In Depth

CSO Disclosure Series | Data Breach Notification Laws, State By State

Five years after California's landmark SB 1386, our interactive map shows you which 38 states have passed laws requiring companies to notify consumers whose personal information has been compromised. Part of an in-depth series about disclosing security breaches.

By Scott Berinato

February 12, 2008 — CSO —

More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data.

That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out. Click on any state to see highlights from that state's law. (The gray states do not yet have disclosure laws). For more explanation, see the text below the map. (To learn more, see the rest of the CSO Disclosure Series, including a deconstruction of two disclosure letters and an interview about pending federal legislation.)

In general, most state laws follow the basic tenets of California's original law: Companies must immediately disclose a data breach to customers, usually in writing. Also in California, there is a private right of action, and there are very few exemptions. It's a tough law. Laws in other states are tough too, but some allow more exemptions or do not allow a private right of action. When you click on a state on the map above, you'll see highlights of that state's law, including specific instances where it might differ from the California law. For example, the Massachusetts law pertains to paper record as well as computer data, as noted in the box. Some other important details:

1. Notification guidelines: how soon a company is required to inform customers of a data breach. In California, this is "as soon as possible, without unreasonable delay."

2. Penalty for failure to disclose: whether or not there are civil or criminal penalties for a failure to disclose. In California, a company cannot be penalized for its lack of promptness alone.

3. Private right of action: whether this option exists for consumers in that state. In California, this is available.

4. Exemptions: what kinds of breaches, if any, companies are exempt from reporting. California allows exemptions for encrypted data that's lost and publicly available government data. In California there is no such thing as an immaterial breach, while other states do have a definition of immaterial breach.

In addition, by clicking on the flag over Washington, D.C., you can check on the status of several pending federal bills pertaining to data breach disclosure. For more information, see "What's Next with Disclosure Legislation?", our interview with Tanya Forsheit, an attorney from Proskauer Rose LLP who is an expert on data breach disclosure law.

• Email
• Print
• Comments
• Digg This
• SlashDot

• The Complete Guide to Security Breach Disclosure
• CSO Disclosure Series | Reporter's Notebook: The United States of TMI
• CSO Disclosure Series | The Dos and Don'ts of Disclosure Letters
• CSO Disclosure Series | User Education: How to Respond to a Data Breach Disclosure
• CSO Disclosure Series | What California's New Medical Disclosure Law Means for the Rest of Us
• CSO Disclosure Series | What's Next with Disclosure Legislation?