What are the current data breach laws across U.S. states and territories?
Where can the references be seen? How are the specific details different?
When are organizations required to notify the public?
Who is regulating compliance?
According to the National Conference of State Legislatures (NCSL), legislation has been enacted by all 50 states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands that requires private entities or government agencies to notify individuals who have been impacted by security breaches that may compromise their personally identifiable information.
You can see the complete state-by-state data breach guide here.
According the state data breach guide’s introduction:
“These laws typically define what is classified as personally identifiable information in each state, entities required to comply, what specifically constitutes a breach, the timing and method of notice required to individuals and regulatory agencies, and consumer credit reporting agencies, and any exemptions that apply, such as exemptions for encrypted data.
Entities that conduct business in any state must be familiar with not only federal regulations, but also individual state laws that apply to any agency or entity that collects, stores, or processes data pertaining to residents in that state. While the laws in many states share some core similarities, state legislators have worked to pass laws that best protect the interests of consumers in their respective states. As a result, some states have much more stringent laws or more severe penalties for violations. …”
This infographic summarizes some of the key findings:
Infographic by Digital Guardian
Background on Data Breach Guide
For more context on this research, I contacted Ellen Zhang, Web marketing coordinator for Digital Guardian as well as Greg Funaro, director of corporate communications for Digital Guardian. Here were the responses:
Dan Lohrmann (DL): When was this work recently completed?
Greg Funaro (GF): Yes, it’s accurate. Work was finished in May, but any pending legislation, like in Colorado, was included in the research.
DL: Did you work with any nonprofits on this such as the National Conference of State Legislatures?
GF: We did not — research was conducted independently.
DL: Any similar work on federal regulations about data breaches?
GF: Federal data breach notification laws are currently in discussion. Recently, the Treasury recommended Congress enact a federal data security and breach notification law to protect consumer financial data. See full Politico article.
DL: During the research process, were there any unusual data breach laws that surprised you?
GF: No. The U.S. should look to the EU and model itself after GDPR [General Data Protection Regulationto provide more protection to consumers' sensitive data, especially given the amount of data breaches that regularly occur.
A Sample of Covered Information and Penalties from Two States
The data breach laws in each state cover different information. Also, penalties and what is required to be reported to regulators vary from state to state.
For example, here are some of the details in Arizona:
Reporting: “Nothing needs to be reported to regulators.
Covered information includes: first and last name or first initial and last name plus one or more of the following: • Social Security number • Driver’s license or state identification card number • Financial accounts • Credit or debit card numbers (plus any security or access codes required).
Covered info in the state of Arizona refers only to electronic information and does not apply to covered information in paper form.
Penalties: Entities may be liable for civil penalties for violations. This law may only be enforced by the Arizona Attorney General who may bring an action to obtain actual damages for willful and knowing violations as well as civil penalties up to $10,000 per breach (or a series of breaches of a similar nature discovered in a single investigation). The same penalties apply to government agencies and non-government agencies in Arizona.”
Whereas in California:
“Covered information includes: First and last name or first initial and last name plus one or more of the following: • Social Security number • Driver’s license or state identification card number The Definitive Guide to U.S. State Data Breach Laws 12 • Financial accounts • Credit or debit card numbers (plus any security or access codes required) • Medical or health insurance information • Information collected by automated license plate recognition systems
Additionally, covered information includes a username or email address in combination with passwords or security question responses that would grant access to a resident’s online account. Covered information includes information in electronic format only.
Reporting: Individuals and businesses that are required to issue a security breach notification to more than 500 California residents must submit a single sample copy of the notification provided to consumers (with personal information redacted) to the attorney general.
Penalties: Civil penalties may apply for violations. Consumers who are injured by a violation of this law have the right to initiate a civil action to recover any damages they suffered as a result. This right does not apply to individuals impacted under the medical information-specific statute in California. Under the medical information-specific statute, the California Department of Health and Human Services may impose penalties on covered entities including: • A $25,000 penalty per patient whose information was compromised • A penalty of up to $17,500 per subsequent occurrence of unauthorized or unlawful access, use, or disclosure of personal medical information • If required notification is not provided, a penalty of $100 per day after the initial 15-day period may apply. Total penalties for a single event are not to exceed $250,000.”
Again, I encourage readers to visit the state-by-state guide to see details requirements for data breach reporting in their state.
I applaud the efforts of Digital Guardian in putting this state-by-state guide to data breach laws together. I am highlighting their efforts, because I believe this is an excellent resource for both residents as well as public- and private-sector organizations around the country.
What is clear is that current state data breach laws are all over the map, with varying levels of reporting and penalties.
I still foresee federal data breach laws eventually being passed to level the playing field across states. However, it is hard to see when this will become a top priority for Congress.