Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws
State Breach, Security, and Destruction Laws: The Landscape
All 50 states have data breach notification laws, and many states layer on data security laws and data destruction laws. With no comprehensive federal breach law enacted, national companies must comply with all 50 state regimes.
Companies across every industry collect and process large amounts of personal data, making them targets for bad actors. When unauthorized persons gain access to that data, data breach notification laws are triggered. The spread of these laws to all 50 states over two decades has materially raised the priority and budget given to information security in the private sector.
The chapter covers three distinct families of state law: breach notification (disclose after a breach), data security (prevent a breach), and data destruction (prevent a breach at the end of the data life cycle by securely disposing of data).
⚠️ Two different 'personal information' definitions
State comprehensive privacy laws and state breach notification laws both define 'personal information,' but the definitions differ. Comprehensive privacy laws limit what authorized entities may do with data; breach laws aim to prevent fraud and identity theft by unauthorized users. Do not assume one definition carries over to the other.
Key terms - quick answers
What is “Data breach notification law”?
A state law requiring entities to disclose to affected individuals (and often regulators) when personal information is accessed by an unauthorized party.
What is “Data security law”?
A state law requiring companies to develop and maintain appropriate security measures to protect personal information, often under a reasonableness standard.
What is “Data destruction law”?
A state law requiring companies to dispose of personal information at the end of its life cycle so it is no longer readable or decipherable; also called a data disposal mandate.