Ride the Lightning

All U.S. Data Breach Notifications Laws in One Place

February 20, 2019

While I lecture often on data breach notification laws – and always advise audiences that all the states have them – it occurred to me when I read a post from the eDiscovery Daily blog that I hadn't posted the fact that links to all these laws can be found in a single place online. So that omission is now corrected.

All 50 states, plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands, have laws requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.

Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/ information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver's license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).

There are many notable variations among the state laws – and as all entities are subject to these laws, it is helpful to be able to read them from a single location.

The National Conference of State Legislatures has links to all of the laws here. The NCSL is a source of many valuable resources – well worth bookmarking!

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson