Cyber and Privacy Risk and Insurance

Changes in State Breach Notification and Security Procedures Laws

Melissa Krasnow | December 1, 2017


State breach notification laws continue to be amended to provide for notification of a state attorney general or regulator about a breach in addition to notifying affected individuals, and the number of state laws addressing security procedures continues to increase.

Following is a summary of the laws addressing notification requirements.

Attorney General or Regulator Breach Notification

Forty-eight states, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, have breach notification laws. (Alabama and South Dakota do not have these laws.)

The breach notification laws require notification of affected individuals of a breach. The Delaware breach notification law was amended to require, as does a new New Mexico breach notification law, that a company also notify the state attorney general about a breach in addition to affected individuals.

Twenty-seven state breach notification laws—California, Connecticut, Delaware, Florida, Hawaii, Illinois, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, Montana, Nebraska, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oregon, Rhode Island, South Carolina, Vermont, Virginia, and Washington—plus the Puerto Rico breach notification law require notification of a breach to a state attorney general or regulator in addition to notifying the affected individuals. 1

The following states' breach notification laws require notification to a state attorney general or regulator, in addition to notifying the affected individuals, when the breach affects the number of individuals listed.

  • North Dakota, more than 250 individuals
  • Oregon, more than 250 residents
  • Florida, 500 or more individuals
  • California, Delaware, Iowa, Rhode Island, or Washington, more than 500 residents
  • Hawaii, more than 1,000 individuals
  • Missouri, more than 1,000 consumers
  • New Mexico and South Carolina, more than 1,000 residents

The Connecticut, Illinois, Indiana, Louisiana, Maine, Maryland, Massachusetts, Montana, Nebraska, New Hampshire, New Jersey, New York, North Carolina, Vermont, and Virginia breach notification laws, plus the Puerto Rico breach notification law, require notification of a breach to a state attorney general or regulator regardless of the number of affected individuals.

The Delaware breach notification law also was amended to require that, where there is a breach (or it is reasonably believed there has been a breach) involving a Social Security number, credit monitoring services be offered at no cost to each affected Delaware resident for 1 year and that all information necessary for such resident to enroll in such services be provided, including information on how such resident can place a credit freeze on his or her credit file. Such services are not required if, after an appropriate investigation, it is reasonably determined that the breach is unlikely to result in harm to the individuals whose personal information has been breached. 2

Of note, Virginia's breach notification law was amended to require any employer or payroll service provider that owns or licenses computerized data relating to income tax withheld to notify the Virginia attorney general of a breach involving computerized data containing a taxpayer identification number together with the income tax withheld for that taxpayer. This applies only to information regarding an employer's employees, not the employer's customers or other nonemployees. Upon receipt of such notice, the Virginia attorney general will then notify the Virginia Department of Taxation. 3

State Security Procedures Laws

With new Delaware and New Mexico laws, 16 states have laws addressing security procedures—Arkansas, California, Connecticut, Delaware, Florida, Illinois, Indiana, Kansas, Maryland, Massachusetts, Nevada, New Mexico, Oregon, Rhode Island, Texas, and Utah. 4



Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.


Footnotes

1 Cal. Civ. Code § 1798.82; Conn. Gen. Stat. § 36a–701b; Del. Code tit. 6, § 12B-101 et seq. (effective date April 14, 2018); Fla. Stat. § 501.171; Haw. Rev. Stat. § 487N–2; Illinois 815 ILCS 530/50; Ind. Code §§ 24-4.9 et seq.; Iowa Code § 715C.2; La. Rev. Stat. § 51:3074 and La. Admin. Code tit. 16, pt. III, § 701; Me. Rev. Stat. Ann. tit. 10, § 1348; MD Code, Com. Law § 14–3504; Mass. Gen. Laws ch. 93H; Missouri Rev. Stat. § 407.1500; MCA § 30–14–1704; Neb. Rev. Stat. §§ 87–801 et seq.; N.H. Rev. Stat. § 359–C:20; N.J. Stat. Ann. § 56:8–163; N.M. H.B. 15, Chap. 36; N.Y. Gen. Bus. Law § 899–aa; N.C. Gen. Stat. § 75–65; N.D. Cent. Code §§ 51-30-01 et seq.; Or. Rev. Stat. § 646A.604; R.I. Gen. Laws § 11–49.3–4; S.C. Code § 39–1–90; Vt. Stat. Ann. tit. 9, § 2435; Va. Code Ann. § 18.2–186.6; RCW § 19.255.010; and 10 L.P.R.A. § 4052.
2 Del. Code tit. 6, § 12B-101 et seq. (effective date April 14, 2018).
3 Va. Code Ann. § 18.2–186.6.
4 Ark. Code § 4–110–104; Cal. Civ. Code § 1798.81.5; Conn. Gen. Stat. § 42–471; Del. Code tit. 6, § 12B-100 (effective date April 14, 2018); Fla. Stat. § 501.171; 815 ILCS 530/45 et seq.; Ind. Code § 24–4.9–3–3.5; K.S. § 50-6,139b; MD Comm. Law Code § 14–3503; 201 CMR §§ 17.00 et seq.; Nev. Rev. Stat. § 603A.210; N.M. H.B. 15, Chap. 36; Or. Rev. Stat. § 646A.622; R.I. Stat. § 11–49.3–2; Tex. Bus. & Comm. Code § 521.052; and Utah Code Ann. § 13–44–201.