Expert Commentary

Changes in State Breach Notification Laws

As data breaches continue to occur, breach notification laws are being amended or enacted. In the United States, state and federal breach notification laws should be monitored carefully regarding changes, as should breach notification laws in other countries (e.g., Canada).

Cyber and Privacy Risk and Insurance
August 2014

As of July 15, 2014, 47 states (other than Alabama, New Mexico, and South Dakota) plus the District of Columbia, Guam, Puerto Rico, and Virgin Islands have breach notification laws. This article addresses changes in state breach notification laws.

State Attorney General or Regulator Breach Notification

One of the changes in state breach notification laws is that they increasingly require notification of a breach to a state attorney general or regulator in addition to the affected individuals. The breach notification laws require notification of affected individuals of a breach. The number of state breach notification laws requiring a company also to notify a state attorney general or regulator about the breach is increasing.

Eighteen state breach notification laws—California, Connecticut, Florida, Hawaii, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, South Carolina, Vermont, and Virginia, plus the Puerto Rico breach notification law—require notification of a breach to a state attorney general or regulator in addition to notifying the affected individuals.1

The amendment to the Iowa breach notification law and the repeal and enactment of the Florida breach notification law each became effective July 1, 2014. The Florida and Iowa breach notification laws require notification to a state attorney general or regulator in addition to notifying the affected individuals where the breach affects 500 or more individuals in Florida or more than 500 Iowa residents, respectively.

The California, Hawaii, Missouri, and South Carolina breach notification laws also require notification to a state attorney general or regulator in addition to notifying the affected individuals where there are (1) more than 500 California residents; (2) more than 1,000 individuals in Hawaii; (3) more than 1,000 consumers in Missouri; and (4) more than 1,000 South Carolina residents affected, respectively.

The Connecticut, Indiana, Louisiana, Maine, Maryland, Massachusetts, New Hampshire, New Jersey, New York, North Carolina, Vermont, and Virginia breach notification laws, plus the Puerto Rico breach notification law, require notification of a breach to a state attorney general or regulator regardless of the number of affected individuals.

Notification for Electronic and Paper Breaches

State breach notification laws cover breaches involving personal information in electronic format. The Iowa breach notification law also was amended to cover breaches involving personal information in both electronic and paper formats. Seven state breach notification laws—Alaska, Hawaii, Indiana, Iowa, Massachusetts, North Carolina, and Wisconsin—cover breaches involving personal information in both electronic and paper formats. Interestingly, these state breach notification laws (other than the Alaska and Wisconsin breach notification laws) also require notification to a state attorney general or regulator in addition to notifying the affected individuals.2

Kentucky Breach Notification Law

Kentucky enacted a breach notification law that became effective July 15, 2014.3 Kentucky also enacted unique provisions regarding cloud computing service providers (other than kindergarten to grade 12 educational institutions) that provide kindergarten to grade 12 educational institutions with account-based access to online computing resources. This law prohibits the processing of student data by cloud computing service providers for (1) any purpose other than providing, improving, or maintaining the integrity of the cloud computing services without express permission from the student's parent, except for assisting an educational institution in conducting educational research as permitted by the Family Educational Rights and Privacy Act of 1974; and (2) advertising or selling, disclosing, or otherwise processing student data for any commercial purpose. This law also requires a cloud computing service provider that enters into an agreement to provide cloud computing services to a kindergarten to grade 12 educational institution to certify in writing to comply with the obligations in the immediately preceding sentence.4

1Cal. Civ. Code § 1798.82; Conn. Gen. Stat. § 36a-701b; Fla. Stat. § 501.171; Haw. Rev. Stat. § 487N-2; Ind. Code § 24–4.9–3–1; Iowa Code § 715C.2; La. Rev. Stat. § 51:3074 and La. Admin. Code tit. 16, pt. III, § 701; Me. Rev. Stat. Ann. tit. 10, § 1348; MD Code, Com. Law § 14–3504; Mass. Gen. Laws ch. 93H; Missouri Rev. Stat. § 407.1500; N.H. Rev. Stat. § 359-C:20; N.J. Stat. Ann. § 56:8–163; N.Y. Gen. Bus. Law § 899-aa; N.C. Gen. Stat. § 75–65; S.C. Code § 39–1–90; Vt. Stat. Ann. tit. 9, § 2435; Va. Code Ann. § 18.2–186.6 and 10 L.P.R.A. § 4052.

2Alaska Stat. §§ 45.48.010 and 45.48.090; Haw. Rev. Stat. §§ 487N-1 and 487N-2; Ind. Code § 24–4.9–2; Iowa Code § 715C.1; Mass. Gen. Laws ch. 93H; N.C. Gen. Stat. § 75–61 and Wis. Stat. § 134.98.

3Ky. Rev. Stat. § 365.732.

4Ky. Rev. Stat. § 365.734.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.

Like This Article?

IRMI Update

Dive into thought-provoking industry commentary every other week, including links to free articles from industry experts. Discover practical risk management tips, insight on important case law and be the first to receive important news regarding IRMI products and events.

Learn More