State breach notification laws continue to be amended to provide for notification of a state attorney general or regulator about a breach in addition to notifying affected individuals, and the number of state laws addressing security procedures continues to increase.
Following is a summary of the laws addressing notification requirements.
Forty-eight states, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, have breach notification laws. (Alabama and South Dakota do not have these laws.)
The breach notification laws require notification of affected individuals of a breach. The Delaware breach notification law was amended to require, along with a new New Mexico breach notification law, a company also to notify state attorney generals about a breach in addition to affected individuals.
Twenty-seven state breach notification laws—California, Connecticut, Delaware, Florida, Hawaii, Illinois, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Rhode Island, South Carolina, Vermont, Virginia, and Washington—plus the Puerto Rico breach notification law require notification of a breach to a state attorney general or regulator in addition to notifying the affected individuals. 1
The following states' breach notification laws require notification to a state attorney general or regulator in addition to notifying the affected individuals.
The Connecticut, Illinois, Indiana, Louisiana, Maine, Maryland, Massachusetts, Montana, Nebraska, New Hampshire, New Jersey, New York, North Carolina, Vermont, and Virginia breach notification laws, plus the Puerto Rico breach notification law, require notification of a breach to a state attorney general or regulator regardless of the number of affected individuals.
The Delaware breach notification law also was amended to require where there is breach (or it is reasonably believed there has been a breach) involving a Social Security number, credit monitoring services be offered at no cost to each affected Delaware resident for 1 year and all information necessary for such resident to enroll in such services be provided, including information on how such resident can place a credit freeze on his or her credit file. Such services are not required if, after an appropriate investigation, it is reasonably determined that the breach is unlikely to result in harm to the individuals whose personal information has been breached. 2
Of note, Virginia's breach notification law was amended to require any employer or payroll service provider that owns or licenses computerized data relating to income tax withheld to notify the Virginia attorney general of a breach involving computerized data containing a taxpayer identification number together with the income tax withheld for that taxpayer. This applies only to information regarding an employer's employees, not the employer's customers or other nonemployees. Upon receipt of such notice, the Virginia attorney general will then notify the Virginia Department of Taxation. 3
With new Delaware and New Mexico laws, 16 states have laws addressing security procedures—Arkansas, California, Connecticut, Delaware, Florida, Illinois, Indiana, Kansas, Maryland, Massachusetts, Nevada, New Mexico, Oregon, Rhode Island, Texas, and Utah. 4
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.