Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws

Common Structure of State Breach Laws

Despite differences, state breach laws share three building blocks: key terms (personal information, covered entities, security breach), notification requirements (who/when/what/how), and enforcement (penalties and private rights of action).

Key terms - definition of personal information (the data elements that trigger reporting), covered entities, and security breach (including whether a risk-of-harm analysis is allowed)
Notification requirements - whom to notify, when, what to include, how, when to notify the state attorney general or agencies, when to notify consumer reporting agencies, exceptions, and permitted delays
Enforcement - penalties and private rights of action

← The Absence of a Federal Breach Law Breach Laws: Defining Personal Information →