In the past year, five states – Alaska, Iowa, South Carolina, Virginia, and West Virginia – have enacted data breach notification laws, bringing to 45 the total number of U.S. jurisdictions (plus Washington D.C.) with laws on the books. The states with no data breach notification laws are Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota.

For the most part, the new laws follow what is now a fairly familiar pattern for data breach notification requirements. All require that notice of a breach be provided without “unreasonable delay,” but notice may be delayed to accommodate any pending law enforcement investigations. Notice also is not required under any of the new laws when the data that was accessed was encrypted. All of the laws provide for civil penalties for failure to comply.

However, there are a couple of noteworthy differences. West Virginia and Iowa join a minority of states with laws that do not allow for private causes of action for failure to comply with the notification requirements. In addition, the South Carolina, Virginia and West Virginia enactments contain no express exemption for immaterial breaches, though breaches requiring notice generally are defined to include only those where there is a reasonable risk of harm to the person whose data was accessed.

As always, businesses handling personal information should remain vigilant regarding any new or revised provisions in the data breach notification laws for the jurisdictions in which they conduct business. There have been no major new developments regarding the enactment of a national data breach notification law, and, at this point, with so many state laws on the books, it is possible that a federal law either will, if passed, provide only supplementary requirements in addition to the state laws or will fail to reach passage altogether. The longer the state regimes remain in place, the lower the likelihood of complete federal preemption on the issue.

Therefore, for the foreseeable future, businesses will need to maintain up-to-date notification procedures that are in compliance with the laws of each state where they operate. It remains advisable to consult with counsel in developing procedures that are consistent with business goals and objectives.