Skip to content

What’s a Data Breach? It Depends on the State

Forty-seven states and the District of Columbia have laws dealing with data breach notification, according to the National Conference of State Legislatures.

California was the first state to enact such a law in 2002, according to Pam Greenberg at the NCSL. The 2005 ChoicePoint data breach — which affected 163,000 consumers — spurred a number of additional state laws, according to Greenberg. She said 22 states enacted laws just that year.

“Although they have similarities, they’re not all the same,” Phyllis B. Sumner said about the 47 state laws. Sumner is a partner at the law firm King & Spalding who leads the firm’s data, privacy and security practice, which represents clients on the issue of data breaches.

“They have different timing requirements, different requirements as to who must be notified, different notification content requirements and even what actually triggers the notification,” she said.

A couple examples of differences, according to Sumner:

Whether notification is limited to electronic data breaches or also covers events that occur with paper documents.

Whether state attorneys general need to be notified.

Sumner said there are similarities as well. Many states have similar definitions of what would constitute the personally identifiable information that would trigger a company’s obligation to notify consumers, for example.

Recent Stories

Micron gets combined $13.6 billion grant, loan for chip plants

EPA says its new strict power plant rules will pass legal tests

Case highlights debate over ‘life of the mother’ exception

Supreme Court split on Idaho abortion ban in emergency rooms

Donald Payne Jr., who filled father’s seat in the House, dies at 65

Biden signs foreign aid bill, says weapons to be sent to allies within hours