eDiscovery Daily Blog

How Many States Have Security Breach Notification Laws? You Might Be Surprised: Cybersecurity Trends

Usually, I end each blog post with “So, what do you think?”, but this time I’m starting with it.  How many states do you think have some sort of legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information (PII)?  Ten?  Twenty?  Thirty?  You might be surprised.

According to a post by the National Conference of State Legislatures (NCSL) (hat tip to Joe Hodnicki of Law Librarian Blog for the link), all 50 states, plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.

That’s certainly good to know!

Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).

The NCSL post linked to above provides links to each of the states’ and territories’ legislation – some have a single law, code or statute to address the requirements, while others have more than one.  It’s a great reference if you ever have to determine what the laws are in a particular state or territory in terms of compliance requirements – which are already growing because of the General Data Protection Regulation (GDPR) that went into effect last year and the California Consumer Privacy Act (CCPA) which is slated to go into effect next January.  More and more, compliance discovery is becoming a strong emphasis for organizations that need to manage their risk.  It’s good to know that all of the states and territories have security breach laws – the next question is how well are they enforced?

So, what do you think?  Were you surprised that every state and territory has security breach laws?  Please share any comments you might have or if you’d like to know more about a particular topic.
