Forty-seven states and the District of Columbia have laws dealing with data breach notification, according to the National Conference of State Legislatures.
California was the first state to enact such a law in 2002, according to Pam Greenberg at the NCSL. The 2005 ChoicePoint data breach — which affected 163,000 consumers — spurred a number of additional state laws, according to Greenberg. She said 22 states enacted laws just that year.
“Although they have similarities, they’re not all the same,” Phyllis B. Sumner said about the 47 state laws. Sumner is a partner at the law firm King & Spalding who leads the firm’s data, privacy and security practice, which represents clients on the issue of data breaches.
“They have different timing requirements, different requirements as to who must be notified, different notification content requirements and even what actually triggers the notification,” she said.
A couple examples of differences, according to Sumner:
Whether notification is limited to electronic data breaches or also covers events that occur with paper documents.
Whether state attorneys general need to be notified.
Sumner said there are similarities as well. Many states have similar definitions of what would constitute the personally identifiable information that would trigger a company’s obligation to notify consumers, for example.