DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Resource: U.S. State Data Breach Notification Laws

Posted on April 19, 2024 by Dissent

There’s an update to Foley & Lardner’s resource on U.S. state data breach notification laws. They explain what their resource applies and what it doesn’t apply to:

While most state data breach notification statutes contain similar components, there are important differences, meaning a one-size-fits-all approach to notification will not suffice. What’s more, as data breaches continue to rise, states are responding with increasingly frequent and divergent changes to their statutes, creating challenges for compliance. Organizations must make it a priority to monitor these changes to prepare for and respond to data breaches.

For a summary of basic state notification requirements that apply to entities who “own” data, download Foley’s State Data Breach Notification Laws Chart. This chart is current as of April 11, 2024, and should be used for informational purposes only because the recommended actions an entity should take if it experiences a security event, incident, or breach vary depending on the specific facts and circumstances.

This chart does not cover non-owners of data. If you do not own the data at issue, consult the applicable laws and contact legal counsel. This chart also does not cover:

  • Exceptions based on compliance with other laws, such as the Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA).
  • Exceptions regarding good faith acquisition of personally identifiable information (PII) by an employee or agent of an entity for a legitimate purpose of the entity, provided there is no further unauthorized use or disclosure of the PII.
  • Exceptions regarding what constitutes PII, such as public, encrypted, redacted, unreadable, or unusable data. The chart indicates whether a safe harbor may be available for data that is considered public, encrypted, redacted, unreadable, or unusable, but the specific guidance will vary based on the circumstances. For example, some states have a safe harbor only for data that is encrypted, whereas other states may have a safe harbor for data that is encrypted or public.
  • The manner in which an entity provides actual or substitute notification (e.g., via email, U.S. Mail, etc.).
  • Requirements for the content of the notice.
  • Any guidance materials issued by federal and state agencies.
  • A comprehensive assessment of all laws applicable to breaches of information other than PII.

Related posts:

  • Resource: State Data Breach Notification Laws – June 2025
  • NY: A.G. Schneiderman Proposes Bill To Strengthen Data Security Laws, Protect Consumers From Growing Threat Of Data Breaches
Category: LegislationState/LocalU.S.

Post navigation

← Medical records of millions stolen in Turkish state hospital data leak
Hong Kong private hospital given 4 weeks to submit report over US$10 million ransomware attack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni
  • Detaining Hackers Before the Crime? Tamil Nadu’s Supreme Court Approves Preventive Custody for Cyber Offenders
  • Potential Cyberattack Scrambles Columbia University Computer Systems
  • 222,000 customer records allegedly from Manhattan Parking Group leaked
  • Breaches have consequences (sometimes) (1)
  • Kansas City Man Pleads Guilty for Hacking a Non-Profit
  • British national “IntelBroker” charged with causing $25 million in damages; U.S. seeks his extradition from France
  • France issues press statement about arrest of ShinyHunters members
  • Patients Allege Home Delivery Pharmacy Failed to Timely Notify Them of Data Breach

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data
  • Sacred Secrets: The Biblical Case for Privacy and Data Protection
  • Microsoft’s Departing Privacy Chief Calls for Regulator Outreach
  • Nestle USA Settles Suit Over Job-Application Medical Questions
  • NY Attorney General James Affirms Hospitals Must Provide Access to Emergency Abortion Care
  • How Internet of Things devices affect your privacy – even when they’re not yours

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.