Data Breach Notification in the United States and Territories

This report from Privacy Rights Clearinghouse took a close look at the current landscape of data breach notification statutes across the country and identified key disparities in the level of protection that each statute affords. Its analysis compares each state's data breach notification statutes across key provisions, including:

  • Definition of breach.
  • Definition of personally identifiable information.
  • Form of data covered.
  • Whether the statute covers paper records.
  • Whether the statute covers encrypted data when the encryption key has been accessed or acquired.
  • What entities are covered by the statute.
  • Whether notification triggers after discovery or after reasonable investigation.
  • Whether there is a risk of harm trigger for notification.
  • How consumers are notified.
  • What must be included in the notice.
  • Whom entities must notify.
  • Whether the state publishes breach data publicly.
  • Whether individuals have a private right of action for violations.
  • Whether there are exceptions to the notification obligation if the entity complies with other laws (HIPAA, GLB, etc.).
  • Whether there is flexibility in the notification if the entity maintains an equivalent or stronger policy.
  • Penalties for violations.