Summary of State Data Breach Notification Laws

Section 1.2 of this book describes the common requirements of the data breach notification laws in forty-seven states and the District of Columbia. These summaries focus on the obligations of private companies; government agencies also often face separate notice obligations if they experience data breaches. For ease of reference, particularly for companies that are dealing with a data breach, this appendix summarizes key provisions of each of these forty-eight laws, including the types of personal information that trigger the breach notice requirement, significant exceptions to that requirement, and notice and format of breach notices.

Note that most state notification laws allow electronic notice; in all of these cases, consent to receive notices electronically must be consistent with the federal E-SIGN Act.

For ease of reference, this appendix includes many of the most important parts of the state laws, rather than merely reprinting the statutes in full. However, the state laws do have additional requirements that are specific to the state. Moreover, the breach notification laws could have been amended since the publication of this book; indeed, typically a few states each year amend their breach notice laws. Accordingly, it always is prudent for legal counsel to review the current version of the applicable breach notice laws to confirm requirements.

Alaska