IAPP updates its US state breach notice resource

The IAPP U.S. State Breach Notification Chart summarizes all state breach notification laws.

Contributors:
Jim Dempsey
Lecturer, UC Berkeley Law; Managing Director, Cybersecurity Law Center
IAPP
The IAPP just updated its chart outlining the state data breach notification laws in the United States. Some interesting comparisons and observations emerge.
Sending notices to consumers when their personal data has been compromised in a cyber incident is probably the most familiar aspect of cybersecurity law, both to data governance professionals and consumers. In the U.S., the first state law requiring notice was enacted by California in 2002 and became effective in 2003. Alabama was last, adopting its law in 2018. Now all 50 states plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have breach notice laws. In effect, these laws constitute a nationwide rule — but with variations.
The first thing to note about state breach notice laws is their relatively narrow definition of personal information — certainly narrower than the definition of personal information in the more recent comprehensive state privacy laws. This reflects the origins of the concept of breach notification: The laws mainly arose to alert consumers that they needed to be vigilant for identity theft and financial fraud following a data breach. Therefore, definitions of personal information for breach notification purposes focus on the building blocks of identity theft and financial fraud.
The breach law with the narrowest scope may be Hawaii's Revised Statutes Chapter 487N, which defines personal information as an individual's first name or first initial and last name in combination with Social Security number, driver's license number or Hawaii identification card number, or "account number, credit or debit card number, access code, or password that would permit access to an individual's financial account." The Hawaii law is rare in covering paper records; most of the breach notice laws apply only to computerized data.