The law firm of Mintz Levin has produced a report listing data breach notification laws in the United States as of June 1, 2012. The report gives details by state and also covers the District of Columbia, Puerto Rico, and the U.S. Virgin Islands. Typically, breach notification laws include:
- Description of the personal information that must be protected
- List of the businesses, organizations, and state/local agencies that must comply with the state's breach notification law
- Process for the timing, content, and distribution of a breach notification
- Any exceptions to the law (e.g., encrypted files)
- Other provisions and applicable state laws
- Penalties for violations
- Whether breach victims (e.g., state residents) can sue, and if so against whom
Four states do not have any breach notification laws:
- New Mexico
- South Dakota
If you live in one of these states, contact your elected officials and demand that your state pass a breach notification law. When companies or government agencies lose consumers' sensitive personal information or have it stolen, you need to know so that you can protect yourself.
The report is also available here (Adobe PDF, 469 k bytes).