Data Breach Laws: A State-by-State Framework

By Vigilize | Monday, August 17, 2020 - Leave a Comment

What you need to know for compliance coast-to-coast.

Back in February we posted an article summarizing state data breach laws, but only as they applied to schools.  This time around, we’re taking a look at the state data breach laws concerning businesses, including banks.  While compiling this list we found many similarities between each state’s legislation, including many states that do not apply their specific laws to organizations that already must comply with federal legislation such as HIPAA (the Health Insurance Portability and Accountability Act) or GLBA (the Gramm-Leach-Bliley Act).  Despite these similarities, not every state is the same, which is why we’re providing the following list.  Unless an entry says otherwise, “notification” below means notification of the affected consumers, and each deadline runs from the discovery or determination of the breach, as the entry states.  An incident that affects residents of more than one state must satisfy every applicable state’s rules, which in practice means planning around the shortest deadline and the lowest regulator-notification threshold among the states involved.  These laws are amended often, so verify each entry against the current statute text before relying on it.

Alabama: SB 318 – Requires notification in writing no later than 45 days after discovery of a breach.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Alaska: Statute 45.48.010 – Requires notification “without reasonable delay” of any breach that may have resulted in unauthorized acquisition of personal information.

Arizona: Statute 18-545 – Requires notification within 45 days, unless the breach is not likely to result in “substantial economic loss” to those impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Arkansas: Code 4-110-101 – Requires notification “without unreasonable delay” unless there is no reasonable likelihood of harm.  Notification may be delayed for law enforcement purposes.

California: Civil Code 1798.29 – Requires notification “without unreasonable delay,” and also requires notification of the state Attorney General if more than 500 customers are impacted.  Businesses in violation are subject to civil action by those impacted by the breach.

Colorado: Statute 6-1-716 – Requires notification no later than 30 days after determination of a breach, along with notification of the state Attorney General if more than 500 customers are impacted.  Organizations that follow breach notification procedures set by their own primary state or federal regulator are deemed to be in compliance with this law.

Connecticut: Statute 36a-701b – Requires notification no later than 90 days after determination of a breach, including notification of the state Attorney General.  Organizations that follow breach notification procedures set by their own primary state or federal regulator are deemed to be in compliance with this law.

Delaware: Code Title 6, Chapter 12B – Requires notification no later than 60 days after determination of a breach, unless the breach is unlikely to result in harm to those impacted.  Organizations with their own notification policy are deemed to be in compliance with this law, as long as notification is provided within 60 days.

Florida: Statute 501.171 – Requires notification no later than 30 days after determination of a breach, along with notification of the state Department of Legal Affairs if more than 500 customers are impacted.  Failure to notify can result in fines of $1,000 for each day the breach remains undisclosed.

Georgia: Code 10-1-912 – Requires notification “without unreasonable delay,” along with notification of all nationwide consumer reporting agencies if more than 10,000 customers are impacted.

Hawaii: Statute 487N-1 – Requires notification “without unreasonable delay,” along with notification of the state Office of Consumer Protection if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Idaho: Code 28-51-104 – Requires notification “in the most expedient time possible.”  Organizations with their own notification policies are deemed to be in compliance with this law, as long as that policy is followed.

Illinois: 815 ILCS 530 – Requires notification “without unreasonable delay.”  Organizations may develop their own notification policy so long as it complies with the state law.

Indiana: Code 4-1-11, 24-4.9 – Requires notification “without unreasonable delay” if the breach could result in identity theft or fraud.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Iowa: Code 715C.1 – Requires notification “without unreasonable delay,” along with notification of the state Attorney General if more than 500 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Kansas: Statute 50-7a01 – Requires notification “without unreasonable delay” unless personal information is unlikely to be abused.  If more than 1,000 customers are impacted, all nationwide consumer reporting agencies must be notified as well.

Kentucky: Statute 365.732 – Requires notification “without unreasonable delay” unless personal information is unlikely to be abused.  If more than 1,000 customers are impacted, all nationwide consumer reporting agencies must be notified as well.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Louisiana: Statute 51:3071 – Requires notification no later than 60 days after a breach has been discovered, unless there is no likelihood of harm to those impacted.  Notification of the state Attorney General is also required if consumers must be notified.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Maine: Statute 1346 – Requires notification “without unreasonable delay,” along with notification of the state Attorney General, unless there is no reasonable likelihood the information will be abused.

Maryland: Commercial Code 14-3501 – Requires notification no later than 45 days after discovery of a breach.  The state Attorney General must be notified before customers.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Massachusetts: General Law 93H – Requires notification “without unreasonable delay,” along with notification of the state Attorney General.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Michigan: Statute 445.63 – Requires notification “without unreasonable delay,” unless the breach is not likely to cause substantial loss or injury to those impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Minnesota: Statute 325E.61 – Requires notification “without unreasonable delay,” along with notification of all nationwide consumer reporting agencies if more than 500 customers are impacted.

Mississippi: Code 75-24-29 – Requires notification “without unreasonable delay,” unless the breach is not likely to cause substantial loss or injury to those impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Missouri: Statute 407.1500 – Requires notification “without unreasonable delay,” unless there is no likelihood of identity theft or fraud.  Notification of the state Attorney General and all nationwide consumer reporting agencies is required if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Montana: Code 30-14-1704 – Requires notification “without unreasonable delay,” along with notification of the state Attorney General and consumer reporting agencies.

Nebraska: Statute 87-801 – Requires notification “without unreasonable delay,” unless it is unlikely the disclosed information will be abused.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Nevada: Statute 603A.010 – Requires notification “without unreasonable delay,” along with notification of all consumer reporting agencies if more than 1,000 customers are impacted.

New Hampshire: Statute 359-C:20 – Requires notification “as soon as possible,” along with notification of the state Attorney General and all consumer reporting agencies if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are not bound by this law.

New Jersey: Statute 56:8-163 – Requires notification “without unreasonable delay,” unless misuse of the information is not reasonably possible.  Prior to notification of customers, the Division of State Police in the Department of Law and Public Safety must be notified.

New Mexico: HB 15 – Requires notification no later than 45 days after discovery of a breach.  If more than 1,000 customers are impacted, notification of the state Attorney General and all nationwide consumer reporting agencies is also required.  Organizations in compliance with GLBA are exempt from this law.

New York: General Business Law 899-aa – Requires notification “without unreasonable delay” after a breach is discovered.  Additionally, the state Attorney General, Consumer Protection Board, State Police and Office of Information Technology Services must also be notified.  If more than 5,000 customers are impacted, consumer reporting agencies must also be notified.

North Carolina: Statute 75-61 – Requires notification “without unreasonable delay” after a breach is discovered.  The state Attorney General’s office must be notified, as well as all nationwide consumer reporting agencies if more than 1,000 customers have been impacted.

North Dakota: Code 51-30-01 – Requires notification “without unreasonable delay,” along with notification of the state Attorney General if more than 250 customers are impacted.  Organizations may maintain their own notification policies so long as they comply with state law.

Ohio: Revised Code 1349.19 – Requires notification within 45 days after discovery of a breach.  If more than 1,000 customers are impacted, all nationwide consumer reporting agencies must be notified as well.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Oklahoma: Statute 161 – Requires notification “without unreasonable delay” after discovery of a breach.  Organizations may maintain their own notification policies so long as they are in compliance with state law.

Oregon: Statute 646A.600 – Requires notification no later than 45 days after discovery of a breach.  The state Attorney General must also be notified if more than 250 customers are impacted.  If more than 1,000 customers are impacted, all nationwide consumer reporting agencies must also be notified.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Pennsylvania: Statute 73-2301 – Requires notification “without unreasonable delay,” along with notification of all nationwide consumer reporting agencies if more than 1,000 customers are impacted.

Rhode Island: General Law 11-49.3 – Requires notification no later than 45 days after discovery of a breach.  If more than 500 customers are impacted, the state Attorney General and all major credit reporting agencies must also be notified.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

South Carolina: Code 39-1-90 – Requires notification “without unreasonable delay” after discovery of a breach.  The state Department of Consumer Affairs must be notified if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

South Dakota: SB 62 – Requires notification within 60 days of discovering a breach.  Consumer reporting agencies must also be notified of the breach.  If more than 250 customers are impacted, the state Attorney General must also be notified.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Tennessee: Code 47-48-2107 – Requires notification within 45 days of the discovery of a breach.  All consumer reporting agencies must be notified if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Texas: Business and Commerce Code 521.002 – Requires notification “as quickly as possible” after discovery of a breach.  If more than 10,000 customers are impacted, all nationwide consumer reporting agencies must be notified as well.

Utah: Code 13-44-101 – Requires notification “without unreasonable delay” after discovery of a breach, unless misuse of data is unlikely.

Vermont: Statute 9-2430 – Requires notification within 45 days of the discovery of a breach.  The state Attorney General or Department of Financial Regulation must also be notified within 14 days.  All consumer reporting agencies must also be informed if more than 1,000 customers are impacted.

Virginia: Code 18.2-186.6 – Requires notification “without unreasonable delay” after discovery of a breach.  The state Attorney General must also be notified, along with all nationwide consumer reporting agencies if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Washington: Code 19.255.010 – Requires notification no later than 45 days after the discovery of a breach, unless the breach is unlikely to cause harm.  If more than 500 customers are impacted, the state Attorney General must also be notified.

West Virginia: Code 46A-2A-101 – Requires notification “without unreasonable delay,” along with notification of all consumer reporting agencies if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Wisconsin: Statute 134.98 – Requires notification within 45 days of the discovery of a breach.  All nationwide consumer reporting agencies must also be notified if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Wyoming: Statute 40-12-501 – Requires notification “without unreasonable delay” after the discovery of a breach.  Organizations in compliance with GLBA are deemed to be in compliance with this law.
