U.S. STATE PRIVACY LAWS

DATA PRIVACY AND BREACH NOTIFICATION LAWS IN THE U.S.

To date, 47 U.S. states have enacted data privacy laws, often modeled after California’s SB 1386. Most of these laws are designed to protect against misuse or disclosure of personally identifiable information. Details on all U.S. state breach notification laws can be found on the National Conference of State Legislatures website: www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx

DATA FIELDS REQUIRING PROTECTION:

Most state privacy laws have similar language requiring protection of:

  • Names
  • Social security numbers
  • Driver’s license numbers
  • Account numbers
  • Credit or debit card numbers
  • Access codes or passwords that provide access to an individual’s financial account, medical or health insurance information

BREACH NOTIFICATION REQUIREMENTS & EXEMPTIONS

Most state privacy laws specifically exempt encrypted data if it has been “transformed into a form in which the data is rendered unreadable or unusable without use of a confidential process or key.”