Following is an updated list of citations to state data breach notification laws. We also note that as of January 1, 2008, California’s data breach notification law, Civil Code § 1798.82, will include “medical information” and “health insurance information” in the definition of personal information. Also, any business “maintained for the purpose of managing medical information” must comply with the prohibitions of California’s Confidentiality of Medical Information Act, effective January 1. These changes were enacted through A.B. 1298, signed by Governor Schwarzenegger on October 14, 2007.
Security Breach Notification Laws
Governor Schwarzenegger Says No to California A.B. 779
On Saturday, California Governor Arnold Schwarzenegger vetoed AB 779, legislation that would have amended California’s landmark data security breach legislation. The bill would have been the first to follow a law enacted by Minnesota earlier this year, effective August 1, 2007, that amended Minnesota’s security breach notification law by, among other things, prohibiting businesses from retaining certain payment card data after authorization of a transaction.
…
Massachusetts Is 39th State to Mandate Breach Notification
Massachusetts is now the 39th state to enact a personal data breach notification law. On August 2, Governor Deval Patrick signed the law, requiring that businesses and government agencies notify residents of data breaches in certain situations.
…
Breach Law Data
We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, which only addresses state agencies, is not included). We also provide links, or uploaded copies, where available.
…
Oregon Becomes 38th State to Adopt Breach Notification Law
On July 12th, Oregon Governor Theodore R. Kulongoski signed into law S.B. 583, an omnibus data security bill scheduled to take effect on October 1. Oregon is the 38th state to enact a breach notification law.
…
Consumer Unable to Demonstrate Injury Based on Credit Monitoring Costs in Data Breach Case
A recent decision from the Southern District of Ohio echoes prior decisions of district courts addressing negligence claims against companies that have experienced a data breach. The court held that the cost of obtaining credit monitoring services does not count as damages without evidence of identity fraud. Kahle v. Litton Loan Servicing LP, case no. 1:05cv756.
…
In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States
Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.
New York Attorney General Tags Worker’s Compensation Claims Service Provider for Seven Week Delay in Security Breach Notification
On April 26, 2007, New York Attorney General Andrew Cuomo announced that his office entered into a settlement with CS STARS LLC for violating the state’s Information Security Breach and Notification Law, which is codified at N.Y. Gen. Bus. Law § 899-aa. Cuomo’s office targeted CS STARS for delaying, for seven weeks, the issuance of legally required notification regarding the theft of a computer which contained the personal information of approximately 540,000 worker’s compensation recipients.