Skip to content

It looks like we may have content for your preferred language. Would you like to view this page in English?

Update on State Security Breach Notification Laws

At least twenty states (Arkansas, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Rhode Island, Tennessee, Texas and Washington) have recently enacted laws that require owners and licensees of computerized personal information to notify individuals if their unencrypted personal information has been obtained without authorization.

Most of the laws are modeled on California’s security breach notification law which requires a company to provide notice to affected individuals if it discovers that unencrypted personal information has been obtained by someone without authorization. The California law, which took effect in 2003 and is largely responsible for the disclosure of several large-scale security breaches earlier this year, requires that notice be provided "in the most expedient time possible and without unreasonable delay," but allows for delay of notification to determine the scope of the breach and for law enforcement purposes. Notice can be provided in writing, electronically, by "substitute notice" which includes a web site posting and notice to statewide major media if certain conditions are met, or by a notification method that is part of a company’s information security policy.

New York’s law, which takes effect December 7, 2005, contains some significant differences. For example, the New York law applies to encrypted and unencrypted data if the encryption key is also compromised; requires notice to consumer reporting agencies that evaluate consumer credit information or other information, for large-scale breaches (i.e., a breach that would require notice to more than 5,000 New York residents at one time); has specific requirements for the content of the notice; and requires notification to the state Attorney General, Consumer Protection Board, and New York cyber-securities authorities. While the California law is silent on enforcement and penalties, the New York law provides that the Attorney General may file suit to recover actual costs or losses incurred by those affected, including consequential financial losses. In addition, the Attorney General can seek civil penalties of up to $150,000.

Federal lawmakers are also considering several security breach notification bills including S. 751, S. 768, S. 1216, and H.R. 1069, some of which would preempt state laws.


This client alert is a publication of Loeb & Loeb and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.

Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.