Does your State have a Security Breach Notification Law?

By at 11 March, 2014, 3:42 pm

Data Breach Infographic

With the continuing onslaught of data breach stories, every lawyer should be aware whether their state has such a law on the books and what it requires in the event of a breach. The National Council of State Legislatures has compiled a chart of which states and territories have such laws and links to them as well.


According to the NCSL security breach website :

Forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information.

Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/ information brokers, government entities, etc); definitions of “personal information” (e.g., name combined with SSN, drivers license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).

For example, In Wisconsin, the law is found in Chapter 134 MISCELLANEOUS TRADE REGULATIONS, more specifically, the security breach requirements and definitions are found at  134.98 . Section 2 of this provision states:

(2) Notice required.
(a) If an entity whose principal place of business is located in this state or an entity that maintains or licenses personal information in this state knows that personal information in the entity's possession has been acquired by a person whom the entity has not authorized to acquire the personal information, the entity shall make reasonable efforts to notify each subject of the personal information. The notice shall indicate that the entity knows of the unauthorized acquisition of personal information pertaining to the subject of the personal information.

With section 2 (br) kicking in if the entity needs to contact more than 1,000 people pursuant to 2(a):

(br) If, as the result of a single incident, an entity is required under par. (a) or (b) to notify 1,000 or more individuals that personal information pertaining to the individuals has been acquired, the entity shall without unreasonable delay notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC 1681a(p), of the timing, distribution, and content of the notices sent to the individuals.

You should check out the law as it pertains to your state or territory so you can respond to your clients if they come to you regarding receding such a notice or to advise your business clients that may suffer a security breach.


if you would like to learn more about this or other legal technology and security topics, there is still time to register for the ABA TECHSHOW 2014 held March 27-29, 2014  in Chicago. You can check out N.S.AY What? Firm and Client Data Security & Encryption in the Age of Monitoring and other great sessions..



Categories : ABA TECHSHOW | Security

No comments yet.

Leave a comment