Data Breach Notification Laws in U.S. States

Breaches of data security and of contracts within a business are confusing and can cause various conflicts, depending on the state and the laws that govern the matter. It is important to know what a state's laws specify about breach notifications for cybersecurity and data restrictions, because outside influences could cause the breach and leave the company liable for damages.

Remaining compliant with the laws of each state is difficult when facing and responding to a data breach. When data leaks occur, the entity must face the aftermath and attempt to resolve the complications that the breach caused. These matters generally affect clients, customers and other businesses working with the entity on projects or joint ventures. When an emergency occurs in which the company must seal a breach or stop the problem from further harming the company or its clients, notifications are often the least pressing of the immediate matters. However, any failure to adhere to breach notification requirements could lead to penalties.

State Laws Confusing the Company

Each state involved in a data breach notification matter may confuse the entity even more by adding its own complicated and difficult-to-understand clauses and requirements. Some cause more confusion for the business by changing what constitutes a data breach, such as the breaching of information from an entity, agency or government department through the security of its computer systems. Some clauses in the laws contain details about unencrypted information, while others refrain from mentioning this or encrypted data in the breach. This may lead to the need to hire a business lawyer to fully understand what the state wants.

Specific Issues in States

Problems with breach notifications arise from state laws that are both confusing and complicated. Tennessee has similar issues through information that is not included in its laws. The state removed the safe harbor clause for data breach notifications, which obligates entities to include encrypted data in these details. Every other state has this clause. Other states may include unencrypted data but not encrypted data. This could affect credit card details, personal credentials and user information. The definition of a breach may also change based on the state. Some define it as the compromised security of confidential information belonging to users or to the company itself.

Breach notification laws change based on what the state believes a breach is. A reasonable belief that data is no longer safe and has been acquired by a third party is the general explanation of what constitutes a breach of data within an entity. However, the risk of harm to the information within a company or agency may increase or decrease through the measures the entity takes. If there is no reasonable belief that the compromised data has any connection to users, a breach notification may no longer be necessary. If the issue is with encrypted data but the state does not include this in its definition of a breach, notification may be unnecessary for these breaches.

Amendments to Breach Notification Laws

To ensure timely adherence to data breach notification requirements for users and companies, the state needs to ensure that modifications occur within a reasonable amount of time. Amendments to the regulations require a timeframe for compliance. Additionally, the entity must determine the scope of the breach and whether users or entities need notification based on the problem. Some breaches only affect the initial company where the breach occurs. Restoring the integrity of data systems is crucial, and the time to consider the matter is critical for the affected business. Knowing what is lost is the only way to truly inform users and clients about the breach.

The notice laws in some states only provide 45 days to give a breach notification to affected users and clients. No extensions are available in many states with these specifications. However, others may provide a specific time period with some extensions. Another state explains that 90 days are available to notify the users affected by the breach. Depending on the state, other notification provisions require the company to engage in further notifications and to resolve the matter. It is important to contact a lawyer to ensure compliance with the state laws.

Legal Support for Breach Notifications

Hiring a lawyer could prevent violations of breach notification requirements by the company. The amendments to the laws could affect the business sooner than expected. Additionally, violations could incur severe fines that the company is not able to pay because of the scope and range of the breach for the users and clients.

Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer.