Assess Risk After a Breach – Including Security Breach Notification Laws By State
All 50 states have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.
“Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/ information brokers, government entities, etc); definitions of “personal information” (e.g., name combined with SSN, drivers license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).” according to the National Conference of State Legislatures.
A data breach occurs when there is an intentional or unintentional release of secure or private/confidential information to an untrusted environment. Data breaches can come in a plethora of forms, most commonly: ransomware, malware, phishing, denial of service & physical theft.
Once you have identified that there has been a breach determine the nature and extent of the data involved. Make sure to assess all different types of possible identifiers, sensitive information and extent of the data that was compromised. If possible you should also seek to determine the nature of the attack and the person who acquired, used or received the PII.
Take steps to mitigate the results of the breach and evaluate your risk across:
– Nature and extent of PI
– Unauthorized persons acquiring PI
– Risk whether PI was accessed or acquired
– Impact on risk of compromise mitigation steps
Security Breach Notification Laws
State | Citation |
---|---|
Alabama | 2018 S.B. 318, Act No. 396 |
Alaska | Alaska Stat. § 45.48.010 et seq. |
Arizona | Ariz. Rev. Stat. § 18-545 |
Arkansas | Ark. Code §§ 4-110-101 et seq. |
California | Cal. Civ. Code §§ 1798.29, 1798.82 |
Colorado | Colo. Rev. Stat. § 6-1-716 |
Connecticut | Conn. Gen Stat. §§ 36a-701b, 4e-70 |
Delaware | Del. Code tit. 6, § 12B-101 et seq. |
Florida | Fla. Stat. §§ 501.171, 282.0041, 282.318(2)(i) |
Georgia | Ga. Code §§ 10-1-910, -911, -912; § 46-5-214 |
Hawaii | Haw. Rev. Stat. § 487N-1 et seq. |
Idaho | Idaho Stat. §§ 28-51-104 to -107 |
Illinois | 815 ILCS §§ 530/1 to 530/25 |
Indiana | Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq. |
Iowa | Iowa Code §§ 715C.1, 715C.2 |
Kansas | Kan. Stat. § 50-7a01 et seq. |
Kentucky | KRS § 365.732, KRS §§ 61.931 to 61.934 |
Louisiana | La. Rev. Stat. §§ 51:3071 et seq. |
Maine | Me. Rev. Stat. tit. 10 § 1346 et seq. |
Maryland | Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308 |
Massachusetts | Mass. Gen. Laws § 93H-1 et seq. |
Michigan | Mich. Comp. Laws §§ 445.63, 445.72 |
Minnesota | Minn. Stat. §§ 325E.61, 325E.64 |
Mississippi | Miss. Code § 75-24-29 |
Missouri | Mo. Rev. Stat. § 407.1500 |
Montana | Mont. Code §§ 2-6-1501 to -1503, 30-14-1701 et seq., 33-19-321 |
Nebraska | Neb. Rev. Stat. §§ 87-801 et seq. |
Nevada | Nev. Rev. Stat. §§ 603A.010 et seq., 242.183 |
New Hampshire | N.H. Rev. Stat. §§ 359-C:19, 359-C:20, 359-C:21 |
New Jersey | N.J. Stat. § 56:8-161, 163 |
New Mexico | 2017 H.B. 15, Chap. 36 (effective 6/16/2017) |
New York | N.Y. Gen. Bus. Law § 899-AA, N.Y. State Tech. Law 208 |
North Carolina | N.C. Gen. Stat §§ 75-61, 75-65 |
North Dakota | N.D. Cent. Code §§ 51-30-01 et seq. |
Ohio | Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192 |
Oklahoma | Okla. Stat. §§ 74-3113.1, 24-161 to -166 |
Oregon | Oregon Rev. Stat. §§ 646A.600 to .628 |
Pennsylvania | 73 Pa. Stat. §§ 2301 et seq. |
Rhode Island | R.I. Gen. Laws §§ 11-49.3-1 et seq. |
South Carolina | S.C. Code § 39-1-90 |
South Dakota | S.D. Cod. Laws §§ 20-40-20 to -46 (2018 S.B. 62) |
Tennessee | Tenn. Code §§ 47-18-2107; 8-4-119 |
Texas | Tex. Bus. & Com. Code §§ 521.002, 521.053 |
Utah | Utah Code §§ 13-44-101 et seq. |
Vermont | Vt. Stat. tit. 9 §§ 2430, 2435 |
Virginia | Va. Code §§ 18.2-186.6, 32.1-127.1:05 |
Washington | Wash. Rev. Code §§ 19.255.010, 42.56.590 |
West Virginia | W.V. Code §§ 46A-2A-101 et seq. |
Wisconsin | Wis. Stat. § 134.98 |
Wyoming | Wyo. Stat. §§ 40-12-501 et seq. |
District of Columbia | D.C. Code §§ 28- 3851 et seq. |
Guam | 9 GCA §§ 48-10 et seq. |
Puerto Rico | 10 Laws of Puerto Rico §§ 4051 et seq. |
Virgin Islands | V.I. Code tit. 14, §§ 2208, 2209 |
Resource by National Conference of State Legislatures: https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx