State Data Breach Notification Laws – Overview of Requirements for Responding to a Data Breach Updated June 2017

With the ever-changing complexity of state data breach notification laws, companies facing a data breach need resources that will help them understand the issues.  This summary provides an overview of the similarities and differences in data breach laws adopted in 48 states and the District of Columbia.  

As reflected in this summary, laws may differ as to the information defined as “personal” or “sensitive” and the triggers for notification.  Many states require that specific content beincluded in notices, and those requirements differ.  In addition, several states impose obligations to notify certain state agencies in some or all cases. 

Because privacy is a politically popular topic for legislators, laws continue to evolve and change.  It is important to confirm that no changes have been made to relevant laws whenever you deal with a data breach.  While this summary focuses on data breach notification obligations, many state laws also impose specific data security requirements for companies that handle personal information, which should also be consulted.  

This summary is intended to provide general information about applicable laws, and does not constitute legal advice regarding specific facts or circumstances.  

For more information on privacy and data security matters, please contact us:

Sheila Millar (+1 202.434.4143, millar@khlaw.com)

Tracy Marshall (+1 202.434.4234, marshall@khlaw.com)