New Guide on State Data Breach Laws

What are the current data breach laws across U.S. states and territories?

Where can the references be seen? How are the specific details different?

When are organizations required to notify the public?

Who is regulating compliance?

According to the National Conference of State Legislatures (NCSL), legislation has been enacted by all 50 states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands that requires private entities or government agencies to notify individuals who have been impacted by security breaches that may compromise their personally identifiable information.

You can see the complete state-by-state data breach guide here.

According to the state data breach guide’s introduction:

“These laws typically define what is classified as personally identifiable information in each state, entities required to comply, what specifically constitutes a breach, the timing and method of notice required to individuals and regulatory agencies, and consumer credit reporting agencies, and any exemptions that apply, such as exemptions for encrypted data.

Entities that conduct business in any state must be familiar with not only federal regulations, but also individual state laws that apply to any agency or entity that collects, stores, or processes data pertaining to residents in that state. While the laws in many states share some core similarities, state legislators have worked to pass laws that best protect the interests of consumers in their respective states. As a result, some states have much more stringent laws or more severe penalties for violations. …”

This infographic summarizes some of the key findings:

Infographic by Digital Guardian

Background on Data Breach Guide

For more context on this research, I contacted Ellen Zhang, Web marketing coordinator for Digital Guardian as well as Greg Funaro, director of corporate communications for Digital Guardian. Here were the responses:

Dan Lohrmann (DL): When was this work recently completed?


*** This is a Security Bloggers Network syndicated blog from Lohrmann on Cybersecurity authored by Lohrmann on Cybersecurity. Read the original post at: