breach notification

Subscribe to breach notification via RSS

We thought it might be helpful to provide citations to the 37 state (plus D.C. and Puerto Rico) breach notification laws that cover private entities (Oklahoma’s law, that only addresses state agencies, is not included). We also provide links, or uploaded copies, where available.

Lawmakers in six states have responded quickly to the massive data breach at TJX Companies, Inc. with various bills designed to strengthen merchant security and/or render companies liable for third party companies’ costs arising from data breaches. These latest bills – introduced in California, Connecticut, Illinois, Massachusetts, Minnesota and Texas – represent a new front of state legislative activity to regulate privacy and data security and expand requirements beyond the current data breach notification and data security laws that many states have enacted in recent years. To date, Minnesota is the only state to enact such legislation, which was signed into law by its Governor on May 21, 2007.

Under legislation recently proposed in California, retailers doing business in the state would be subject to enhanced data destruction requirements, and all businesses would be affected by new data breach notification requirements.  In the wake of the TJX Companies data breach, which may have affected more than 46.2 million credit and debit cards, California Assemblyman Dave Jones introduced revised A.B. 779.  That legislation reiterates that retailers are subject to the same data safeguard requirements as other businesses that maintain customer records or own or license personal information, while significantly truncating the period of time retailers may retain personal information of customers.  The bill also would revise the data breach notification laws applicable to all businesses that own or license personal information.