Data Breach Notification in the United States 2022 Report

Data Breach Notification in the United States and Territories

Given the daily barrage of data breaches impacting consumers, Americans are increasingly demanding stronger privacy protections. In 2002, California was the first state to recognize the need for individuals to be made aware when their data is exposed in security incidents by passing the world's first security breach notification law, California Senate Bill 1386 (supported at the time by Privacy Rights Clearinghouse!). In 2018, South Dakota and Alabama finally became the 49th and 50th states, respectively, to enact data breach notification statutes to protect their residents.

However, five years later, not everyone enjoys the same level of protection in their respective state. Each year, we closely analyze each data breach notification statute along key provisions, allowing us to identify disparities in the level of protection that each statute affords. Download our report and use our interactive dashboard (or the underlying database) to compare states' data breach notification statutes against one another and across key metrics.


About this research:

Our analysis approaches data breach notification from a consumer privacy perspective. For each state we ask the following:

Personal Information: 

  • Does the definition of PII cover biometric information? 
  • Does the definition of PII cover passports?   
  • Does the definition of PII cover medical information?  
  • Does the definition of PII or Breach cover paper records?   
  • Does the definition of PII or Breach cover deidentified information? 
  • Does the definition of PII or Breach explicitly cover publicly available information? 
  • Does the definition of PII or Breach cover encrypted information?  
  • If yes, does it only cover encrypted information if the decryption key was or is likely to have been exposed?  

Covered Entity: 

  • What entities are covered? 
  • Does the law cover businesses and individuals?  
  • Does the law cover state government agencies?  
  • Does the law cover local government agencies?  

Notification Trigger: 

  • Are there permitted delays for notification? 
  • Does the notification requirement trigger immediately after discovery of the breach, or only after an investigation of some kind? 
  • Is there a risk-of-harm trigger for notification (i.e., is notification only required if the entity determines there was a likelihood of harm resulting from the breach)? 
  • Is there an exception to the notification requirement if the entity is complying with other laws (HIPAA, GLB, etc.)? 
  • What are the time limits for notification once it is required? 
  • Does the law specify how notification must be given? 
  • Does the law permit notification by email? 
  • Does the law permit notification by physical mail? 
  • Does the law permit notification by fax or other methods? 
  • Does the law specify what must be included in the notice? 
  • Is there an exception to the notification requirement if the entity maintains its own notification procedures that meet a certain threshold? 
  • Does the law require notifying consumer reporting agencies? 
  • Does the law require notifying the individual? 
  • Does the law require reporting to the Attorney General or a government agency under certain conditions? 

State Transparency: 

  • Does the state require reporting to an attorney general or state agency? 
  • If yes, does the agency publish the breach reports it receives? 
  • Does the state require reporting to Consumer Reporting Agencies? 
  • If yes, how many affected residents are needed to trigger Consumer Reporting Agency notification? 

Enforcement: 

  • Does the statute include a private right of action? 
  • Does the statute include stipulated damages?