Removing Barriers Blog

States Seek to Strengthen Data Breach Notification Laws
Posted January 27, 2017 by CUNA Advocacy

In response to well-publicized data breaches, state lawmakers are considering legislation that would strengthen existing data breach notification laws. Recently, legislators in Connecticut, Georgia and Oklahoma have introduced legislation that imposes new notification requirements in the event of breaches.

In Connecticut, H 6708 would require those who store personal information to notify the police when breaches occur. Current law only requires notification to those who have been compromised. Georgia legislation, H 82, would require notification when personal information is released to unauthorized persons whether it was released intentionally, inadvertently, or accidentally. Oklahoma’s bill, S 614, would require retailers to notify each financial institution that issued a credit or debit card that was compromised in a breach. Also, violations of the provisions of Oklahoma’s Data Breach Notification Act could lead to damages for the costs of reissuing cards, stopping payments, closing accounts and notifying customers.

Data breach notification requirements are in the statutes of 47 states, leaving Alabama, New Mexico, and South Dakota as the only three states that currently do not have data breach notification laws. A notification bill is currently pending in New Mexico, however. State notification laws typically cover: who is required to comply with the law; what constitutes “personal information”; what is considered a breach; what the requirements for notice are; and any exemptions from the law.