CSO Maps State-By-State Data Breach Disclosure Laws

CSO has produced an interactive U.S. map that shows what’s required of companies that suffer a data breach in the 38 states that care enough about consumer rights to have passed disclosure laws. Most are modeled after California’s strict SB1386 anti-ID theft law, but now you can tell at a glance what your state is doing about the issue—and in most cases you can click on the icon in the pop-up info box to see a copy of the actual law.

In a related article, CSO talks to a data breach disclosure law expert about what’s going on at the federal level, where there are at least eight different proposed laws bouncing around D.C.

Forsheit: I really can’t tell you why it’s taking so long. There was a sense with the new Congress that there was a greater likelihood something would pass. It’s just not clear why it hasn’t. Clearly people are concerned with ID theft. It’s mostly a bipartisan issue, so you see a lot of consensus. There are some disputed aspects, like whether notification should be mandated–as it is in many states–with any unauthorized acquisition [of data], as opposed to there being a higher threshold trigger. But those can be worked out.

CSO: What about the 11 states that don’t yet have laws? Are they waiting for a federal bill?

Forsheit: In some of those states, there have been proposals that just haven’t made their way through. If we don’t see federal legislation soon, those remaining states will likely enact some law.

“Data Breach Notification Laws, State By State” [CSOonline]

“CSO Disclosure Series | What’s Next with Disclosure Legislation?” [CSOonline]


  1. azntg says:

    Rhode Islanders seem to have it best, having private right of action plus a civil/criminal penalty for failure to disclose!

  2. darkclawsofchaos says:

    @azntg: Not to mention having the best Highway Patrol around.

  3. Imhotep says:

    California is strict? There’s NO civil or criminal penalty for failure to disclose. Hawaii’s looking real good right about now.

  4. phripley says:

    What law pertains:

    Are the companies bound by the laws of the state(s) …where they have operations?

    …where they are headquartered?

    …or where their customers are located?

  5. Anitra says:

    I looked through the page but couldn’t find this – what is “private right of action”? Is that saying that people whose data have been stolen can sue?

  6. Barry Zuckerkorn, Esq. says:

    @Anitra: Yes, “private right of action” means that the person whose data was stolen can sue the company for failing to inform him or her as required by the statute. In the states that do not have a private right of action, usually the company can still be found liable in a lawsuit brought by the state attorney general.

  7. rhombopteryx says:

    Awesome, according to the map, every single federal law would preempt stronger state laws and prevent identity theft victims from suing the person who leaked the data!
    That means every Senator or Congressperson who sponsored one of the bills thinks their own state legislature is too stupid to pass a good law, so they’re stopping them.

    Congress cares! (about their banking and data mining corporate contributors who have sloppy data protection…)

  8. XTC46 says:

    @Imhotep: I’m in Hawaii and work as a computer tech with a specialty in information and data security. I just quit a company on art because they refused to take the recommended steps to protect confidential medical data and I didn’t want to be in a position where civil and criminal charges could be brought against a company where I was responsible, in part, for the protection of that data. It is great for consumers and people in general, because laws like this force companies to take responsibility for the data they hold.