Data Security Breach Notification Laws by State
Author: Vincent K. Bates, Littler
Every employer maintains personal information, whether of its employees, vendors or customers. Because of the sensitive nature of such data, an employer must take steps to protect it. An employer must also understand its responsibilities if a data breach does occur, e.g., the unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality or integrity of personal information maintained by the employer.
While all state data breach notification laws require an employer to provide notice to affected individuals, the laws vary as to how and when the notice must be provided. Generally, the notice requirements are triggered when an employer that is covered by the law discovers or is notified of a breach. The following chart summarizes each state's data security breach notification requirements, including:
- Definitions of the personal information that is covered by the law;
- The time within which an employer must provide notice;
- The format in which notice must be provided;
- The content that must be included in the notice; and
- Whether notice must be provided to additional parties.
Some states' laws have common exceptions to these requirements. For instance, Arizona, Iowa and Maryland have coverage exceptions for entities subject to HIPAA or Title V of the Gramm-Leach-Bliley Act, or entities that must comply with the notification requirements or security breach procedures of their primary or functional federal regulator.
Most states also exclude certain information from the definition of personal information, such as data that is publicly available, redacted or encrypted (if the encryption key is not compromised). Many states, such as Arkansas and Iowa, also have exceptions to the notice timing requirement, such as when law enforcement requests a delay to prevent interference with a criminal investigation or when the covered entity needs time to determine the nature and scope of the breach.
Additionally, several states, including California, Georgia and New York, exempt an employer from the notice requirement if, after a determination is made, the breach is unlikely to result in material harm to the individuals whose information has been accessed. Further information on exceptions to state data breach notification laws is addressed in the Workplace Security sections of the Employment Law Manual. There are no federal requirements relating to data breaches, as indicated by N/A in the chart.