Data Breach Notification Statutes

November 5, 2014 | Alerts

Data security is quickly becoming one of the most pressing issues affecting businesses. The security threats are numerous – “hacker attack,” point-of-sale network intrusion (e.g., Target), stolen hard drives and laptops containing customer or employee information – and no company is immune, regardless of its size or its industry. In fact, a recently published research report by the Ponemon Institute found that companies have a nearly 20% chance of suffering a data security breach involving 10,000 or more records over the next 24 months, at an average cost to the company of $201 per record breached.

Organizations are legally required to take specific steps if the security of consumer or employee data they are holding is compromised. One of the most immediate and important is notifying consumers or employees of the breach. Forty-seven states have adopted statutes requiring such notification. However, there is no single, national standard for notification, and the state laws vary widely on when notice is required, how it must be given, timing and other important features.

Our Privacy and Data Security team has decoded and distilled the 47 different sets of state laws into an easily usable chart containing each state’s notification requirements.