CIPP/US Study Guide
Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws

Breach Laws: Security Breach and Risk-of-Harm

A security breach is generally unauthorized access to or acquisition of computerized personal data that compromises its confidentiality, security, or integrity. Nearly all states apply a risk-of-harm analysis, often excusing notice where harm is not reasonably likely.

The definition typically covers unauthorized access to or acquisition of electronic files or computerized data containing personal information that compromises confidentiality, security, or integrity, where the data was not secured by encryption or rendered unreadable/unusable.

Nearly all states apply a risk-of-harm analysis. An incident is commonly excluded where it is not reasonably likely that harm (identity theft, fraud, or financial loss) will result. The risk language may sit in the definition of “security breach” or in the notification requirements.

States without risk-of-harm

The text notes that California, Georgia, Illinois, Minnesota, North Dakota, and Texas do NOT include a risk-of-harm analysis. In those states you cannot rely on a “no likely harm” argument to avoid notice.

Key terms - quick answers

What is “Security breach”?
Unauthorized access to or acquisition of computerized data containing personal information that compromises its confidentiality, security, or integrity and is not protected by encryption or similar means.
What is “Risk-of-harm analysis”?
An assessment of whether an incident is reasonably likely to cause harm (such as identity theft or fraud); many states excuse notification when harm is unlikely.