With last month’s passage of the Alabama Data Breach Notification Act of 2018 (SB 318), all 50 states will have laws requiring companies to notify individuals when their personal information is exposed as a result of a data breach. It has been 15 years since the first data breach notification law passed in California, and this milestone is worth celebrating as a strong statement from the people of the United States that we care about our privacy.
While this should be a time for celebration, it is also a time to remind ourselves that the fight for privacy rights is far from over. Even though all 50 states now require some form of data breach notice, the laws are not created equal. People must be notified when their personal information is breached, but definitions of "personal information" vary widely from state to state. In most states, you will receive notice when electronic records containing your personal information are breached, but only eight states require it when paper records are compromised. In some states, though not most, companies that experience a data breach must also notify the state attorney general's office. In others, if reporting to the state is required at all, it may not be triggered unless a minimum number of records (250, 500 or 1,000) are breached.
Along with the many state-to-state legal discrepancies, active attacks on privacy rights continue to underscore the need to fight. For example, Senate Bill 220 in Ohio would provide a loophole for companies to avoid paying for their negligence in a data breach. Easing up on privacy protections in a post-Equifax-breach world is wholly unacceptable. We deserve strong privacy protections for all, and must continue to push forward!