Data Breach Notification in the United States and Territories: 2021

This report compares each state’s data breach notification statutes along 17 key provisions.

Background

In 2002, California became the first state to recognize the need for individuals to be made aware when their data is exposed in security incidents. In 2018, South Dakota and Alabama became the 49th and 50th states, respectively, to enact data breach notification statutes, effectively granting some level of protection to all United States residents. However, the level of protection varies from state to state.

Method

Data Collection


Findings

Summary

This analysis compares each state's data breach notification statutes along the following key provisions:

  • definition of breach
  • definition of personally identifiable information
  • form of data covered
  • whether the statute covers paper records
  • whether the statute covers encrypted data when the encryption key has been accessed or acquired
  • what entities are covered by the statute
  • whether notification triggers after discovery or after reasonable investigation
  • the time allowed for notification once an obligation is triggered
  • whether there is a risk of harm trigger for notification
  • how consumers are notified
  • what must be included in the notice
  • whom entities must notify
  • whether the state publishes breach data publicly
  • whether individuals have a private right of action for violations
  • whether there are exceptions to the notification obligation if the entity complies with other laws (HIPAA, GLB, etc.)
  • whether there is flexibility in notification if the entity maintains an equivalent or stronger policy
  • penalties for violations

States or Territories That Amended Their Data Breach Notification Laws in 2021

California
Connecticut
Georgia
New York
North Dakota
Oregon
Utah

California

CAL. CIV. CODE § 1798.82 (for businesses)

CAL. CIV. CODE § 1798.29 (for state agencies)

Definition of Breach

Unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person, business, or agency.

Definition of Personally Identifiable Information

(1) An individual's first name or first initial and the individual's last name in combination with any one or more of the following data elements: (a) SSN; (b) driver's license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; (c) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; (d) medical information; (e) health insurance information; (f) unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual (unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes); (g) information or data collected through the use or operation of an automated license plate recognition system; and (h) genetic data, meaning any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material (which includes but is not limited to deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), and uninterpreted data that results from analysis of the biological sample or other source).

(2) A username or email address, in combination with a password or security question and answer that would permit access to an online account.

Form of Data

Computerized.

Paper Records Covered

No.

Encrypted Data Covered When the Encryption Key Has Been Accessed or Acquired

Yes. A breach of encrypted data triggers a notification requirement if the encryption key or a security credential is also acquired by an unauthorized person, and the owner or licensor of the personal information has a reasonable belief that the encryption key or security credential could be used to render the encrypted personal information readable or usable.

Entities Covered

Any person or business that conducts business in CA and that owns or licenses computerized data that includes personal information (§ 1798.82). A parallel requirement applies to any state agency that owns or licenses such data (§ 1798.29).

Notification Obligation Triggers After Discovery or After Reasonable Investigation

Upon discovery or notification of the breach of the security of the system, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Time for Notification Once an Obligation is Triggered

In the most expedient time possible and without unreasonable delay. An entity that maintains, but does not own or license, the data must notify the owner or licensee immediately following discovery of the breach.

Risk of Harm Trigger for Notification Exists

No.

Notification Method

(1) Written notice; (2) electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in Section 7001 of Title 15 of the United States Code; (3) substitute notice, if the person or business demonstrates that the cost of providing notice would exceed $250,000, that the affected class of subject persons to be notified exceeds 500,000, or that the person or business does not have sufficient contact information. Substitute notice shall consist of all of the following: (A) e-mail notice when the person or business has an e-mail address for the subject persons; (B) conspicuous posting, for a minimum of 30 days, of the notice on the internet website of the person or business, if the person or business maintains one; and (C) notification to major statewide media (and to the Office of Information Security within the Department of Technology, if the breached entity is a state agency).

Breach notification letters must be titled "Notice of Data Breach" and present the required information under the following headings: "What Happened," "What Information Was Involved," "What We Are Doing," "What You Can Do," and "For More Information." The title and headings must be clearly and conspicuously displayed using a font size no smaller than 10-point type. S.B. 570 (2015) also provides a model breach notification form which, if used, is deemed to comply with the content requirements for written notification.

Mandatory Notification Items

A security breach notification shall include, at a minimum: (a) the name and contact information of the reporting person or business subject to this section; (b) a list of the types of personal information that were or are reasonably believed to have been the subject of the breach; (c) if it is possible to determine at the time the notice is provided, any of the following: (i) the date of the breach, (ii) the estimated date of the breach, or (iii) the date range within which the breach occurred; the notification shall also include the date of the notice; (d) whether notification was delayed as a result of a law enforcement investigation, if possible to determine at the time the notice is provided; (e) a general description of the breach incident, if possible at the time the notice is provided; (f) the toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed an SSN or a driver's license or CA ID card number; and (g) if the person or business providing the notification was the source of the breach, an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost to the affected person for not less than 12 months, along with all information necessary to take advantage of the offer, where the breach exposed or may have exposed an SSN or a driver's license or CA ID card number.

At the discretion of the person or business, the security breach notification may also include any of the following: (a) information about what the person or business has done to protect individuals whose information has been breached; (b) advice on steps that the person whose information has been breached may take to protect themselves.

Notification Recipients

Any affected resident of CA. If the notifying entity maintains the data but does not own or license it, the owner or licensee of the data.

An entity required to notify more than 500 CA residents as a result of a single breach of the security of the system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General (AG). All insurers, insurance producers, and insurance support organizations must also provide the insurance commissioner with any notices or information submitted to the AG's office.

Attorney General or State Government Publishes Breach Data

Yes.

Private Right of Action Included

No. However, a separate law, the California Consumer Privacy Act (Cal. Civ. Code § 1798.150), includes a limited private right of action when a consumer's personal information has been exposed in a data breach because of the business's failure to implement and maintain reasonable security procedures and practices.

Exception to Notification Obligation Exists if the Entity is Complying with Other Laws (HIPAA, GLB, etc.)

A covered entity under HIPAA will be deemed to have complied with the notice requirements if it has complied completely with HIPAA.

Allows Flexibility in Notification Requirements to Entities that Maintain Their Own Notification Procedures Consistent with the Statute

"A person or business that maintains its own notification procedures as part of an information security policy for the treatment of personal information and is otherwise consistent with the timing requirements" of this law is deemed to comply with the notification requirements if it notifies affected persons in accordance with its own policies.

Additional Exceptions

Notification may be delayed if a law enforcement agency determines that it would impede a criminal investigation, and the timing of notification shall otherwise be consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Penalties for Violations

Any customer injured by a violation of this title may bring a civil action to recover damages. The statute specifically authorizes injunctions against businesses violating it. Class actions are not barred.

Miscellaneous Provisions

Where only online account credentials are breached and no other personal information is involved, notification may be given electronically, directing the person to promptly change the password or security question and answer, or to take other appropriate steps to protect the online account.

If, however, the breach involves login credentials for an email account, a person or business providing the affected email services may not give notice through the breached email account, but must give notice by another permitted method.