This guide is for informational purposes only and is intended merely as a high-level overview of state data breach laws. The content below provides a summary of state notification requirements for when an organization’s security breach has compromised personal information about the organization’s vendors, employees, clients or customers. Data breach events can be dynamic occurrences, and because of this, the regulations that pertain to these circumstances continue to evolve. Organizations that experience a data breach incident are strongly encouraged to use this guide only as a starting point for a multifaceted approach that may include involving their legal counsel.
Importantly, the chart below covers entities that own their data and excludes public entities and non-owners of data. Moreover, this guide presents generally applicable information; it does not introduce or explore the issue of exceptions to the law based on competing compliance requirements, such as the obligations prescribed by the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA).