Friday, April 3, 2009

Notification Laws: a response to data breaches

As data breaches have become more prevalent over the last few years, states have required organizations experiencing data breaches involving consumers’ personally identifiable information (PII) to notify their customers. Since California’s data breach disclosure law (SB1386) became effective in 2003, a total of 47 states and provinces have passed laws that require consumer notification of a data breach involving PII. Currently, only Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota do not have a data breach notification law. A listing of state data breach laws is here.

Organizations need to be aware of the data breach requirements of the states where they conduct business and where their consumers reside. Notification and communication requirements can differ from state to state. It is therefore important not only to know these state requirements, but also to audit your applications to prevent data loss in the first place.
