Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws
Exceptions to Notification
Three exceptions excuse notice: an entity subject to a more stringent law (e.g., HIPAA or the GLBA Safeguards Rule), an entity following its own compatible policy, or data within the encryption safe harbor. The encryption safe harbor typically fails if the decryption key is breached too.
- Entities subject to another more stringent breach law - e.g., HIPAA (Chapter 8) or financial institutions under the GLBA Safeguards Rule (Chapter 9)
- Entities following their own notification policy, if compatible with the state law
- Data within the safe harbor - encrypted, redacted, unreadable, or unusable
The key must stay secure
All state breach laws include an encryption safe harbor, but it typically applies only when the decryption key remains secure. Some laws, such as Illinois's, make explicit that the exception does not apply when the decryption key is breached along with the encrypted data.
Key terms - quick answers
What is “Encryption safe harbor”?
A provision excusing breach notice where data was encrypted, redacted, or rendered unreadable/unusable - generally only if the decryption key was not also breached.
What is “GLBA Safeguards Rule”?
A Gramm-Leach-Bliley Act rule for financial institutions; entities compliant with it may be exempt from a state breach law under the more-stringent-law exception.