More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. When this map was originally published in February, eleven states still had not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data.
UPDATE: Since then, five additional states (Alaska, Iowa, South Carolina, Virginia, and West Virginia) and Washington D.C. have passed legislation. See the updates, including links to the full text of each law, here.
This map will help you sort them out the varying requirements of these laws. Click on any state to see highlights from that state's law. (The gray states do not yet have disclosure laws - exceptions noted above.) For more explanation, see the text below the map. (To learn more, see the rest of the CSO Disclosure Series, including a deconstruction of two disclosure letters and an interview about pending federal legislation.)
You need to upgrade your Flash Player
In general, most state laws follow the basic tenets of California's original law: Companies must immediately disclose a data breach to customers, usually in writing. Also in California, there is a private right of action, and there are very few exemptions. It's a tough law. Laws in other states are tough too, but some allow more exemptions or do not allow a private right of action. When you click on a state on the map above, you'll see highlights of that state's law, including specific instances where it might differ from the California law. For example, the Massachusetts law pertains to paper record as well as computer data, as noted in the box. Some other important details:
1. Notification guidelines: how soon a company is required to inform customers of a data breach. In California, this is "as soon as possible, without unreasonable delay."
2. Penalty for failure to disclose: whether or not there are civil or criminal penalties for a failure to disclose. In California, a company cannot be penalized for its lack of promptness alone.
3. Private right of action: whether this option exists for consumers in that state. In California, this is available.
4. Exemptions: what kinds of breaches, if any, companies are exempt from reporting. California allows exemptions for encrypted data that's lost and publicly available government data. In California there is no such thing as an immaterial breach, while other states do have a definition of immaterial breach.
In addition, by clicking on the flag over Washington, D.C., you can check on the status of several pending federal bills pertaining to data breach disclosure. For more information, see "What's Next with Disclosure Legislation?", our interview with Tanya Forsheit, an attorney from Proskauer Rose LLP who is an expert on data breach disclosure law.
The map is meant to cover the highlights of the various state laws and is not meant to be comprehensive. For the most comprehensive information available, you can in most cases click on the thumbnail icon in the highlights box and be taken to a copy of the state law.
This map was created to provide a single source for information on all state laws that is both a good reference and visually intuitive. We started it as an experiment, and we'd love to know what you think of it and how you would improve it. Enjoy!
Executive Editor Scott Berinato can be reached at firstname.lastname@example.org.
Sources: Scott and Scott LLP, Perkins Coie, Proskauer Rose LLP, CSO Reporting
Map last updated: 2/12/2008
To learn more:
CSO DISCLOSURE SERIES, 2008
One security breach, two letters, 11 lessons in the art of telling customers you screwed up. Two PR pros deconstruct the messages that Monster.com and USAJOBS were really giving to customers whose personal information had been disclosed.
An interview with lawyer and breach notification expert Tanya Forsheit on why the United States still doesn't have a federal breach notification law.
New state law AB 1298, aimed at reducing instances of medical identity theft, could prompt similar legislation elsewhere, but experts are still unsure whether out-of-state companies with information about Californians must comply.
Just find out that your personal information has been compromised? Heres what to do.
Lead paint in toys. Brain-eating amoeba. Identity theft. Drowning in sand. We know more than ever about the risks all around us. Do we know what disclosing them all is doing to us?