DATA BREACH LAWS
This project is my submission for Professor Andrea Matwyshyn's Information Security Law class at Northeastern University School of Law. Our task was to bring transparency to an area of the law and/or aggregate data in a new and useful way. Note, this project is not meant to provide legal advice and you should not take it as such. I am a law student doing a research project and while I am presenting information about the law, all representations herein are from the statutes and would not be of use without the knowledge of specific facts. I chose to analyze data breach laws because they are one mechanism for enforcing reasonable security standards for data storage and transmission. There is no federal statute that sets security standards or breach notification standards so we have to look to each state to see what they provide. Since 2001 when California first passed and later enacted their data breach statute every state except Alabama and South Dakota have adopted some form of data breach law.
As you may imagine, having nearly 50 different statutory regimes may make it difficult for businesses to understand their obligations. Most states set a reasonable time frame with certain exceptions for law enforcement activity and restoring the system, but some have more concrete deadlines at 30, 45, or 90 days. This effectively means that companies must look for an exception that applies broadly to justify a delay or meet the shortest reporting requirement. Many states have clear reporting and enforcement regimes with state Attorney General's playing a primary role. As you can see, while fractured, these statutes can be an effective enforcement mechanism if they contain the appropriate statutory mechanisms like damages, standards for data care, standards for data destruction, or even offering guidelines through the Attorney General's office. Still, as you will see in the case of Georgia, a statute that does not have a standard of data care can be toothless in the eyes of the court. What I've heard takes place in the wild is that companies will meet the stringent requirements of a state like California or New York and find that it is cost effective to follow the same requirements for their remaining customers, no matter the jurisdiction. With that in mind, it may even be possible to harmonize the law and help implement standards for data security and retention, emphasizing a security by process approach.
Below are five states that you can get to immediately. On each state page you will find links to the state's law, usually as it is displayed on a state website, hopefully so that information will get updated with amendments, even if I may not get the update immediately. All information is as of 11.6.2017 and you will see I included some amendments that are taking effect in 2018. I have included the definitions of "data breach" for each state because not all of them cover the same material. Some states have other areas of the law dealing with paper records, but others leave a gap in the law by specifying computerized data in the statute which wouldn't apply to someone dumpster diving through your accountant's un-shredded data. Next you will find the notice requirements and the penalties for non-compliance, if any. Questions and further inquiries may be directed to firstname.lastname@example.org.