This Article discusses state laws requiring notification of a party whose personal information is held by a business or government agency when the third party’s security is breached and an unauthorized person accesses the personal information. In the wake of the 2005 ChoicePoint data breach, over half of the states passed legislation requiring that companies notify the affected parties after breach of personal information. Most of the state statutes followed the model set forth by California’s Security Breach Notification Act of 2002. However, significant variations exist between the different statutes, which can create compliance problems. This Article specifically illustrates the relevant differences, analyzes the effect of the statutes, and discusses the policy implications of such legislation.
G. M. Bingisser,
Data Privacy and Breach Reporting: Compliance with Various State Laws,
4 Shidler J. L. Com. & Tech.
Available at: https://digitalcommons.law.uw.edu/wjlta/vol4/iss3/5