Messy white jigsaw puzzle piecesIt’s once again time for a summary round-up for the puzzling array of state PII breach notification laws.

Back in 2002, California enacted the first state law mandating notification of individuals whose personally identifiable information (PII) is breached.  By 2018 every state had followed suit, along with the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands.  Each state has its own unique approach, and the states continue to expand their requirements, especially their definitions of what constitutes PII and the timing and content of mandated notifications (bold text below reflects changes since 2018).

These laws are triggered by the affected individuals’ residency, not where the breach occurred. So, when a business with employees and customers in many states suffers a data breach, it must comply with a wide variety of conflicting and evolving state breach notification laws. 

Scope of PII

State PII breach notification laws generally apply to a state resident’s name combined with another identifier useful for traditional identity theft, such as the individual’s Social Security number, driver’s or state identification number, or financial account number with access information. But an ever-growing number of states include other combination elements in their PII definition:
Continue Reading The Puzzle of State PII Breach Notification Statutes