All 50 states, the District of Columbia, Guam, Puerto Rico, and the US Virgin Islands have enacted legislation requiring both public and private entities to notify affected individuals and state Attorneys General of security breaches that involve personal information.  These laws generally contain provisions defining the applicable scope of a breach; the type of information that, if breached, triggers notification; the content, method, and timing of the notification; and any exemptions to the above.

The scope of information covered by breach notification laws vary by state.  They often include Social Security Numbers, driver’s license numbers, and financial account information.  Several laws – namely those in California, New York, and Vermont – also include biometric or genetic information when combined with other identifying information, and unencrypted username, email, and password information.  Like the key elements that trigger a notification, the precipitating event – the security incident – ranges from the unauthorized acquisition to unauthorized access.

Several state data breach notification laws require covered entities to implement reasonable information security measures or provide a safe harbor to those entities that have a cybersecurity program.  For example, Ohio’s data breach notification law provides a safe harbor for covered entities that adopt and comply with a written cybersecurity program that provides for administrative, technical, and physical safeguards in accordance with industry-recognized cybersecurity frameworks.¹