State Data Breach Notification Laws

Foley & Lardner LLP looks beyond the law to focus on the constantly evolving demands facing our clients and their industries. With over 1,100 lawyers in 24 offices across the United States, Mexico, Europe and Asia, Foley approaches client service by first understanding our clients’ priorities, objectives and challenges. We work hard to understand our clients’ issues and forge long-term relationships with them to help achieve successful outcomes and solve their legal issues through practical business advice and cutting-edge legal insight. Our clients view us as trusted business advisors because we understand that great legal service is only valuable if it is relevant, practical and beneficial to their businesses.

Explore

While most state data breach notification statutes contain similar components, there are important differences, meaning a one-size-fits-all approach to notification will not suffice.

United States Privacy

Authors

To print this article, all you need is to be registered or login on Mondaq.com.

While most state data breach notification statutes contain similar components, there are important differences, meaning a one-size-fits-all approach to notification will not suffice. What's more, as data breaches continue to rise, states are responding with increasingly frequent and divergent changes to their statutes, creating challenges for compliance. Organizations must make it a priority to monitor these changes to prepare for and respond to data breaches.

For a summary of basic state notification requirements that apply to entities who "own" data, download Foley's State Data Breach Notification Laws Chart. This chart is current as of September 1, 2023, and should be used for informational purposes only because the recommended actions an entity should take if it experiences a security event, incident, or breach vary depending on the specific facts and circumstances.

This chart does not cover non-owners of data. If you do not own the data at issue, consult the applicable laws and contact legal counsel. This chart also does not cover:

Exceptions based on compliance with other laws, such as the Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA).
Exceptions regarding good faith acquisition of personally identifiable information (PII) by an employee or agent of an entity for a legitimate purpose of the entity, provided there is no further unauthorized use or disclosure of the PII.
Exceptions regarding what constitutes PII, such as public, encrypted, redacted, unreadable, or unusable data. The chart indicates whether a safe harbor may be available for data that is considered public, encrypted, redacted, unreadable, or unusable, but the specific guidance will vary based on the circumstances. For example, some states have a safe harbor only for data that is encrypted, whereas other states may have a safe harbor for data that is encrypted or public.
The manner in which an entity provides actual or substitute notification (e.g., via email, U.S. Mail, etc.).
Requirements for the content of the notice.
Any guidance materials issued by federal and state agencies.
A comprehensive assessment of all laws applicable to breaches of information other than PII.

State Data Breach Notification Laws Chart

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors

Jennifer J. Hennessy

Chanley Howell

Jennifer Urban

Steven Millendorf

Aaron Tantleff

Samuel D. Goldstick

Your Author LinkedIn Connections