United States:
Mintz Matrix Updated – Data Breach Laws in All 50 States
With the recent enactment of data breach notification laws in
South Dakota and Alabama, all 50 US states now have laws regulating
data breach notification. We've updated the Mintz Matrix (maintained by the
Mintz Privacy Team for nearly 10 years) to provide you with the
latest information.
Managing the differing requirements remains a challenge, and
points to the need for updated incident response plans.
As an example, the chart below outlines the different
timelines for notification. The Mintz Matrix contains
information on all of these, and more.
Breach Notification Timeline

| Time After Discovery of Breach | Action Required |
| --- | --- |
| 10 Calendar Days | Puerto Rico Department of Consumer Affairs |
| 14 Business Days | Vermont AG preliminary notification |
| 15 Business Days | California residents, California AG, and California Department of Public Health must be notified of the disclosure of PHI by a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health ("CDPH") |
| 30 Calendar Days | Florida residents, AG (500+ residents) (Can request 15 day extension) (60 Days for PHI/HIPAA incidents); Indiana AG will open an investigation if not notified within 30 days |
| 45 Calendar Days | Ohio residents; Tennessee residents (60 Days for PHI/HIPAA incidents); Vermont residents, AG; Washington residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents); Wisconsin residents (60 Days for PHI/HIPAA incidents); New Mexico residents, AG (500+ residents); Maryland residents (60 Days for PHI/HIPAA incidents) |
| 60 Calendar Days | Individuals and HHS OCR for PHI disclosure; Delaware (effective 4/14/18), AG (500+ residents) |
| 90 Calendar Days | Connecticut residents (60 days for PHI/HIPAA incidents) |
| Most expedient time and without unreasonable delay | AK, AZ, AR, CA (other than as noted above), CO, DE (until 4/14/18), DC, GA, HI, ID, IL, IA, KS, KY, ME, MA, MI, MN, MS, MO, MT, NV, NJ, NY, NC, ND, OK, OR, PA, PR, SC, UT, VA, WV, WY |
| As soon as possible | |

| Days After Confirmation of Breach | Action Required |
| --- | --- |
| 45 Calendar Days | Rhode Island residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents) |
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.