Appendix B Summary of State Data Breach Notification Laws

Section 1.2 of this book describes the common requirements of the data breach notification laws in 50 states and the District of Columbia. These summaries focus on the obligations of private companies; government agencies also often face separate notice obligations if they experience data breaches. For ease of reference, particularly for companies that are dealing with a data breach, this appendix summarizes key provisions of each of these laws as they relate to private companies’ obligations, including the types of personal information that trigger the breach notice requirement, significant exceptions to that requirement, and notice and format of breach notices.

Note that most state notification laws allow electronic notice; in all of these instances, consent to receive notices electronically often must be consistent with the federal E‐SIGN Act. The breach notice laws typically apply to the unauthorized acquisition of covered personal information.

For ease of reference, this appendix includes many of the most important parts of the state laws, rather than mere reprints of the full statutes. However, the state laws do have additional requirements that are specific to the state. Moreover, the breach notification laws could have been amended since the publication of this book; indeed, typically at least a few states each year amend their breach notice laws. Accordingly, legal counsel always should review the current ...
