Summarizing Federal & State Data Breach Notification Laws

If your organization handles or works with a certain type of data, you have a legal obligation to protect that data. Generally speaking, this could refer to personal information like names, identifiers (i.e. social security numbers), health data, or financial data. If any such data is compromised, it’s not only your fiduciary responsibility to disclose the breach to those harmed—it’s also your legal obligation.

Every state in the U.S.—with the exception of Alabama and South Dakota—has a data breach notification law in place. There are a handful of federal laws protecting specific types of data as well. All that said, there are quite a few things that states differ on.

For example, some states have a very broad definition of personal information; for others it is well-defined. Some states require notification if customer data has been accessed, while others restrict notification to cases where there’s a risk of harm.

Additionally, the laws may change based on the type of data compromised and how the state believes a breach to be constituted. For example, is it enough that a bad actor penetrated the network or do they have to actually acquire the data? Beyond that, there are also different notice requirements—how should an organization notify the victims, and when?

To better understand federal and state security breach notification laws, take a look at these three links:

  1. According to law firm BakerHostetler, the standard definition of personal information is as follows:

Personal Information: An individual’s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number, (ii) driver’s license number or state-issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account and generally applies to computerized data that includes personal information.

Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state or local government records, or widely distributed media. In addition, Personal Information shall not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

But this isn’t the beginning and end of that story. The actual definition of personal information varies state by state, so BakerHostetler published this helpful guide on the additions (or deletions) each state makes to this standard definition.

  1. This page on the National Conference of State Legislatures (NCSL) website has hyperlinks to each of the 48 different data breach notification laws, including their citation numbers.
  1. For an in-depth look at each of these laws in a more readable format, take a look at this 195-page report put out by Steptoe & Johnson LLP. It breaks down each state’s policy according to the following questions:
  • What entities are covered?
  • Is there a requirement for service providers?
  • What data [is] covered?
  • Has there been a breach?
  • Is there a risk of harm analysis?
  • Who receives notice?
  • When must notice be given?
  • May notice be delayed?
  • How must notice be given?
  • Is substitute notice available?
  • Is there an exemption or safe harbor?
  • Enforcement? Penalties? Is there a private right of action?

Knowing all of your legal obligations insofar as security breach notification laws are concerned is critical for prioritizing your cybersecurity initiatives. But keep in mind that simply knowing this legal obligation isn’t enough—you need a comprehensive cybersecurity program with initiatives that protect all data, including trade secrets and intellectual property.

Thus, consider that some of your sensitive customer data may be located outside your company, with critical vendors. Depending on your industry, state or federal regulations may mandate how you handle that information. For example, if you’re in the healthcare industry, HIPAA requires you to have contractual agreements with outside business associates dictating the terms of protecting sensitive information.

Therefore, in order to protect your customers and your data, you need to know what data is critical, who has access to it, and what those individuals and organizations are doing to protect it. If the data falls outside your organization, you’ll need to build a risk management program that takes this into account.

Make sure your vendor risk program is keeping your data safe.

Whether you’re just getting started with your vendor risk program or you’re reevaluating how you assess critical vendors, you’ll want to know the most critical things to ask. Download these 40 important vendor assessment questions today for free.

Download Guide: 40 Questions You Should Have In Your Vendor Security Assessment