State Data Breach Notification Law Elements
State Data Breach Notification Laws are a critical component of U.S. privacy regulation, requiring organizations to notify individuals when their personal information has been compromised. All 50 states, the District of Columbia, and U.S. territories have enacted such laws, each with varying requirements. Key elements include:
**1. Definition of Personal Information:** Most states define personal information as a combination of an individual's name plus sensitive data elements such as Social Security numbers, driver's license numbers, financial account numbers, or medical information. Many states have expanded definitions to include biometric data, email credentials, and taxpayer identification numbers.
**2. Definition of Breach:** Generally defined as the unauthorized acquisition, access, or disclosure of unencrypted personal information. Some states include a risk-of-harm threshold, requiring notification only if the breach is likely to cause harm to individuals.
**3. Notification Requirements:** Organizations must notify affected individuals within a specified timeframe, which varies by state (e.g., 30, 45, 60, or 72 days). Notification methods typically include written letters, electronic notices, or substitute notice for large-scale breaches.
**4. Notification to Government Agencies:** Many states require organizations to notify the state attorney general or other regulatory bodies, especially when a breach affects a certain number of residents.
**5. Notification to Consumer Reporting Agencies:** When breaches affect large numbers of individuals (often 500 or 1,000+), organizations may need to notify credit reporting agencies.
**6. Exemptions:** Encrypted or redacted data is often exempt. Some states provide safe harbors for entities complying with other regulatory frameworks like HIPAA or GLBA.
**7. Enforcement and Penalties:** State attorneys general typically enforce these laws, and penalties can include fines, civil litigation, and injunctive relief.
**8. Third-Party Obligations:** Service providers or data processors must notify the data owner promptly upon discovering a breach.
Understanding these elements is essential for CIPP/US professionals to ensure organizational compliance across multiple jurisdictions.
State Data Breach Notification Law Elements: A Comprehensive Guide for CIPP/US Exam Preparation
Introduction
State data breach notification laws are among the most critical areas of U.S. privacy law. Since California enacted the first breach notification law in 2002 (SB 1386), all 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have enacted their own data breach notification statutes. Understanding the key elements of these laws is essential for any privacy professional and is a heavily tested topic on the CIPP/US exam.
Why State Data Breach Notification Law Elements Are Important
State breach notification laws are important for several reasons:
1. Consumer Protection: These laws ensure that individuals are informed when their personal information has been compromised, enabling them to take protective measures such as freezing credit, changing passwords, or monitoring financial accounts.
2. Organizational Accountability: They create legal obligations for organizations to maintain awareness of security incidents and respond promptly, incentivizing better data security practices.
3. Patchwork Compliance Challenge: Because each state has its own law with different requirements, organizations operating across state lines must navigate a complex web of obligations. Understanding the common elements — and where they diverge — is critical for compliance.
4. Enforcement and Penalties: Failure to comply with state breach notification laws can result in significant penalties, including fines, lawsuits, and reputational damage. State attorneys general are increasingly active in enforcement.
5. Evolving Landscape: States continue to amend and strengthen their breach notification laws, expanding definitions of personal information, shortening notification timelines, and adding new requirements.
What Are State Data Breach Notification Law Elements?
State data breach notification laws generally contain several core elements. While the specifics vary from state to state, the following are the foundational components that appear across most statutes:
1. Definition of Personal Information (PI)
Every state law defines what types of data, when compromised, trigger notification obligations. Traditionally, the core definition includes an individual's first name or first initial and last name in combination with one or more of the following data elements:
- Social Security number (SSN)
- Driver's license or state identification card number
- Financial account number, credit card number, or debit card number (in combination with any required security code, access code, or password that would permit access to the account)
Many states have expanded their definitions of personal information to include:
- Medical or health information
- Health insurance information
- Biometric data (fingerprints, retina scans, etc.)
- Usernames or email addresses in combination with passwords or security questions and answers (login credentials)
- Passport numbers
- Taxpayer identification numbers
Key Point: The trend is toward broader definitions of personal information. Some states (e.g., California, Illinois, and Washington) have particularly expansive definitions.
2. Definition of Breach
States define what constitutes a "breach" or "breach of the security of the system." Most states define a breach as the unauthorized acquisition of personal information. However, there are important variations:
- Some states use unauthorized acquisition (a narrower standard)
- Some states use unauthorized access (a broader standard that may not require actual acquisition of data)
- Some states include unauthorized acquisition or reasonable belief of acquisition
Many states also include a risk of harm qualifier or exemption, meaning notification is not required if, after an appropriate investigation, the organization reasonably determines that the breach is unlikely to result in harm to the affected individuals.
3. Who Must Notify (Covered Entities)
State breach notification laws typically apply to:
- Data owners or licensees: Entities that own or license personal information of state residents
- Data maintainers: Entities that maintain personal information on behalf of another entity
Most laws distinguish between the obligations of the data owner (who has the primary notification obligation to individuals) and the data maintainer or service provider (who typically must notify the data owner of a breach).
4. Who Must Be Notified
State laws require notification to various parties, which can include:
- Affected individuals: All states require notification to individuals whose personal information was compromised
- State attorney general: Many states require notification to the state AG, sometimes triggered when the breach exceeds a certain threshold (e.g., 500 or 1,000 affected residents)
- Consumer reporting agencies (CRAs): Many states require notification to CRAs when the breach exceeds a specified threshold (commonly 1,000 or more affected residents)
- State regulators: Some states require notification to specific regulatory bodies
5. Timing of Notification
The timing requirement is a critical element and varies significantly by state:
- Some states require notification in the most expedient time possible and without unreasonable delay (a general reasonableness standard)
- Some states impose specific deadlines, such as:
  - 30 days (e.g., Arizona, Colorado, Florida)
  - 45 days (e.g., Ohio, Wisconsin)
  - 60 days (e.g., Connecticut, Vermont, many other states)
  - 72 hours (this is more common in sector-specific federal law, but some state frameworks reference short timelines for certain categories)
Most states allow for a law enforcement delay — notification may be delayed if law enforcement determines that it would impede a criminal investigation.
6. Method of Notification
State laws specify acceptable methods of notification to affected individuals:
- Written notice (sent to the last known mailing address)
- Electronic notice (if consistent with E-SIGN Act provisions)
- Telephonic notice (some states permit this)
- Substitute notice: Permitted when the cost of providing notice exceeds a certain threshold (commonly $250,000), the number of affected individuals exceeds a threshold (commonly 500,000), or the entity lacks sufficient contact information. Substitute notice typically involves:
  - Email notification (when available)
  - Conspicuous posting on the entity's website
  - Notification to major statewide media outlets
7. Content of Notification
Many states specify what information must be included in the breach notification. Common required content elements include:
- Description of the incident
- Types of personal information involved
- Steps the organization has taken or plans to take in response
- Contact information for the organization
- Contact information for the state attorney general or relevant agency
- Advice to the individual on steps they can take to protect themselves (e.g., placing fraud alerts, obtaining free credit reports)
- Information about identity theft protection services (some states require the entity to provide complimentary credit monitoring)
8. Exemptions and Safe Harbors
Several important exemptions and safe harbors exist across state laws:
- Encryption safe harbor: Most states exempt breaches involving data that was encrypted at the time of the breach, provided that the encryption key was not also compromised. This is one of the most commonly tested elements.
- Good faith acquisition exemption: Many states exempt situations where personal information was acquired in good faith by an employee or agent of the organization, provided the information is not used improperly or subject to further unauthorized disclosure.
- Risk of harm threshold: Some states do not require notification if, after investigation, the organization determines the breach is not reasonably likely to cause harm to the affected individuals.
- Compliance with other laws: Entities that comply with federal breach notification requirements (e.g., HIPAA for healthcare entities, GLBA for financial institutions) may be deemed compliant with state law, depending on the state.
9. Enforcement and Penalties
State breach notification laws are typically enforced by:
- State attorneys general
- Affected individuals, in the states that provide a private right of action
Penalties vary by state but can include:
- Civil penalties per violation or per individual affected
- Injunctive relief
- Actual damages suffered by individuals
- Some states impose penalties on a per-day or per-individual basis
How State Breach Notification Works in Practice
Here is a practical walkthrough of how the breach notification process typically unfolds:
Step 1: Discovery of a Security Incident
An organization discovers a security event — such as unauthorized access to a database, a lost laptop, a phishing attack, or a ransomware incident — that may involve personal information.
Step 2: Investigation and Assessment
The organization investigates the incident to determine:
- Whether personal information was involved
- What types of personal information were compromised
- How many individuals are affected
- The residency of affected individuals (this determines which state laws apply)
- Whether the data was encrypted
- Whether there is a risk of harm
Step 3: Legal Analysis
The organization (often with the help of privacy counsel) analyzes the breach against the notification requirements of each relevant state to determine:
- Whether notification is required
- Who must be notified (individuals, AG, CRAs)
- The deadline for notification
- The required content and method of notification
Step 4: Notification
The organization provides notification to all required parties within the applicable timeframes, using the required methods and including the required content.
Step 5: Remediation and Documentation
The organization takes steps to mitigate the impact of the breach, strengthens security controls, and documents its response for regulatory and litigation purposes.
Key Concepts to Remember for the Exam
- There is no single federal breach notification law that applies to all sectors (though sector-specific laws like HIPAA and GLBA exist). State laws fill this gap.
- California SB 1386 (2002) was the first state breach notification law and served as a model for other states.
- The encryption safe harbor is one of the most important and frequently tested elements.
- The definition of personal information varies by state and has been expanding over time to include biometric data, medical information, login credentials, and more.
- The distinction between unauthorized acquisition and unauthorized access as the trigger for notification is a key differentiator among state laws.
- Notification to the attorney general and consumer reporting agencies is a requirement in many states, typically triggered by a threshold number of affected individuals.
- Substitute notice provisions exist to address situations where traditional notice methods are impractical or too costly.
- The good faith acquisition exemption protects organizations when employees or agents access personal information without authorization but in good faith and without misuse.
Exam Tips: Answering Questions on State Data Breach Notification Law Elements
1. Focus on the Elements Framework: When you see a question about state breach notification, mentally walk through the key elements: definition of PI, definition of breach, who must notify, who must be notified, timing, method, content, exemptions, and enforcement. Most questions will test one or more of these elements.
2. Know the Encryption Safe Harbor: This is a favorite exam topic. Remember that most states exempt encrypted data from notification requirements, but only if the encryption key was not also compromised. If a question describes a breach involving encrypted data, check whether the key was also breached.
3. Distinguish Acquisition vs. Access: Pay close attention to whether a question asks about unauthorized acquisition (taking possession of data) or unauthorized access (viewing or accessing data without taking it). This distinction can change the answer.
4. Watch for Risk of Harm Analysis: Some questions will present a scenario and ask whether notification is required. If the state law in question includes a risk-of-harm threshold, the answer may be that notification is not required if no harm is likely.
5. Remember the Good Faith Exception: If a question describes an employee who accidentally accesses personal information but does not misuse it, the good faith acquisition exemption may apply.
6. Pay Attention to Notification Recipients: Questions may test whether you know that notification must go not only to individuals but also to the state attorney general and/or consumer reporting agencies. Remember the common thresholds that trigger AG and CRA notification.
7. Know the Timing Rules: Be familiar with the general concept that notification must be made "in the most expedient time possible and without unreasonable delay" and that some states have specific day-count deadlines. Remember that law enforcement delays are generally permitted.
8. Understand Substitute Notice: Know when substitute notice is permitted (cost exceeds threshold, too many affected individuals, or insufficient contact information) and what it typically involves (email, website posting, and media notification).
9. Recognize the Expanding Definition of Personal Information: If a question asks whether a particular type of data triggers notification requirements, remember that modern state laws increasingly include biometric data, medical information, login credentials, and other non-traditional data types.
10. Read Carefully for State-Specific Details: The exam may reference a specific state's law. If so, focus on what makes that state's law distinctive. For example, California's law is broader in its definition of PI, while some states have shorter notification timelines.
11. Eliminate Wrong Answers by Testing Against Elements: If you are unsure of the correct answer, use the elements framework to eliminate options. For example, if an answer choice says notification is never required for encrypted data, it may be wrong because the encryption key could also have been compromised.
12. Remember the Practical Flow: Some questions may present a scenario and ask what the organization should do first or next. Follow the logical sequence: discover, investigate, analyze legal obligations, notify, and remediate.
13. Federal Preemption and Overlap: Be aware that entities subject to federal breach notification requirements (e.g., HIPAA-covered entities, financial institutions under GLBA) may have compliance with state law deemed satisfied in certain states, but this is not universal. The exam may test whether federal compliance substitutes for state compliance.
14. Third-Party/Service Provider Obligations: Remember that data maintainers or service providers typically have an obligation to notify the data owner of a breach — they do not usually notify individuals directly. This is a common exam distinction.
Summary
State data breach notification laws form the backbone of data breach response obligations in the United States. Understanding the core elements — who must notify, who must be notified, what triggers notification, when notification must occur, how it must be delivered, what it must contain, and what exemptions apply — is essential for both privacy practice and CIPP/US exam success. Focus on the common elements across states while noting key areas of divergence, and always apply the elements framework when analyzing exam questions.