In general, most state laws require that companies disclose a data breach to affected residents of the state. Some statutes also require notification of law enforcement, consumer protection boards, or credit agencies. Most breach notification laws set forth notification guidelines as to how soon a company is required to inform customers of a data breach (e.g., without unreasonable delay); the existence of civil or criminal penalties for failure to notify; the existence of a private right of action, if any, against the company; and any exemptions that apply to certain businesses or certain breaches. Some state laws distinguish between material and nonmaterial breaches.

State Laws Not Uniform. Most state laws, including Minnesota’s, provide a notification scheme and require notice to individuals after a “breach of the security system.” [See Minn. Stat. § 325E.61 on pages 88-90]. But these state laws are not identical and include their own subtle distinctions and provisions. For example, some laws only require notice when there is a “material” or “significant” risk of harm from the security breach. Note that in Minnesota, social security or account numbers alone may not trigger notification, as they must be coupled with another identifier, such as a name. Some state security breach notification laws (such as Wisconsin’s) are triggered even if just account numbers or related access codes are compromised. Some states also have specific requirements for what must be included in the breach notification. Minnesota does not have a specific content requirement. Timing of the notice is vague in most states, which require that it be given within a “reasonable” time frame. (Wisconsin requires notice within 45 days.) Some states allow for a private right of action. In Minnesota, actions may be brought by the Minnesota Attorney General. One bill introduced in the Minnesota legislature would have required notification of a consumer within 48 hours of discovery of the data breach.
The variety in state laws is one of the most compelling justifications for a comprehensive federal breach notification law.

State Data Breach Notification Statute Updates. Now that all fifty states, Washington DC, Guam, Puerto Rico, and the U.S. Virgin Islands have their own data breach notification statutes, the focus has