Data breaches have become a fact of digital life. Not surprisingly, so have the breach notification laws surrounding them.
As the law firm Jackson Lewis explains, all 50 states as well as the District of Columbia, Puerto Rico, Guam, and the Virgin Islands have enacted breach notification laws. They all require private organizations to notify individuals if their personal information was involved in a security breach. Otherwise, they are all different.
“Today’s nationwide patchwork of state breach notification laws requires data holders operating in multiple states or maintaining personal information of residents of multiple states to keep up with the requirements across many jurisdictions,” they write.
New Jersey, for instance, is one of about two dozen states that have what Jackson Lewis calls an “expanded definition of personal information,” and it requires notification to a state agency.
And the rules are still changing.
“Personal information commonly is defined as an individual’s first name or first initial and last name in combination with an additional data element, such as a Social Security number, driver’s license number, or financial account information with the applicable PIN or access code for same,” Jackson Lewis says. “Recently, however, many states have amended their statute’s definition of ‘personal information’ to include additional data elements, such as biometric and health information and user name or email address and password.”