What are Data Breach Notification Laws?

by John DiGiacomo

Partner

Data Breach

What are data breach notification laws? Many people have heard about, or have themselves been potentially victimized by, a data breach. Your credit card information might have been hacked, or your personal identifying information might have been exposed in a data security breach. But many people do not realize that there are legal protections in place that require businesses and governments to notify potential victims when there is a data security breach.

What Are Data Breach Notification Laws?

At present, there are a few national standards in place regarding data breach notification of potential victims, but federal laws are limited at this time to financial institutions (the Gramm-Leach-Bliley Act, 15 U.S.C. Section 6801, et seq., which requires notification when nonpublic personal information of a consumer is breached) and the healthcare industry (the Health Insurance Portability and Accountability Act, 45 CFR Sections 106.103, 164.400-414, and 42 U.S.C. Section 1320d, et seq., which requires notification when a patient’s protected health information is breached).

Laws Vary From State to State

Data breach notification laws vary from state to state. However, as a general rule, these laws follow a typical format. Data breach notification laws typically:

  • Outline who the law applies to (i.e., private entities, government entities, educational institutions, etc.). Oftentimes, data breach notification laws apply to government entities, private entities, and educational institutions.
  • Provide a definition as to what is personal information for the purposes of the notification law. In most states, “personal information” includes data such as a person’s first and last name, Social Security number, driver’s license number, state-issued identification card number, account number, credit card or debit card number and security code, access code, or PIN necessary to access the account, credit card or debit card.
  • Provide an explanation of what constitutes a data security breach. Typically, a data security breach involves an unauthorized breach of the security of a system that results in access to personal information. The specific definition associated with breach notification laws can vary greatly by state.
  • Include details concerning what is required for compliance with the data breach notification law. Examples include identification of the timeframe in which notifications must be made, whether the notification must be made in writing, and specific information that must be included in the data breach notification.
  • Identify any exemptions to the data breach notification laws. In some states, if data is encrypted it might be exempt from state data breach notification laws.
  • Address the penalties associated with a failure to comply with the law. Each state identifies the penalties associated with a failure to comply with the state’s breach notification laws.

Talk to a Data Breach Lawyer

Cybersecurity as an area of law is constantly changing and evolving. Revision Legal has worked with a number of businesses in assessing data retention risks and providing legal counsel on data security breach notifications in all 50 states. If you have concerns about your exposure or have recently received a data breach notification, contact the experienced attorneys at Revision Legal straightaway. Civil fines are available in some states for a failure to expeditiously notify those affected by breaches. Contact Revision Legal’s internet lawyers using the form on this page or call us at 855-473-8474.

Image credit to Flickr user Jim Kaskade.
