In large security incidents, the differences among state breach notification laws usually do not come into play. In smaller matters, where individuals in only a few states are potentially affected, the differences sometimes result in having an obligation to notify individuals in some states but not others. And states have been active in amending their notification laws, creating even more differences. Maryland started off 2018 with an amended breach notification law, and Arizona, Colorado, Connecticut, Delaware, Iowa, Louisiana and Oregon followed suit. Also this year, the final two states without data breach notification laws, Alabama and South Dakota, passed a law.
Colorado’s amended law, effective September 1, 2018, highlights the issues where new and revised laws are creating differences. Many of the initial breach notification laws narrowly defined personal information in this way: a person’s name combined with one of three data elements — Social Security number, driver’s license number, or financial account/payment card number. Colorado’s amended law, similar to 30 other states with broader definitions, now defines personal information as also including any student, military, or passport identification number; medical information; health insurance identification number; biometric data; and username or email address, in combination with a password or security questions and answers, that permit access to an online account.
For years, the BakerHostetler www.dataprivacymonitor.com blog has published two resources: (1) a summary of state notification laws, and (2) a list of key issues (e.g., a list of states with a broader definition of personal information). As we watched the updates to notification laws continue and saw the entities we work with building dedicated internal incident response teams, we thought it was time to enhance our resources for their use. The new Breach Notification Law Interactive Map that we developed combines our two resources into one source with enhanced features. Clicking on a state generates a pop-up that gives you a “Quick Notes” summary, a more detailed summary and a link to the full text of the statute. If you click on one of the “Key Issues Filters,” each state that meets that filter criteria is highlighted.