Currently, 47 states have data breach notification requirements in effect, which can make compliance especially burdensome when a breach affects customers across state lines. To complicate matters further, eight states amended their breach notification laws in 2015.
Some changes include:
- Five states amended their breach notification laws to require entities to report a breach to state regulators.
- Four states expanded the categories of information that constitute trigger information, thereby increasing the risk that a security incident will result in breach notification obligations.
- Three states set hard deadlines for notifying affected individuals of a breach.
It is critical that employers be aware of the breach notification requirements in the states where they have customers in order to avoid regulatory penalties and potential litigation in the wake of a security breach.