State Data Breach Notification Laws: 2018 in Review

Caleb Skeath and Brooke Kahn of Covington & Burling provide a useful recap of changes in 2018 that will impact us in 2019:

…. Following up on our global year-end review of major privacy and cybersecurity developments, we’ve summarized the major developments and trends observed with regards to state data breach notification laws over the past year.

Data Breach Notification Laws in All 50 States.  With the enactment of new data breach notification laws in South Dakota and Alabama, all fifty states and the District of Columbia have implemented data breach notification laws.  The new laws in South Dakota and Alabama, which went into effect in mid-2018, included many features commonly seen in recent amendments to other states’ existing data breach notification laws, such as expanded PII definitions, explicit notification deadlines, and state regulator notification requirements.

Explicit Notification Deadlines.  During 2018, several states also joined a growing trend by revising their data breach notification laws to include explicit deadlines for notifying affected individuals.  Notably, Colorado enacted a 30-day deadline from the discovery of the breach for notifying affected individuals, which matches Florida’s 30-day deadline for the shortest notification deadline in the U.S.  Alabama, Arizona, and Oregon all passed legislation in 2018 requiring notification of affected individuals within 45 days of discovery of a breach, while Louisiana and South Dakota passed legislation requiring notification of affected individuals within 60 days of discovery.

Read more of their summary of changes in state legislation this year on InsidePrivacy.

About the author: Dissent