State Breach Disclosure Laws - Update

Five states (and D.C.) have put data breach disclosure laws in the books in recent months. Article includes links to full text of each law.

By

July 29, 2008 — Since publication (in February) of our interactive guide to state data breach disclosure laws, the following states (and D.C.) have passed new legislation.


Alaska:

Full text of Alaska breach disclosure law [pdf]:
http://www.legis.state.ak.us/PDF/25/Bills/HB0065Z.PDF

Notification: As soon as possible, without unreasonable delay

Civil penalty of up to $500 for each resident who was not notified. Total penalty may not exceed $50,000.

Exemption: Publicly available government data

Disclosure not required if it is determined that there is not a reasonable likelihood that harm to the affected consumers will result.

Disclosure may be delayed if law enforcement officials determine it will interfere with a criminal investigation.


Iowa:

Full text of Iowa breach disclosure law:
http://coolice.legis.state.ia.us/Cool-ICE/default.asp?category=billinfo&service=billbook&GA=82&hbill=SF2308

Notification: As soon as possible, without unreasonable delay

Disclosure not required if it is determined that there is not a reasonable likelihood that harm to the affected consumers will result.

Disclosure may be delayed if law enforcement officials determine it will interfere with a criminal investigation.


South Carolina:

Full text of South Carolina breach disclosure law:
http://www.scstatehouse.net/sess117_2007-2008/bills/453.htm

Notification: As soon as possible, without unreasonable delay

Law allows state residents to place security freezes on their consumer credit reports


Virginia:

Full text of Virginia breach disclosure law:
http://leg1.state.va.us/cgi-bin/legp504.exe?000+cod+18.2-186.6

Notification: Without unreasonable delay

Civil penalty not to exceed $150,000 for violations

Exemption: Publicly available government data

Law does not apply to not apply to criminal intelligence maintained by law-enforcement agencies of the state and the organized Criminal Gang File of the Virginia Criminal Information Network (VCIN)


Washington D.C.

Full text of Washington D.C. breach disclosure law [pdf]:
http://www.dccouncil.washington.dc.us/images/00001/20061218135855.pdf

Notification: As soon as possible, without unreasonable delay

Civil penalty not to exceed $100 for each violation


West Virginia

Full text of West Virginia breach disclosure law:
http://www.legis.state.wv.us/Bill_Text_HTML/2008_SESSIONS/RS/BILLS/SB340%20SUB1.htm

Notification: Without unreasonable delay

Disclosure may be delayed if law enforcement officials determine it will interfere with a criminal investigation.

No civil penalty unless the court finds that the defendant has engaged in a course of repeated and willful violations. Civil penalty shall not exceed $150,000 per breach.

Other stories by Joan Goodchild

RESOURCE CENTER