Mintz Matrix Updated – Data Breach Laws in All 50 States

Cynthia Larose
Mintz - Privacy & Cybersecurity Viewpoints
Contact
LinkedIn
Facebook
X
Send
Embed

Mintz Levin - Privacy & Security Matters

With the recent enactment of data breach notification laws in South Dakota and Alabama, all 50 US states now have laws regulating data breach notification.  We’ve updated the Mintz Matrix (maintained by the Mintz Privacy Team for nearly 10 years) to provide you with the latest information.

Managing the differing requirements remains a challenge, and points to the need for updated incident response plans.  As an example, the chart below outlines the different timelines for notification.  The Mintz Matrix contains information on all of these, and more.

Breach Notification Timeline

Time After Discovery of Breach     Action Required
10 Calendar Days
  • Puerto Rico Department of Consumer Affairs
14 Business Days
  • Vermont AG preliminary notification
15 Business Days
  • California residents, California AG, and California Department of Public Health must be notified of the disclosure of PHI by a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health (“CDPH”)
30 Calendar Days
  • Florida residents, AG (500+ residents) (Can request 15 day extension) (60 Days for PHI/HIPAA incidents).
  • Indiana AG will open an investigation if not notified within 30 days
45 Calendar Days
  • Ohio residents
  • Tennessee residents (60 Days for PHI/HIPAA incidents)
  • Vermont residents, AG
  • Washington residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents)
  • Wisconsin residents (60 Days for PHI/HIPAA incidents
  • New Mexico residents, AG (500+ residents)
  • Maryland residents (60 Days for PHI/HIPAA incidents)
60 Calendar Days
  • Individuals and HHS OCR for PHI disclosure.
  • Delaware (effective 4/14/18), AG (500+ residents)
90 Calendar Days
  • Connecticut residents (60 days for PHI/HIPAA incidents)
Most expedient time and without unreasonable delay
  • AK, AZ, AR, CA (other than as noted above), CO, DE (until 4/14/18), DC, GA, HI, ID, IL, IA, KS, KY, ME, MA, MI, MN, MS, MO, MT, NV, NJ, NY, NC, ND, OK, OR, PA, PR, SC, UT, VA, WV, WY
As soon as possible
  • NE, NH, TX
Days After Confirmation of Breach   Action Required
45 Calendar Days
  • Rhode Island residents, AG (500+ residents) (60  Days for PHI/HIPAA incidents).

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - Privacy & Cybersecurity Viewpoints | Attorney Advertising

Written by:

Mintz - Privacy & Cybersecurity Viewpoints
Mintz - Privacy & Cybersecurity Viewpoints
Contact
more
less

Mintz - Privacy & Cybersecurity Viewpoints on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide