State Data Security / Breach Notification Laws
Enacted in 2003, California SB 1386 was the first law to set clear guidelines for the disclosure obligations and responsibility of organizations in the event of data breaches leading to the disclosure of personal data. Since then, forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
Although varying from state to state, most laws contain the following basic elements set by the original California bill:
- Notification guidelines: which data is covered by the bill and how soon organizations must notify affected persons.
- Penalties for data breach incidents: what penalties the organization is subject to as a result of losing sensitive data or failing to disclose such incidents, and what steps it must take to protect those affected.
- Private right of action: what action may be taken by affected consumers, if any.
- Exemptions: when companies are exempt from reporting data breaches, if at all. For example, some states provide exemptions for data which has been encrypted or stored on encrypted media.
This map will point you to the varying requirements of these laws in each state. Click on any state to see highlights from that state's law. (The gray states do not yet have disclosure laws.)
Puerto Rico - Puerto Rico Laws Annotated Title 10: §§ 4051 to 4055, effective September 7, 2005
Virgin Islands - Virgin Islands Code § 2208, effective October 17, 2005