The IT Law Wiki


Data breach notification laws typically require covered entities to implement a data breach notification policy, and include requirements for incident reporting and handling and external breach notification. Data breach notification laws typically cover personally identifiable information or individually identifiable information.

Federal laws

No single federal law or regulation governs the security of all types of sensitive personal information. Determining which federal law, regulation, and guidance is applicable depends in part on the entity or sector that collected the information, and the type of information collected and regulated. Under federal law certain sectors are legally obligated to protect certain types of sensitive personal information. These obligations were created, in large part, when federal privacy legislation was enacted in the credit, financial services, health care, government, securities, and Internet sectors. Federal regulations were issued to require certain entities to implement information security programs and provide breach notice to affected persons.

Federal law and federal guidance require federal agencies that collect sensitive personal information to implement enhanced information security programs and provide notice to persons affected by data security breaches. The Veterans Affairs Information Security Act of 2006 was enacted to prevent and respond to data breaches in the Department of Veterans Affairs.

The 2007 Office of Management and Budget memorandum on "Safeguarding Against and Responding to the Breach of Personally Identifiable Information" requires all federal agencies to implement a breach notification policy to safeguard personally identifiable information.

In August 2009, the Department of Health and Human Services (HHS) issued interim final breach notification regulations to implement Section 13402 of the Health Information Technology for Economic and Clinical Health Act (HITECH Act); they apply to breaches of protected health information occurring on or after September 23, 2009.[1]

In 2009, the Federal Trade Commission issued a final rule pursuant to Section 13407 of the HITECH Act requiring certain web-based businesses to notify consumers when the security of their electronic health information is breached.[2] The FTC rule applies to both vendors of personal health records — which provide online repositories that people can use to keep track of their health information — and entities that offer third-party applications for personal health records.

Additional federal laws that may require data breach notification include the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and the Family Educational Rights and Privacy Act (FERPA).

State laws

In the absence of a comprehensive federal data breach notification law, the majority of states have passed bills to require businesses and/or government agencies to notify persons affected by breaches involving their sensitive personal information, and in some cases to implement information security programs to protect the security, confidentiality, and integrity of data.[3] As of November 13, 2015, 47 states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.[4]

State laws vary across the following dimensions: 1) kinds of personally identifiable information (PII) that trigger notification requirements; 2) time in which notification is required; 3) how certain a company must be that PII was breached; 4) content of the breach notice; 5) method of notice; 6) whether notice must be given to parties other than affected customers; and 7) method of enforcement.[5]

Several states have reportedly considered legislation to hold retailers liable for third-party companies' costs arising from data breaches (California, Connecticut, Illinois, Massachusetts, Minnesota, New Jersey, Texas, and Wisconsin).[6] Many states provide a safe harbor for an entity that is regulated by state or federal law and maintains procedures pursuant to such laws, rules, regulations, or guidelines. Reportedly 29 states impose similar duties on the public and private sectors, 14 states do not, and Oklahoma's law applies only to the public sector.[7]

Numerous data breaches and computer intrusions have been disclosed by the nation's largest data brokers, retailers, educational institutions, government agencies, health care entities, financial institutions, and Internet businesses. The Privacy Rights Clearinghouse chronicles such breaches and reports that over 345 million records containing sensitive personal information were involved in security breaches in the U.S. since January 2005.[8] From February 2005 to December 2006, 100 million personal records were reportedly lost or exposed.[9]

In 2006 the personal data of 26.5 million veterans was breached when a VA employee's hard drive was stolen from his home. In 2007 the retailer TJX Companies revealed that 46.2 million credit and debit cards may have been compromised during the breach of its computer network by unauthorized individuals.[10] In 2008 the Hannaford supermarket chain revealed that approximately 4 million debit and credit card numbers were compromised when Hannaford's computer systems were illegally accessed while the cards were being authorized for purchase; 1,800 cases of fraud were reported in connection with the intrusion. In 2009, personal information held by Health Net on almost half a million Connecticut residents, and 1.5 million patients nationally (including patients in Arizona, New Jersey, and New York), was breached.[11] The information had been compressed, but not encrypted.

Responses to data breaches

Data breaches involving sensitive personal information may result in identity theft and financial crimes (e.g., credit card fraud, phone or utilities fraud, bank fraud, mortgage fraud, employment-related fraud, government documents or benefits fraud, loan fraud, and health-care fraud).

These public disclosures have heightened interest in: the security of sensitive personal information;[12] the security of computer systems; the applicability of federal laws to the protection of sensitive personal information; the adequacy of enforcement tools available to law enforcement officials and federal regulators; the business and regulation of data brokers;[13] the liability of retailers, credit card issuers, payment processors, banks, and furnishers of credit reports for costs arising from data breaches; the remedies available to individuals whose personal information was accessed without authorization;[14] the prosecution of identity theft crimes related to data breaches; and the criminal liability of persons responsible for unauthorized access to computer systems.[15]

References

1. Subpart D, Notification in the Case of Breach of Unsecured Protected Health Information, 45 C.F.R. Part 164.400 et seq.
2. Federal Trade Commission, Health Breach Notification Rule, 16 C.F.R. §318.
3. See Consumers Union, Notice of Security Breach State Laws (full-text).
4. See State security breach notification laws.
5. Cyber Security Task Force: Public-Private Information Sharing, at 19 (endnote 30).
6. See Timothy P. Tobin, "In Response To TJX Data Breach, One State Enacts Legislation Imposing New Security and Liability Obligations; Similar Bills Pending in Five Other States" (full-text). The Minnesota bill was signed into law on May 21, 2007. 2007 Minn. Laws Ch. 108, H.F. 1758.
7. A. Michael Froomkin, "Government Data Breaches," Univ. of Miami Legal Studies Res. Paper No. 2009-20, text accompanying notes 53-56 (full-text).
8. Privacy Rights Clearinghouse, "A Chronology of Data Breaches" (full-text).
9. Tom Zeller, "An Ominous Milestone: 100 Million Data Leaks," N.Y. Times, Dec. 18, 2006, at C3.
10. U.S. Securities and Exchange Commission, Form 10-K Annual Report: The TJX Cos., Inc. (full-text). See also In re TJX Companies.
11. According to the Privacy Rights Clearinghouse, Connecticut Attorney General Richard Blumenthal sued Health Net of Connecticut for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees and for failing to promptly notify consumers exposed by the security breach. The AG sought a court order blocking Health Net from continued violations of HIPAA by requiring that any protected health information contained on a portable electronic device be encrypted. This case marks the first action by a state attorney general involving violations of HIPAA since the Health Information Technology for Economic and Clinical Health Act (HITECH Act), which authorized state attorneys general to enforce HIPAA.
12. "Data Privacy Expected To Be High Priority for House Commerce Panel," BNA E-Commerce L. Daily, Jan. 15, 2010.
13. See Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data, at 56.
14. See Federal Laws Related to Identity Theft.
15. See Cybercrime: An Overview of the Federal Computer Fraud and Abuse Statute and Related Federal Criminal Laws.
