CSO has produced an interactive U.S. map that shows what’s required of companies that suffer a data breach in the 38 states that care enough about consumer rights to have passed disclosure laws. Most are modeled after California’s strict SB1386 anti-ID theft law, but now you can tell at a glance what your state is doing about the issue—and in most cases you can click on the icon in the pop-up info box to see a copy of the actual law.
In a related article, CSO talks to a data breach disclosure law expert about what’s going on at the federal level, where there are at least eight different proposed laws bouncing around D.C.
Forsheit: I really can’t tell you why it’s taking so long. There was a sense with the new Congress that there was a greater likelihood something would pass. It’s just not clear why it hasn’t. Clearly people are concerned with ID theft. It’s mostly a bipartisan issue, so you see a lot of consensus. There are some disputed aspects, like whether notification should be mandated–as it is in many states–with any unauthorized acquisition [of data], as opposed to there being a higher threshold trigger. But those can be worked out.
CSO: What about the 11 states that don’t yet have laws? Are they waiting for a federal bill?
Forsheit: In some of those states, there have been proposals that just haven’t made their way through. If we don’t see federal legislation soon, those remaining states will likely enact some law
“Data Breach Notification Laws, State By State” [CSOonline]
“CSO Disclosure Series | What’s Next with Disclosure Legislation?” [CSOonline]