Cyber Security Institute

Wednesday, February 20, 2008

Data Breach Notification Laws, State By State

Five years after California's landmark SB 1386, this interactive map shows which 38 states have passed laws requiring companies to notify consumers whose personal information has been compromised. More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when the company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it applies only to state entities that have lost data. That leaves 38 states that have enacted some form of breach disclosure law.

The logical answer to keeping your network and systems secure is to keep unhealthy or unauthorized users off the network in the first place. Encryption may seem like an easy fix, but there is no easy answer to this complicated problem. In general, most state laws follow the basic tenets of California's original law: companies must immediately disclose a data breach to the affected customers, usually in writing. Laws in other states are tough too, but some allow more exemptions or do not provide a private right of action.

When you click on a state on the map, you'll see highlights of that state's law, including the specific points where it differs from the California law.

For example, the Massachusetts law pertains to paper records as well as computer data, as noted in the box. In California there is no such thing as an immaterial breach, while other states do define an immaterial breach and exempt it from notification.

Posted on 02/20