage of state laws that expressly confer a private right of action to consumers if the statutes is violated.
What to consider when evaluating state data breach laws:
- In which jurisdiction do the data subjects reside? Do the laws of those jurisdictions purport to be extraterritorial?
- Is your organization exempt from the applicable state data breach laws?
- What types of personal information are covered by the applicable statutes?
- Do the applicable statutes only require notification if the breach is “material?” If so, what language does the statute use to determine whether a breach is material?
- If notification to consumers is required, how much time does the statute give you to provide notice?
- Do the applicable statutes require that you notify state regulators?
- Do the applicable statutes require that notification letters contain specific types of information?
- Do the applicable statutes prohibit you from including some types of information in a notification letter?
- What form should the notification take? A letter? An email? A telephone call?
- Do the applicable statutes require your organization to notify any third parties?