Snell & Wilmer’s Breach Response Team regularly guides clients through all phases of data breach and cyber incident response, including leading internal investigations related to data breaches and cyber incidents in coordination with third-party forensic experts; providing comprehensive crisis management services; and advising regarding state and federal data breach notification and remediation requirements. Given that most breach-related notification obligations are governed by the law of the state of residence for the individual whose personally identifiable information (“PII”) was compromised, companies often are required to comply with several – and, frequently, all fifty – states’ respective notification requirements, and one of the key challenges is managing the differences between these respective statutes. To assist our clients manage multi-state data breach notification efforts, we have developed an interactive Data Breach Map that provides an overview of the data breach statutes in all 50 states as well as the territories of the United States, which you can see here.
By clicking on a state, you will see a summary of the key features of its notification statute; highlights include PII and breach definitions, respectively, along with notification requirements, including the circumstances in which the state Attorney General’s Office or a similar consumer protection agency is required to be notified as well as timing requirements for the notifications to individuals. We’ve also included links to both the data breach statutes themselves and relevant state agency websites. Additionally, the second tab on the Data Breach Map provides a visual summary for those states that require notification when PII has merely been accessed as compared to those states that only require notification when PII has been acquired.
We will continually update the Data Breach Map to reflect changes and amendments to the state-level notification requirements. Please check it out and stay tuned for more!