CSO Disclosure Series | Data Breach Notification Laws, State By State
Five years after California's landmark SB 1386, our interactive map shows you which 38 states have passed laws requiring companies to notify consumers whose personal information has been compromised. [UPDATED 7/28/2008]
February 12, 2008 — CSO —
More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. When this map was originally published in February, eleven states still had not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data.
UPDATE: Since then, five additional states (Alaska, Iowa, South Carolina, Virginia, and West Virginia) and Washington D.C. have passed legislation. See the updates, including links to the full text of each law, here.
This map will help you sort them out the varying requirements of these laws. Click on any state to see highlights from that state's law. (The gray states do not yet have disclosure laws - exceptions noted above.) For more explanation, see the text below the map. (To learn more, see the rest of the CSO Disclosure Series, including a deconstruction of two disclosure letters and an interview about pending federal legislation.)
In general, most state laws follow the basic tenets of California's original law: Companies must immediately disclose a data breach to customers, usually in writing. Also in California, there is a private right of action, and there are very few exemptions. It's a tough law. Laws in other states are tough too, but some allow more exemptions or do not allow a private right of action. When you click on a state on the map above, you'll see highlights of that state's law, including specific instances where it might differ from the California law. For example, the Massachusetts law pertains to paper record as well as computer data, as noted in the box. Some other important details:
1. Notification guidelines: how soon a company is required to inform customers of a data breach. In California, this is "as soon as possible, without unreasonable delay."
2. Penalty for failure to disclose: whether or not there are civil or criminal penalties for a failure to disclose. In California, a company cannot be penalized for its lack of promptness alone.
3. Private right of action: whether this option exists for consumers in that state. In California, this is available.
4. Exemptions: what kinds of breaches, if any, companies are exempt from reporting. California allows exemptions for encrypted data that's lost and publicly available government data. In California there is no such thing as an immaterial breach, while other states do have a definition of immaterial breach.
In addition, by clicking on the flag over Washington, D.C., you can check on the status of several pending federal bills pertaining to data breach disclosure. For more information, see "What's Next with Disclosure Legislation?", our interview with Tanya Forsheit, an attorney from Proskauer Rose LLP who is an expert on data breach disclosure law.