The growing concerns over identity theft and data breaches has led most states to enact laws requiring businesses and government agencies to provide notice to individuals whose personal data has been involved in a security breach. These laws vary in their scope and in what is considered “personal information”. Most of the laws specify who is responsible for providing notice, how notice must be given and when. These laws typically provide for civil and criminal sanctions for companies and other entities that fail to provide the required notice. Other states have included specific requirements for establishing adequate security to protect the personal information.
The following section provides an overview of U.S. State Security Breach Notification Laws and their requirements. Links are provided to the relevant laws. Additionally, the following topics are covered:
District of Columbia