Data Breach Notification Laws, State By State

Five years after California's landmark SB 1386, our interactive map shows you which 38 states have passed laws requiring companies to notify consumers whose personal information has been compromised. Part of an in-depth series about disclosing security breaches.

More than five years after California's seminal data breach disclosure law, SB 1386, was enacted, not all states have followed suit. Eleven states still have not passed laws mandating that companies notify consumers when that company has lost the consumer's personal data. One state, Oklahoma, does have a breach notification law, but it only applies to state entities that have lost data.

That leaves 38 states that have enacted some sort of breach disclosure law. This map will help you sort them out. Click on any state to see highlights from that state's law. (The gray states do not yet have disclosure laws). For more explanation, see the text below the map. (To learn more, see the rest of the CSO Disclosure Series, including a deconstruction of two disclosure letters and an interview about pending federal legislation.)

You need to upgrade your Flash Player

In general, most state laws follow the basic tenets of California's original law: Companies must immediately disclose a data breach to customers, usually in writing. Also in California, there is a private right of action, and there are very few exemptions. It's a tough law. Laws in other states are tough too, but some allow more exemptions or do not allow a private right of action. When you click on a state on the map above, you'll see highlights of that state's law, including specific instances where it might differ from the California law. For example, the Massachusetts law pertains to paper record as well as computer data, as noted in the box. Some other important details:

1. Notification guidelines: how soon a company is required to inform customers of a data breach. In California, this is "as soon as possible, without unreasonable delay."

2. Penalty for failure to disclose: whether or not there are civil or criminal penalties for a failure to disclose. In California, a company cannot be penalized for its lack of promptness alone.

3. Private right of action: whether this option exists for consumers in that state. In California, this is available.

4. Exemptions: what kinds of breaches, if any, companies are exempt from reporting. California allows exemptions for encrypted data that's lost and publicly available government data. In California there is no such thing as an immaterial breach, while other states do have a definition of immaterial breach.

In addition, by clicking on the flag over Washington, D.C., you can check on the status of several pending federal bills pertaining to data breach disclosure. For more information, see "What's Next with Disclosure Legislation?", our interview with Tanya Forsheit, an attorney from Proskauer Rose LLP who is an expert on data breach disclosure law.

The map is meant to cover the highlights of the various state laws and is not meant to be comprehensive. For the most comprehensive information available, you can in most cases click on the thumbnail icon in the highlights box and be taken to a copy of the state law.

This map was created to provide a single source for information on all state laws that is both a good reference and visually intuitive. We started it as an experiment, and we'd love to know what you think of it and how you would improve it. Enjoy!

Executive Editor Scott Berinato can be reached at

Sources: Scott and Scott LLP, Perkins Coie, Proskauer Rose LLP, CSO Reporting

Map last updated: 2/12/2008

To learn more:


The Dos and Don'ts of Disclosure Letters

One security breach, two letters, 11 lessons in the art of telling customers you screwed up. Two PR pros deconstruct the messages that and USAJOBS were really giving to customers whose personal information had been disclosed.

What's Next with Disclosure Legislation?

An interview with lawyer and breach notification expert Tanya Forsheit on why the United States still doesn't have a federal breach notification law.

What California's New Medical Disclosure Law Means for the Rest of Us

New state law AB 1298, aimed at reducing instances of medical identity theft, could prompt similar legislation elsewhere, but experts are still unsure whether out-of-state companies with information about Californians must comply.

User Education: How to Respond to a Data Breach Disclosure

Just find out that your personal information has been compromised? Heres what to do.

Reporter's Notebook: The United States of TMI

Lead paint in toys. Brain-eating amoeba. Identity theft. Drowning in sand. We know more than ever about the risks all around us. Do we know what disclosing them all is doing to us?

This story, "Data Breach Notification Laws, State By State" was originally published by CSO.


Copyright © 2008 IDG Communications, Inc.

7 secrets of successful remote IT teams