As of July 15, 2014, 47 states (other than Alabama, New
Mexico, and South Dakota) plus the District of Columbia, Guam,
Puerto Rico, and Virgin Islands have breach notification laws.
This article addresses changes in state breach notification
laws.
State Attorney General or Regulator Breach Notification
One of the changes in state breach notification laws is that
they increasingly require notification of a breach to a state
attorney general or regulator in addition to the affected
individuals. The breach notification laws require notification
of affected individuals of a breach. The number of state breach
notification laws requiring a company also to notify a state
attorney general or regulator about the breach is increasing.
Eighteen state breach notification laws—California,
Connecticut, Florida, Hawaii, Indiana, Iowa, Louisiana, Maine,
Maryland, Massachusetts, Missouri, New Hampshire, New Jersey,
New York, North Carolina, South Carolina, Vermont, and Virginia,
plus the Puerto Rico breach notification law—require
notification of a breach to a state attorney general or
regulator in addition to notifying the affected individuals.1
The amendment to the Iowa breach notification law and the
repeal and enactment of the Florida breach notification law each
became effective July 1, 2014. The Florida and Iowa breach
notification laws require notification to a state attorney
general or regulator in addition to notifying the affected
individuals where the breach affects 500 or more individuals in
Florida or more than 500 Iowa residents, respectively.
The California, Hawaii, Missouri, and South Carolina breach
notification laws also require notification to a state attorney
general or regulator in addition to notifying the affected
individuals where there are (1) more than 500 California
residents; (2) more than 1,000 individuals in Hawaii; (3) more
than 1,000 consumers in Missouri; and (4) more than 1,000 South
Carolina residents affected, respectively.
The Connecticut, Indiana, Louisiana, Maine, Maryland,
Massachusetts, New Hampshire, New Jersey, New York, North
Carolina, Vermont, and Virginia breach notification laws, plus
the Puerto Rico breach notification law, require notification of
a breach to a state attorney general or regulator regardless of
the number of affected individuals.
Notification for Electronic and Paper Breaches
State breach notification laws cover breaches involving
personal information in electronic format. The Iowa breach
notification law also was amended to cover breaches involving
personal information in both electronic and paper formats. Seven
state breach notification laws—Alaska, Hawaii, Indiana, Iowa,
Massachusetts, North Carolina, and Wisconsin—cover breaches
involving personal information in both electronic and paper
formats. Interestingly, these state breach notification laws
(other than the Alaska and Wisconsin breach notification laws)
also require notification to a state attorney general or
regulator in addition to notifying the affected individuals.2
Kentucky Breach Notification Law
Kentucky enacted a breach notification law that became
effective July 15, 2014.3 Kentucky also
enacted unique provisions regarding cloud computing service
providers (other than kindergarten to grade 12 educational
institutions) that provide kindergarten to grade 12 educational
institutions with account-based access to online computing
resources. This law prohibits the processing of student data by
cloud computing service providers for (1) any purpose other than
providing, improving, or maintaining the integrity of the cloud
computing services without express permission from the student's
parent, except for assisting an educational institution in
conducting educational research as permitted by the Family
Educational Rights and Privacy Act of 1974; and (2) advertising
or selling, disclosing, or otherwise processing student data for
any commercial purpose. This law also requires a cloud computing
service provider that enters into an agreement to provide cloud
computing services to a kindergarten to grade 12 educational
institution to certify in writing to comply with the obligations
in the immediately preceding sentence.4
1Cal. Civ. Code § 1798.82; Conn.
Gen. Stat. § 36a-701b; Fla. Stat. § 501.171; Haw. Rev. Stat. §
487N-2; Ind. Code § 24–4.9–3–1; Iowa Code § 715C.2; La. Rev.
Stat. § 51:3074 and La. Admin. Code tit. 16, pt. III, § 701; Me.
Rev. Stat. Ann. tit. 10, § 1348; MD Code, Com. Law § 14–3504;
Mass. Gen. Laws ch. 93H; Missouri Rev. Stat. § 407.1500; N.H.
Rev. Stat. § 359-C:20; N.J. Stat. Ann. § 56:8–163; N.Y. Gen.
Bus. Law § 899-aa; N.C. Gen. Stat. § 75–65; S.C. Code § 39–1–90;
Vt. Stat. Ann. tit. 9, § 2435; Va. Code Ann. § 18.2–186.6 and 10
L.P.R.A. § 4052.
2Alaska Stat. §§ 45.48.010 and
45.48.090; Haw. Rev. Stat. §§ 487N-1 and 487N-2; Ind. Code §
24–4.9–2; Iowa Code § 715C.1; Mass. Gen. Laws ch. 93H; N.C. Gen.
Stat. § 75–61 and Wis. Stat. § 134.98.
3Ky. Rev. Stat. § 365.732.
4Ky. Rev. Stat. § 365.734.