State Data Breach Notification Laws

01 July 2019 Publication
Authors: Jennifer J. Hennessy, Chanley T. Howell, Michael R. Overly, Jennifer L. Rathburn, Steven M. Millendorf, Aaron K. Tantleff, Samuel D. Goldstick, Thomas E. Chisena

While most state data breach notification statutes contain similar components, there are important differences, meaning a one-size-fits-all approach to notification will not suffice. What’s more, as data breaches continue to rise, states are responding with increasingly frequent and divergent changes to their statutes, creating challenges for compliance. Organizations must make it a priority to monitor these changes to prepare for and respond to data breaches.

For a summary of basic state notification requirements that apply to entities who “own” data, download Foley’s State Data Breach Notification Laws Chart. This chart is current as of July 1, 2019, and should be used for informational purposes only because the recommended actions an entity should take if it experiences a security event, incident, or breach vary depending on the specific facts and circumstances.

This chart does not cover non-owners of data. If you do not own the data at issue, consult the applicable laws and contact legal counsel. This chart also does not cover:

  • Exceptions based on compliance with other laws, such as the Health Insurance Portability and Accountability Act (HIPAA) or Gramm-Leach-Bliley Act (GLBA).
  • Exceptions regarding good faith acquisition of personally identifiable information (PII) by an employee or agent of an entity for a legitimate purpose of the entity, provided there is no further unauthorized use or disclosure of the PII.
  • Exceptions regarding what constitutes PII, such as public, encrypted, redacted, unreadable, or unusable data. The chart indicates whether a safe harbor may be available for data that is considered public, encrypted, redacted, unreadable, or unusable, but the specific guidance will vary based on the circumstances. For example, some states have a safe harbor only for data that is encrypted, whereas other states may have a safe harbor for data that is encrypted or public.
  • The manner in which an entity provides actual or substitute notification (e.g., via email or U.S. Mail).
  • Requirements for the content of the notice.
  • Any guidance materials issued by federal and state agencies.
  • A comprehensive assessment of all laws applicable to breaches of information other than PII.

For more information about state data breach notification laws or other data security matters, please contact one of the individuals listed below or another member of Foley’s Cybersecurity practice.

