Multitude of State Breach Notification Laws Creates Compliance Challenges

Share Article

Companies of all sizes face compliance challenges under a multitude of state data breach notification laws. Scott & Scott, LLP, an intellectual property and technology law firm, with a practice area focus on security and privacy releases a State Data Breach Notification Laws Chart and suggests modeling response to the most restrictive and onerous of the state laws.

Robert J. Scott, Managing Partner, Scott & Scott, LLP

The multitude of state data breach notification laws creates technical compliance challenges.

Currently 46 states and the District of Columbia have enacted some version of consumer data breach notification requirements. The disparate environment makes compliance under evolving and sometimes divergent state notification rules challenging for organizations that find themselves cleaning up data breach.

“It especially creates a heavy burden for small-to-mid sized businesses operating in multiple states, said Robert J. Scott, Managing Partner, of Scott & Scott, LLP, an intellectual property and technology law firm, with a practice area focus on privacy and security. We created a State Data Breach Notification Laws chart as a handy resource that highlights the differences between the various state laws”.

Nevertheless, there is some commonality among the state laws. In general, the laws address the following issues related to data breach notification: 1) timing; 2) civil/criminal penalties; 3) private rights of action; 4) safe harbors; 5) exemptions for law enforcement efforts, and 6) whether materiality of breach should be considered.

No one category of issue is addressed in any standardized way among the states. The basic timing requirement for notification varies from “no more than 7 business days after investigation concludes” in the Maine statute to the vague “without unreasonable delay” in several states to New Hampshire’s “as soon as possible”.

When trying to comply to a multitude of state rules, generally a good approach is a conservative one by modeling your response to comply with the most restrictive of the state data breach laws.

“Before deciding on any course of action, carefully consider the nature of the breach, the number of potentially affected individuals, and the states in which those individuals reside”, continued Scott.

A downloadable copy of Scott & Scott, LLP’s state data breach chart is available at:

About Scott & Scott, LLP:
Scott & Scott is an international law and technology services firm dedicated to helping senior executives assess and reduce the legal, financial, and regulatory risks associated with information technology issues. An innovative approach to legal services, Scott & Scott believes that collaboration between legal and technology professionals is necessary to solve and defend against the complex problems our clients face, including privacy and network security, IT asset management, software license compliance, and IT transactions. Legal and technology professionals work in tandem to provide full-service representation. By combining these resources, Scott & Scott is better able to serve clients' needs than law firms and technology services firms working independently of one another. Visit Scott & Scott online at

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Anita Scott
Visit website