CIPP/US Study Guide
Chapter 5: Federal and State Regulators and Enforcement of Privacy Law

State Breach Notification, SSN Protections, and Identity Theft Laws

California enacted the first breach law in 2002; all 50 states now have one. Breach-law personal information centers on a name combined with an SSN, driver's license or state ID number, or financial account number. States also protect SSNs, and all 50 have identity theft laws; FACTA preempted much state credit-report law but left states the authority to enact identity-theft laws.

Breach-law personal information

In most state data breach notification laws, personal information means an individual's first name or initial and last name combined with one or more of: (1) Social Security number; (2) driver's license or state ID number; or (3) financial account, credit, or debit card number. This is narrower than the comprehensive-law definition.

California enacted the first breach notification law in 2002; every state followed. Many laws require reports to state AGs and give AGs enforcement authority if the breach reveals inadequate security controls. States also protect SSNs; for example, California bars businesses from publicly posting them or requiring their transmission over an unencrypted connection.

In 2003, FACTA amended the FCRA and preempted many state credit-report laws, but states retained power to enact identity-theft laws. All 50 states have identity-theft laws, and more than half permit restitution for victims.

Key terms - quick answers

What is “Data breach notification law”?
A state law requiring notice when defined personal information is breached; California enacted the first in 2002 and all 50 states now have one.
What is “Social Security number”?
A nine-digit federal identifier tied to the Social Security Act of 1935 that became a de facto identifier and a key target in identity theft.
What are “Identity theft laws”?
State laws addressing identity theft; all 50 states have them and more than half permit restitution for victims.