Data breach notification laws by state: How to notify, who to notify and when

Cyber hackers have become smarter, making it difficult for companies to keep up with the best data protections and to adhere to data privacy laws. It’s common to see companies that pour all of their focus solely into data breach prevention. However, the companies that are ready on all data security fronts also prioritize data breach response planning. These organizations realize that it’s not necessarily a matter of whether or not a breach will happen, but instead, when it happens and how prepared they are to react swiftly.

Data privacy laws and regulations have become increasingly more comprehensive in the U.S. with the enactment of the CCPA, the NY SHIELD Act and most recently, the voting in of CPRA. This is why it’s recommended for organizations to become privacy-forward and build out security strategies that involve data breach notification response plans, especially to avoid penalties for non-reporting. Here, we cover data breach notification laws in the U.S. along with the key pieces of information organizations need to know about them.

Do all states have data breach notification laws?

All 50 U.S. states have laws that require business entities to notify individuals when their personally identifiable information (PII) has become compromised due to a data breach. No matter what state a company does business in or that their customers reside in, organizations have a legal obligation to provide data breach notifications to anyone whose data gets compromised by an unauthorized party.

Each state will have different requirements, exemptions and guidelines for data breach notifications, however. Some states may not have comprehensive legislation, while other states, like California, are much more stringent about data privacy and security.

Which states have the toughest data breach notification laws?

To check the specifications of each state’s data breach notification requirements, the chart provided by the National Conference of State Legislatures is a good starting point. It’s important to note that this chart does not include each state’s laws regarding privacy and data breach notification laws of personal student data.

There are some states that arrived a bit later at developing and passing data breach notification laws, like Alabama, which became the last state to add this protection in 2018. On the other hand, there are states like California that have more robust protections in place. Here, we highlight a few states with the toughest notification laws that you should be aware of.

California data breach notification laws

The CCPA was a groundbreaking law that has set a new standard for data privacy and protection across the U.S. Even more recently, the CPRA, which is sometimes referred to as CCPA 2.0, has been passed.

As far as data breach notification goes, California’s civil code (ARTICLE 7. Accounting of Disclosures [1798.29]) requires that entities disclose any breach of their system’s security to any California resident whose PII was either disclosed or reasonably believed to be compromised by an unauthorized person. This CCPA breach notification must be issued as immediately as possible without unreasonable delay.

Delaware data breach notification laws

Delaware requires that any commercial website, cloud computing service, or mobile application that collects the PII of Delaware residents must make their privacy policies prominently available for users to view.

Delaware’s obligations are similar to that of California but with an interesting stipulation: notification is not required if a business determines (after an appropriate investigation) that the breach is unlikely to result in any harm to the individuals whose PII have been breached.

If an organization needs to notify more than 500 Delaware residents, it also needs to provide notice of the breach to the attorney general. Another requirement (TITLE 6 – CHAPTER 12B. Computer Security Breaches) is that if the data breach includes social security numbers, the business needs to offer each Delaware resident whose PII was breached, or reasonably believes to have breached, free credit monitoring services for one year (see § 12B-102 Disclosure of breach of security; notice).

Illinois data breach notification laws

Illinois is considered a state with tougher privacy laws because they have detailed biometric laws. In 2008, the state of Illinois required consent for collection of sensitive biometric information, like fingerprints or retina scans.

In terms of data breach notification laws, Illinois’ are extensive. Similar to Delaware, if more than a certain number of residents needs to be notified, a business must also provide notice to the attorney general. The notice to anyone affected must be a written notice or electronic notice.

In some cases a substitute notice (see (815 ILCS 530/) Personal Information Protection Act) is available to businesses that:

  • Demonstrate that the cost of providing notice would exceed $250,000
  • Have a quantity of affected individuals exceeding 500,000, or
  • Lack sufficient contact information

Substitute notices can include notification to major statewide media or prevalent posting of the notice on the business’s website.

Which states require credit monitoring for data breaches?

Credit monitoring is a service that keeps track of and notifies individuals of any changes to their credit history. While it’s not yet required by every state, companies often provide credit monitoring to their data breach victims to help ensure stolen personal data isn’t being misused. In the case attempted identity theft is identified, individuals can respond quickly to prevent further damage. If not addressed in a timely manner, it could have ruinous repercussions on both the victim and the entity that experienced the breach. Some changes that credit monitoring services keep track of include:

  • Hard credit inquiries, as this could mean someone is applying for credit in your name
  • Any new accounts opened in your name
  • Balances and payments on your credit cards
  • Updated addresses or name changes to your credit file
  • Personal information, such as your Social Security number, email address and passwords, found on the dark web

Currently, the only states mandating credit monitoring for data breaches are California, Delaware and Massachusetts, which also requires business entities to certify their credit monitoring services are compliant with state law and provide proof to the attorney general and director of consumer affairs and business regulation. In Minnesota, legislation requiring credit monitoring services is pending. In Pennsylvania, legislation mandating free credit monitoring for data breach victims exists, but it only applies to credit and consumer reporting agencies in the commonwealth. While Virginia doesn’t require businesses to provide credit monitoring services to breach victims, it does require that data breach notifications sent to residents offer advice about free credit monitoring, which the state will then assist in providing to interested individuals.

What should businesses do to prevent and prepare for data breaches?

Credit monitoring service is the last layer of protection businesses can offer to their consumers, but once sensitive data has fallen into the wrong hands, there’s no way to guarantee it won’t be misused. Thus, a business’s main goal should be preventing a data breach from ever happening in the first place. Below are key questions for an organization to ask, followed by core actions to take, when creating an appropriate data security strategy.

Are you prepared to handle a data breach notification? Key questions

Some of the questions that an organization should answer when creating a data privacy and security strategy that address data breach notification are:

  1. Where does all of my organization’s data currently reside?
  2. Who in the organization has access to sensitive data? What permissions do they have?
  3. How are we monitoring our sensitive data? Are we able to get insights in real-time across our on-premise networks and cloud platforms?
  4. How quickly can we respond to a potential breach? Do we have standardized communications and workflows that make us agile?
  5. Which compliance laws apply to our business? What are the legal, financial, and reputational ramifications of being non-compliant?
  6. What is our current sensitive data footprint and how does that translate into our potential risks?
  7. Core Actions

    When an organization begins thinking about these key questions, they will find that there are a few core actions that can bring their business to a better place. These include:

    1. Sensitive Data Discovery

    This process provides companies with a detailed account of how much sensitive data they have acquired, where it all resides and who has access to it. Without this step, you’ll find that there are many missing pieces while developing your overall data security strategy.

    2. Data Policies and Workflows

    To react quickly and efficiently, your organization’s security team needs to be aligned. Creating a data governance plan or data security policies will better enable your staff to work smoothly with one another and take ownership over their designated responsibilities for your organization’s data privacy efforts. While creating policies, it’s a good idea to create workflows, and an even better idea to automate those workflows.

    3. Real-Time Risk Remediation

    When a data breach occurs, time is of the essence. Using a tool that not only monitors and notifies you of suspicious activity, but that is also built to act with a remediation task when a breach occurs, is pivotal.

    How Spirion can help you manage data breach responses

    Spirion’s Data Privacy Manager features all of the key components that a business needs to prevent a data breach and quickly respond in the event of one. It’s an all-in-one solution that empowers organizations with robust sensitive data discovery, real-time data monitoring and risk remediation, and automated workflows. To see how Data Privacy Manager works, request a free demo.