Several states have clarified or tightened their data breach notification statutes since we last updated the Mintz Matrix at the beginning of the year. Please click here for the latest edition of the Mintz Matrix, which is a 50-state resource concerning U.S. state data breach notification laws that we have maintained since 2009.

The states continue to enhance these laws and address concerns around interpretation and compliance even as more attention is being paid to the comprehensive consumer privacy statutes sweeping across the country.  We have been keeping an eye on developments and are making updates to the Mintz Matrix for states with modified data breach notification requirements that are taking effect this year, including:

• The lawmakers in Texas decided to require covered entities to report data breaches to the Texas Attorney General within 30 days (rather than 60 days) of discovering a breach, and to do so using an electronic form available on the AG’s website. The amendment to Texas' data breach notification law took effect on September 1st! 
• In Utah, the breach notification requirements were amended as of May 3, 2023 to expand reporting obligations and require notice to Utah’s Attorney General and to its newly codified Utah Cyber Center in the event a data breach involving known or reasonably likely misuse of personal information impacts 500 or more Utah residents.  If 1,000 residents are affected, the amendment now also requires reporting to consumer reporting agencies.
• About that same time in May earlier this year, Pennsylvania’s amended breach notification law expanded the definition of “personal information” to include medical and health insurance information, and also a username and email address in combination with a password or security responses permitting access to an online account.  For breaches involving that latter category of login credentials, the state will permit some limited form of electronic notification to affected individuals.
• Connecticut also expanded its definition of personal information to address “precise geolocation data” and made some clarifications concerning the AG’s enforcement authority when there are violations of the statute.  These CT amendments take effect October 1, 2023.