X

Assess Risk After a Breach – Including Security Breach Notification Laws By State

All 50 states have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.

“Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/ information brokers, government entities, etc); definitions of “personal information” (e.g., name combined with SSN, drivers license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).” according to the National Conference of State Legislatures.

A data breach occurs when there is an intentional or unintentional release of secure or private/confidential information to an untrusted environment. Data breaches can come in a plethora of forms, most commonly: ransomware, malware, phishing, denial of service & physical theft.

Once you have identified that there has been a breach determine the nature and extent of the data involved. Make sure to assess all different types of possible identifiers, sensitive information and extent of the data that was compromised. If possible you should also seek to determine the nature of the attack and the person who acquired, used or received the PII.

Take steps to mitigate the results of the breach and evaluate your risk across:
– Nature and extent of PI
– Unauthorized persons acquiring PI
– Risk whether PI was accessed or acquired
– Impact on risk of compromise mitigation steps

Security Breach Notification Laws

StateCitation
Alabama2018 S.B. 318, Act No. 396
AlaskaAlaska Stat. § 45.48.010 et seq.
ArizonaAriz. Rev. Stat. § 18-545
ArkansasArk. Code §§ 4-110-101 et seq.
CaliforniaCal. Civ. Code §§ 1798.291798.82
ColoradoColo. Rev. Stat. § 6-1-716
ConnecticutConn. Gen Stat. §§ 36a-701b4e-70
DelawareDel. Code tit. 6, § 12B-101 et seq.
FloridaFla. Stat. §§ 501.171282.0041282.318(2)(i) 
GeorgiaGa. Code §§ 10-1-910, -911, -912; § 46-5-214
HawaiiHaw. Rev. Stat. § 487N-1 et seq.
IdahoIdaho Stat. §§ 28-51-104 to -107
Illinois815 ILCS §§ 530/1 to 530/25
IndianaInd. Code §§ 4-1-11 et seq.24-4.9 et seq.
IowaIowa Code §§ 715C.1, 715C.2
KansasKan. Stat. § 50-7a01 et seq. 
KentuckyKRS § 365.732, KRS §§ 61.931 to 61.934 
LouisianaLa. Rev. Stat. §§ 51:3071 et seq.
MaineMe. Rev. Stat. tit. 10 § 1346 et seq.
MarylandMd. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308
MassachusettsMass. Gen. Laws § 93H-1 et seq.
MichiganMich. Comp. Laws §§ 445.63445.72
MinnesotaMinn. Stat. §§ 325E.61325E.64
MississippiMiss. Code § 75-24-29
MissouriMo. Rev. Stat. § 407.1500
MontanaMont. Code §§ 2-6-1501 to -1503, 30-14-1701 et seq.33-19-321
NebraskaNeb. Rev. Stat. §§ 87-801 et seq.
NevadaNev. Rev. Stat. §§  603A.010 et seq.242.183
New HampshireN.H. Rev. Stat. §§ 359-C:19, 359-C:20359-C:21
New JerseyN.J. Stat. § 56:8-161163
New Mexico2017 H.B. 15, Chap. 36 (effective 6/16/2017)
New YorkN.Y. Gen. Bus. Law § 899-AA, N.Y. State Tech. Law 208
North CarolinaN.C. Gen. Stat §§ 75-6175-65
North DakotaN.D. Cent. Code §§ 51-30-01 et seq.
OhioOhio Rev. Code §§ 1347.121349.191349.1911349.192
OklahomaOkla. Stat. §§ 74-3113.1, 24-161 to -166
OregonOregon Rev. Stat. §§ 646A.600 to .628
Pennsylvania73 Pa. Stat. §§ 2301 et seq.
Rhode IslandR.I. Gen. Laws §§ 11-49.3-1 et seq.
South Carolina S.C. Code § 39-1-90
South DakotaS.D. Cod. Laws §§ 20-40-20 to -46 (2018 S.B. 62)
TennesseeTenn. Code §§  47-18-2107; 8-4-119
TexasTex. Bus. & Com. Code §§ 521.002521.053
UtahUtah Code §§ 13-44-101 et seq.
VermontVt. Stat. tit. 9 §§ 2430, 2435
Virginia Va. Code §§ 18.2-186.632.1-127.1:05
WashingtonWash. Rev. Code §§ 19.255.01042.56.590
West Virginia W.V. Code §§ 46A-2A-101 et seq.
WisconsinWis. Stat. § 134.98
WyomingWyo. Stat. §§ 40-12-501 et seq.
District of ColumbiaD.C. Code §§ 28- 3851 et seq.
Guam 9 GCA §§ 48-10 et seq.
Puerto Rico10 Laws of Puerto Rico §§ 4051 et seq.
Virgin Islands V.I. Code tit. 14, §§ 2208, 2209

Resource by National Conference of State Legislatures: https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

Josh Markarian:
Related Post