Mintz Matrix – Data Breach Laws in All 50 States – 04/27/2018
Friday, April 27, 2018

With the recent enactment of data breach notification laws in South Dakota and Alabama, all 50 US states now have laws regulating data breach notification. We’ve updated the Mintz Matrix to provide you with the latest information.

Managing the differing requirements remains a challenge and points to the need for updated incident response plans. As an example, the chart below outlines the different timelines for notification. The Mintz Matrix contains information on all of these, and more.

Breach Notification Timeline

Time After Discovery of Breach

    Action Required

10 Calendar Days

  • Puerto Rico Department of Consumer Affairs

14 Business Days

  • Vermont AG preliminary notification

15 Business Days

  • California residents, California AG, and California Department of Public Health must be notified of the disclosure of PHI by a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health (“CDPH”)

30 Calendar Days

  • Florida residents, AG (500+ residents) (Can request 15-day extension) (60 Days for PHI/HIPAA incidents).

  • Indiana AG will open an investigation if not notified within 30 days

45 Calendar Days

  • Ohio residents

  • Tennessee residents (60 Days for PHI/HIPAA incidents)

  • Vermont residents, AG

  • Washington residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents)

  • Wisconsin residents (60 Days for PHI/HIPAA incidents)

  • New Mexico residents, AG (500+ residents)

  • Maryland residents (60 Days for PHI/HIPAA incidents)

60 Calendar Days

  • Individuals and HHS OCR for PHI disclosure.

  • Delaware (effective 4/14/18), AG (500+ residents)

90 Calendar Days

  • Connecticut residents (60 days for PHI/HIPAA incidents)

Most expedient time and without unreasonable delay

  • AK, AZ, AR, CA (other than as noted above), CO, DE (until 4/14/18), DC, GA, HI, ID, IL, IA, KS, KY, ME, MA, MI, MN, MS, MO, MT, NV, NJ, NY, NC, ND, OK, OR, PA, PR, SC, UT, VA, WV, WY

As soon as possible

  • NE, NH, TX

Days After Confirmation of Breach

  Action Required

45 Calendar Days

  • Rhode Island residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents).

 
