State Breach Notification Statutes for all 50 States (American Bankers Association)


Listed below is a spreadsheet of state data breach notification acts with information about notification deadlines, parties that must be notified, and applicable bank exemption language, if any.

This information was compiled by the American Bankers Association Office of Legislative Counsel. Please contact ABA's Sabrina Bergen at sbergen@aba.com for more information.

Overview

  • Alabama and South Dakota do not have data breach notification statutes; the remaining 48 states, D.C., Guam, Puerto Rico, and the U.S. Virgin Islands require businesses to notify consumers in the event that their personal information is compromised in a data breach.
  • Twenty-one states require notification to the Attorney General in the event of a data breach (in addition, FL, HI, ME, NJ, and SC require notification to a specified law enforcement or regulatory body).
  • Thirty-one states require notification to Consumer Reporting Agencies
  • Fifteen states provide a comprehensive exemption for banks (AR* (regulated by federal law that provides greater protection to personal information), AZ, GA* (Banks not included in definition of "data collector"), HI, IN, IA, KY, MN, NM, OH, OR, SC, TN, VT* (but still need to notify state regulator) and WI)
  • Twenty-nine states, D.C., Guam, and Puerto Rico deem banks to be in compliance with state breach notification law if they are in compliance with corresponding federal law and regulations
  • Three states (MT, NJ and TX) and the U.S. Virgin Islands deem entities to be in compliance with state breach notification law if they maintain and comply with their own notification procedures
  • Alaska provides an exemption for entities subject to GLBA from the requirement to notify consumer credit reporting agencies
  • Eleven states have specific notification deadlines: 30 calendar days (FL, IN), 45 calendar days (MD, NM, OH, TN, VT, WA, WI), 60 calendar days (DE), and 90 calendar days (CT)


Wisconsin (Wis. Stat. § 134.98)

An individual's last name and the individual's first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:
1. The individual's social security number.
2. The individual's driver's license number or state identification number.
3. The number of the individual's financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual's financial account.
4. The individual's deoxyribonucleic acid profile, as defined in s. 939.74 (2d) (a).
5. The individual's unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation.

TIME: 45 Calendar Days (60 days for PHI/HIPAA incidents)

Consumer Reporting Agencies:
If, as the result of a single incident, an entity is required under par. (a) or (b) to notify 1,000 or more individuals that personal information pertaining to the individuals has been acquired, the entity shall without unreasonable delay notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC 1681a(p), of the timing, distribution, and content of the notices sent to the individuals.

This section does not apply to an entity that is subject to, and in compliance with, the privacy and security requirements of 15 USC 6801 to 6827, or a person that has a contractual obligation to such an entity, if the entity or person has in effect a policy concerning breaches of information security.

