It has now been more than five years since California became the first state to pass a data breach notification law (California SB 1386) mandating that companies notify consumers when they have lost the consumer’s personal data. While not all states have followed suit, the folks at CSOonline have published a very handy resource showing those states that have now passed their own data breach legislation.
The research by CSOonline reveals that 38 states have enacted some form of data breach disclosure law. Most of these laws follow the general outline of the California law and require that companies immediately disclose a data breach to their customers. However, the laws differ in their details, in particular on issues such as:
1. Deadlines and timing requirements for informing customers of a data breach.
2. Penalties faced by companies for failure to disclose.
3. Private rights of action for customers in the case of failures to notify.
4. Exemptions in which companies need not report breaches.
Customer data is becoming an ever more valuable (and marketable) asset for all technology companies (whether or not they are operating through a software as a service business model). As this trend increases, state and federal government agencies have likewise increased their focus on the protection of that data. In the current environment, knowledge and observance of the laws governing customer/consumer data has become an essential requirement for those companies that collect, use, and mine that data as part of their business models. While CSOOnline points out that their resource is not meant to be comprehensive, it is a handy tool to help in starting to understand the legal landscape in the area of data breach notification.