Although 46 states, the District of Columbia and Puerto Rico have passed laws requiring consumer notification in the event of a security breach of personal information, recent large-scale and publicized breaches continue to make data security a top legislative agenda item in statehouses across the country. Of the 15 data breach proposals introduced by state legislators this year, two have been signed into law.
In Vermont, the state legislature passed a new law that requires entities to notify the state attorney general’s office within 14 days of a security breach, unless the data collector has affirmed with the attorney general’s office that a written data security plan is in place and the organization can comply with breach notification requirements. In addition, the Vermont law would require that a consumer be notified of the incident in general terms; alerted to the types of information exposed; provided with a toll-free number to call for guidance; given advice about credit monitoring; and provided with the date of the breach and its discovery by the business within 45 days. The Connecticut legislature also passed a new data breach law that requires companies to notify the state attorney general’s office of a security breach before a notice is sent to consumers.
Congress is also considering data breach notification proposals. In the Senate, several members have signaled their intent to offer data breach notification amendments when the chamber considers cybersecurity legislation.
However, there are a number of hurdles that lawmakers must address before they can move forward. First, the large number of congressional committees that have jurisdiction over the issue has led to turf battles. Also, it has been difficult for Congress to settle on a standard that would effectively preempt the current patchwork of state laws.