California was the first state to pass a data security breach law. Since then, 43 additional states, along with the District of Columbia, Puerto Rico and the Virgin Islands, have passed laws that require public disclosure of data security breaches.
Most states require businesses that own, lease or store personally identifiable information to notify every individual whose personal data is stolen or misused. In some cases, businesses must also contact the major credit reporting agencies, the State Attorney General, and the news media.
Data breaches do not always have to be disclosed. Exceptions include the loss of encrypted data, and the judgment of law enforcement authorities that the breach is not likely to result in harm to the individuals. In addition, disclosure is not required if it would interfere with an ongoing investigation.
Because of the growing threat of identity theft, Congress is considering several laws that would regulate data security breaches at the federal level. As of this writing, however, data security is still regulated on a state-by-state basis.
If you store personally identifiable information, you need to be aware of your state's data security breach disclosure laws. To help with your research, the following pages contain links to current laws.