All 50 States Now Have Security Breach Notification Laws

Photo courtesy of CIO.com

As of July 1, 2018, all 50 states now have security breach notification laws as Alabama and South Dakota were the last two to finally join the rest of the nation in implementing such laws. Security breach notification laws were first implemented by California in 2003. However, the law didn’t garner a lot of attention until 2005 when ChoicePoint incurred a self-inflicted data breach affecting 145,000 individuals. At that point, each individual received a letter in the mail notifying them of the data breach which got the attention of several media outlets and eventually became national news. Fifteen years later, every state, including Washington D.C. all have their own set of security breach notification laws.

What Are Security Breach Notification Laws?

First, let’s define what constitutes a security breach: “the unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromised the security, confidentiality, or integrity of personal or protected information.”

Put in Layman’s terms, a security breach occurs when a hacker (or unauthorized individual) gains access to a company’s or individual’s data with or without the intent to use it for monetary or malicious purposes.

The purpose of a security breach notification law is to require companies to notify the public and/or its customers as well as consumer reporting agencies when they incur a data breach. Within the security breach notification law is the notification obligation which for the state of South Dakota states: “any information Holder that discovers or is notified of a breach of system security much notify affected individuals and consumer reporting agencies.” Furthermore, the entity must give notice to the affected individuals and consumer reporting agencies no later than 60 days from when the Information Holder discovered or is notified of a breach. It must be noted that notice is not required if, following appropriate investigation and notification to the Attorney General, the Information Holder reasonably believes the incident will not result in harm to affected individuals.

Federal Breach Notification Requirement

While there are security breach notification laws in effect for all 50 states, there is also a federal breach notification requirement issued by Health and Human Services (HHS). The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as part of the American Recovery and Reinvestment Act of 2009. The HITECH Act requires health care providers, and other Health Insurance Portability and Accountability Act (better known as HIPAA) covered entities to promptly notify affected individuals of a breach. If the breach exceeds 500 individuals, providers are also required to notify the HHS Secretary and the media. Breaches affecting less than 500 individuals will be reported to the HHS Secretary on an annual basis. Lastly, the regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

What Are My State’s Security Breach Notification Laws?