By Joseph J. Lazzarotti, Jason C. Gavejian and Maya Atrakchi
The nation’s patchwork of state data breach notification laws is now complete. All 50 states, as well as the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have enacted breach notification laws requiring private organizations or government entities to notify individuals of a security breach involving their personally identifiable information.
The last two states, Alabama and South Dakota, enacted breach notification statutes in March. The Alabama Data Breach Notification Act of 2018 goes into effect on May 1, 2018. The South Dakota law will take effect on July 1, 2018.
Additionally, many other states, in response to trends, heightened public awareness, and a string of large-scale data breaches, have continued amending their existing laws. This means data breach notification laws change frequently and keeping up with them can be a challenge.
The first state data breach notification law was enacted in 2002 in California. It soon became the model for other states’ breach notification laws. In addition, the U.S. Department of Health and Human Services Office of Civil Rights (OCR) adopted a similar structure for covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Find out more about the specific provisions that will affect your state by clicking below.