May 25, 2020

May 22, 2020

State Data Breach Notification Laws – Overview of Requirements for Responding to a Data Breach – Updated April 2019

With the ever-changing complexity of state data breach notification laws, companies facing a data breach need resources that will help them understand the issues.  This summary provides an overview of the similarities and differences in data breach laws adopted in the 50 United States and District of Columbia.[1]  All states require that affected residents be notified of a security breach (as that term is defined in each law), and many also require that state agencies and the three major national credit reporting agencies be notified in certain circumstances.  Many state agencies require or permit companies to submit notices online, and some agencies publicly post copies of the notices they receive.  As a practical matter, most companies that experience a breach that affects their customers, employees, or other individuals with whom they have a relationship will be required to comply with all or several state laws depending on where the individuals reside, and international and sector-specific data breach notification laws may also apply.  In addition, many state laws impose data security requirements, which should also be consulted. 

Since our last update, several states amended their laws to impose additional requirements, such as free credit monitoring for individuals whose Social Security number is acquired.  Notably, the Massachusetts law was recently amended (effective April 11, 2019) to require that, in addition to offering complimentary credit monitoring, companies that experience a breach that triggers notices to the Office of Consumer Affairs and Business Regulation and the Attorney General’s Office must indicate in such notices whether they maintain a written information security program (WISP), as required by the law.  The requirement to maintain a WISP is not new, but businesses that experience a breach affecting Massachusetts residents will now be subject to more scrutiny.   

The laws continue to evolve and change, so it is important to consult experienced counsel and check relevant laws for any updates whenever you experience a data breach. 

This summary is intended to provide general information about applicable laws, and does not constitute legal advice regarding specific facts or circumstances. 

[1] This summary only covers data breach notification laws for the 50 United States and District of Columbia.  It does not cover laws adopted in any U.S. territories, sector-specific laws (such as the Gramm-Leach-Bliley Act, HIPAA Breach Notification Rule, and New York State Department of Financial Services Cybersecurity Regulation), or international data breach notification laws. 


© 2020 Keller and Heckman LLP


About this Author

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of Beyond Telecom Law Blog and Consumer Protection Connection.

Education: Washington and Lee University (B.A., 1997); American University, Washington College of Law (J.D., 2002).

Admissions: District of Columbia; Maryland

Memberships: American Bar Association