U.S. State Security Breach Notification Laws

The growing concerns over identity theft and data breaches has led most states to enact laws requiring businesses and government agencies to provide notice to individuals whose personal data has been involved in a security breach. These laws vary in their scope and in what is considered “personal information”. Most of the laws specify who is responsible for providing notice, how notice must be given and when. These laws typically provide for civil and criminal sanctions for companies and other entities that fail to provide the required notice. Other states have included specific requirements for establishing adequate security to protect the personal information.

The following section provides an overview of U.S. State Security Breach Notification Laws and their requirements. Links are provided to the relevant laws. Additionally, the following topics are covered:

• Title: This is the name given to the legislation at the time of enactment or how it is currently referred to in the relevant state.
• Citation: This is the formal citation to the specific law and a hyperlink.
• Summary: This provides a brief overview of the legislation.
• Data Covered: This identifies the specific data covered by the legislation.
• Industry: This identifies the specific industries or sectors that are covered by the legislation.
• Penalties: This identifies the sanctions provided for failure to comply with the law’s requirements.