State Data Breach Notification Requirements Specifically Applicable to Insurers
Patrick H. Haggerty’s article is particularly timely this week in light of the Systema Software data leak.
Almost all U.S. states and territories have enacted breach notification laws requiring private and/or government entities to notify individuals when their personal information is compromised. These laws vary, and much has been written about the challenges caused by the differences, including who must comply with the law (e.g., persons, businesses, information brokers, government entities, covered entities); definitions of “personal information” (e.g., first name or first initial and last name combined with a Social Security number, driver’s license or state ID, financial account numbers, or health information); what constitutes a breach (e.g., unauthorized acquisition of data or access to data, risk of harm); requirements for notice (e.g., timing or method of notice and who must be notified); whether notification of a state regulator (e.g., attorney general’s office) is required; and exemptions (e.g., for encrypted information). We have created a chart describing each law as well as a chart summarizing key issues. Separate and apart from these laws, eight states—California, Connecticut, Maine, New Hampshire, Ohio, Rhode Island, Vermont, Washington, and Wisconsin—have breach notification requirements that specifically apply to insurers. These breach notification requirements also vary and are discussed in detail below.
Read more on BakerHostetler Data Privacy Monitor.