With the recent enactment of data breach notification laws in
South Dakota and Alabama, all 50 US states now have laws regulating
data breach notification. We've updated the Mintz Matrix (maintained by the
Mintz Privacy Team for nearly 10 years) to provide you with the
latest information.
Managing the differing requirements remains a challenge, and
points to the need for updated incident response plans.
As an example, the chart below outlines the different
timelines for notification. The Mintz Matrix contains
information on all of these, and more.
Breach Notification Timeline

| Time After Discovery of Breach | Action Required |
| --- | --- |
| 10 Calendar Days | Puerto Rico Department of Consumer Affairs |
| 14 Business Days | Vermont AG preliminary notification |
| 15 Business Days | California residents, California AG, and California Department of Public Health must be notified of the disclosure of PHI by a clinic, health facility, home health agency, or hospice licensed by the California Department of Public Health ("CDPH") |
| 30 Calendar Days | Florida residents, AG (500+ residents) (Can request 15 day extension) (60 Days for PHI/HIPAA incidents) |
| 30 Calendar Days | Indiana AG will open an investigation if not notified within 30 days |
| 45 Calendar Days | Ohio residents |
| 45 Calendar Days | Tennessee residents (60 Days for PHI/HIPAA incidents) |
| 45 Calendar Days | Vermont residents, AG |
| 45 Calendar Days | Washington residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents) |
| 45 Calendar Days | Wisconsin residents (60 Days for PHI/HIPAA incidents) |
| 45 Calendar Days | New Mexico residents, AG (500+ residents) |
| 45 Calendar Days | Maryland residents (60 Days for PHI/HIPAA incidents) |
| 60 Calendar Days | Individuals and HHS OCR for PHI disclosure |
| 60 Calendar Days | Delaware (effective 4/14/18), AG (500+ residents) |
| 90 Calendar Days | Connecticut residents (60 days for PHI/HIPAA incidents) |
| Most expedient time and without unreasonable delay | AK, AZ, AR, CA (other than as noted above), CO, DE (until 4/14/18), DC, GA, HI, ID, IL, IA, KS, KY, ME, MA, MI, MN, MS, MO, MT, NV, NJ, NY, NC, ND, OK, OR, PA, PR, SC, UT, VA, WV, WY |
| As soon as possible | NE, NH, TX |

| Days After Confirmation of Breach | Action Required |
| --- | --- |
| 45 Calendar Days | Rhode Island residents, AG (500+ residents) (60 Days for PHI/HIPAA incidents) |