Data Breach Laws
Major data breaches have become a near-daily occurrence. Some of the largest and most recognizable companies have made headlines for the wrong reasons, including LinkedIn, Mercedes-Benz, and Equifax. Every state has a data breach statute on the books, but the differences among these laws have a profound impact on how incidents are handled and on what affected individuals are told.
In a recent study of people affected by multiple data breaches, participants were unaware of 74% of the incidents involving their data. If people don’t know their data has been breached, they can’t take concrete steps to protect themselves, or at least to reduce the impact. That is one reason the language around notification is such an important part of data breach laws. For example, Alaska requires only that notification be made “expeditiously,” whereas Colorado requires that affected parties be notified within 30 days. There are also state-by-state discrepancies in penalties and enforcement. The Attorney General in Nevada can initiate legal proceedings against a violating party and impose civil penalties of up to $5,000 per violation. New Mexico, by contrast, caps penalties at $25,000.
These inconsistencies are not just a matter of legal semantics. When data breaches occur, the implications go far beyond bad press for a company. Leaked sensitive data, including Social Security numbers, driver’s license numbers, and financial information, can easily make its way into the hands of criminals. Victims may not see suspicious activity on their bank or credit card statements right away, but that doesn’t mean the stolen data has vanished into the ether. It is typically sold on the dark web to large-scale criminal enterprises that repurpose it to perpetrate future fraud and attacks. Unfortunately, not every state’s law is commensurate with the stakes for its citizens.
This comprehensive chart, designed by Jeff Jockisch at PrivacyPlan, analyzes the consumer-protection strength of the data breach laws across all 50 states. His methodology scores each state on four metrics: Breach Notification, Personal Data Coverage, Harm Triggers, and Fines & Enforcement. Check where your state ranks!