CIPP/US Study Guide
Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws

Breach Laws: Defining Personal Information

In most states, personal information means a person's first name or first initial and last name combined with at least one of: SSN, driver's license/state ID number, or a financial account/credit/debit card number (often with the access code). About two-thirds of states add more elements, and almost all states exclude publicly available information.

The majority definition: first name or first initial and last name in combination with one or more of (1) Social Security number; (2) driver's license or state ID number; or (3) financial account number or credit/debit card number, often with the security/access code or password needed to access the account.

Approximately two-thirds of states add elements such as medical and health care information, any federal or state identification number, unique biometric data, tax information, and mother's maiden name. Almost all states exclude publicly available information.

Key terms - quick answers

What is “Personal information (breach law)”?
Generally a person's name plus a sensitive data element (SSN, driver's license/state ID number, or financial account/card number) whose exposure triggers notification duties.