Data Breach Notification Laws: Another Aspect of Privacy Compliance
In addition to comprehensive privacy regulations, such as California’s Consumer Privacy Act and Privacy Rights Act, which are just emerging at the state level, all U.S. states already have breach notification regulations. Furthermore, data breaches of certain information might give rise to notification obligations under federal law, such as HIPAA. Failure to properly monitor, document and report data breaches can lead to costly regulatory investigations, steep fines, and potential lawsuits. When privacy is compromised, consumers and employees lose trust in a company’s ability to manage personal data.
State Data Breach Notification Laws
| Alabama | Ala. Code § 8-38-1 et seq. |
| Alaska | Alaska Stat. § 45.48.010 et seq. |
| Arizona | Ariz. Rev. Stat. § 18-551 to -552 |
| Arkansas | Ark. Code §§ 4-110-101 et seq. |
| California | Cal. Civ. Code §§ 1798.29, 1798.82, CCPA Regulation |
| Colorado | Colo. Rev. Stat. § 6-1-716 |
| Connecticut | Conn. Gen Stat. §§ 36a-701b, 4e-70 |
| Delaware | Del. Code tit. 6, § 12B-101 et seq. |
| Florida | Fla. Stat. §§ 501.171, 282.0041, 282.318(2)(i) |
| Georgia | Ga. Code §§ 10-1-910 to -912; 46-5-214 |
| Hawaii | Haw. Rev. Stat. § 487N-1 et seq. |
| Idaho | Idaho Stat. §§ 28-51-104 to -107 |
| Illinois | 815 ILCS §§ 530/1 to 530/25, 815 ILCS 530/55 (2020 S.B. 1624) |
| Indiana | Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq. |
| Iowa | Iowa Code §§ 715C.1, 715C.2 |
| Kansas | Kan. Stat. § 50-7a01 et seq. |
| Kentucky | KRS § 365.732, KRS §§ 61.931 to 61.934 |
| Louisiana | La. Rev. Stat. §§ 51:3071 et seq. |
| Maine | Me. Rev. Stat. tit. 10 § 1346 et seq. |
| Maryland | Md. Code Com. Law §§ 14-3501 et seq., Md. State Govt. Code §§ 10-1301 to -1308 |
| Massachusetts | Mass. Gen. Laws § 93H-1 et seq. |
| Michigan | Mich. Comp. Laws §§ 445.63, 445.72 |
| Minnesota | Minn. Stat. §§ 325E.61, 325E.64 |
| Mississippi | Miss. Code § 75-24-29 |
| Missouri | Mo. Rev. Stat. § 407.1500 |
| Montana | Mont. Code §§ 2-6-1501 to -1503, 30-14-1704, 33-19-321 |
| Nebraska | Neb. Rev. Stat. §§ 87-801 et seq. |
| Nevada | Nev. Rev. Stat. §§ 603A.010 et seq., 242.183 |
| New Hampshire | N.H. Rev. Stat. §§ 359-C:19, 359-C:20, 359-C:21 |
| New Jersey | N.J. Stat. § 56:8-161, 163 |
| New Mexico | N.M. Stat. §§ 57-12C-1 |
| New York | N.Y. Gen. Bus. Law § 899-AA |
| North Carolina | N.C. Gen. Stat §§ 75-61, 75-65, 14-113.20 |
| North Dakota | N.D. Cent. Code §§ 51-30-01 et seq. |
| Ohio | Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192 |
| Oklahoma | Okla. Stat. §§ 74-3113.1, 24-161 to -166 |
| Oregon | Oregon Rev. Stat. §§ 646A.600 to .628 |
| Pennsylvania | 73 Pa. Stat. §§ 2301 et seq. |
| Rhode Island | R.I. Gen. Laws §§ 11-49.3-1 et seq. |
| South Carolina | S.C. Code § 39-1-90 |
| South Dakota | S.D. Cod. Laws §§ 20-40-19 to -26 |
| Tennessee | Tenn. Code §§ 47-18-2107; 8-4-119 |
| Texas | Tex. Bus. & Com. Code §§ 521.002, 521.053 |
| Utah | Utah Code §§ 13-44-101 et seq. |
| Vermont | Vt. Stat. tit. 9 §§ 2430, 2435 |
| Virginia | Va. Code §§ 18.2-186.6, 32.1-127.1:05 |
| Washington | Wash. Rev. Code §§ 19.255.010, 42.56.590 |
| West Virginia | W.V. Code §§ 46A-2A-101 et seq. |
| Wisconsin | Wis. Stat. § 134.98 |
| Wyoming | Wyo. Stat. § 6-3-901(b), §§ 40-12-501 to -502 |
| District of Columbia | D.C. Code §§ 28- 3851 et seq., 2020 B 215 |
| Guam | 9 GCA §§ 48-10 et seq. |
| Puerto Rico | 10 Laws of Puerto Rico §§ 4051 et seq. |
| Virgin Islands | V.I. Code tit. 14, §§ 2208, 2209 |
Know Your Data to Comply with Breach Notification Laws
Data inventory and mapping is an essential first step to building a successful data breach response notification plan. The law typically requires notification in cases when certain personal information in breached. Therefore, you need to understand what personal information your organization collects, processes, and stores. Furthermore, an ongoing data mapping can illuminate data processing areas that were missed initially or where the process has changed. Organizations that do not inventory or map their data after they have set their processes may find that they are working from out-of-date information and therefore open themselves to potential liability.
Clarip’s data mapping software tools can automate the process of understanding what data is collected by the organization, where data is collected, where data is stored, and whether and with whom it is shared. Early awareness of changes to your data and prompt notification of these changes provided by the Clarip’s software gives your team an edge on information risks and will help you comply with the applicable breach notification laws.
Access Clarip’s Privacy Whitepapers Today
For assistance with Consumer Deletion Requests, call Clarip today at 1-888-252-5653 or contact us.
Privacy News
– Clarip Blog
Whitepapers
– What Your Company Needs to Know About Regulations of Biometric Data
– Right to Opt-Out of Sale of Personal Data Under the California and Nevada Laws
– Responding to Personal Data Deletion Requests Under the California Consumer Privacy Act
– Right to Opt-Out of Sale of Personal Data Under the California and Nevada Laws
– Verifiable Data Subject Requests under the GDPR and the CCPA
– Other Resources
California Consumer Privacy Act
– CCPA Text
– CCPA Summary
– CCPA vs GDPR
– CCPA Privacy Software
– CCPA Webinar
– SB-1121 Amendments
EU GDPR
– GDPR Text
– GDPR Compliance
– Consent Management Software
– GDPR Data Mapping Software
– DSAR Portal