Data Breach Notification Statutes

Created by Laura Biber on April 04, 2016

Data breach notification is currently governed by state statutes. 47 states currently have data breach notification laws. The only three that do not are Alabama, New Mexico, and South Dakota. There have been repeated calls, including in the 2014 White House Report on Big Data, for a federal data breach notification statute. Highly publicized hacks or breaches generally increase calls for federal legislation, with five bills related to personal data privacy and breaches introduced in 2014 alone. In January 2015, President Obama announced his proposal for the Personal Data Notification & Protection Act, calling for a single federal law in lieu of the “patchwork” of 47 state laws. As of April 2016, this bill was still being considered by Congress.

Most state data breach notification statutes address the following four categories: (1) who must comply with the law (e.g., data brokers, businesses, government); (2) the definition of personal information; (3) the definition of breach; and (4) notification requirements.

The Utah data breach notification law has been mapped and may be found in the list of states.

Written by Laura Biber on April 24, 2016

Supporting Authority

Security Breach Notification Laws

The National Conference of State Legislatures has compiled an overview of state data breach notification statutes and the links to the state statutes themselves. 

Created by Laura Biber on April 21, 2016

Analysis of the White House Data Breach Notification Bill

This article summarizes the Personal Data Notification & Protection Act, announced by President Obama in January 2015. The article contrasts this proposal with the five similar bills introduced in 2014 and explains how this federal law would preempt state data breach notification laws.

Created by Laura Biber on April 21, 2016