Memo #
21609

Updated Summary Of State Breach Laws


 

September 18, 2007

TO: COMPLIANCE ADVISORY COMMITTEE No. 19-07
CLOSED-END INVESTMENT COMPANY COMMITTEE No. 32-07
UNIT INVESTMENT TRUST COMMITTEE No. 8-07
INVESTMENT ADVISERS COMMITTEE No. 17-07
PRIVACY ISSUES WORKING GROUP No. 9-07
SMALL FUNDS COMMITTEE No. 34-07
OPERATIONS COMMITTEE No. 21-07
TRANSFER AGENT ADVISORY COMMITTEE No. 58-07

RE: UPDATED SUMMARY OF STATE BREACH LAWS

 

As you may recall, in 2003, California passed the first law requiring businesses to notify consumers of certain breaches involving the security of their personal information. Since California enacted its law, approximately forty other states have enacted similar laws. [1] Significantly, no two of these laws are identical. The law firm of Alston & Bird has provided the Institute an updated chart summarizing the laws of each state that has enacted a law relating to notification of a breach. For ease of use, the chart compares each state’s law to California’s law in each of the following areas:

  • Effective date;
  • Entities covered by the law;
  • Format of data covered by the law (e.g., computerized data, written documents);
  • The personal information (data) covered by the law;
  • Any obligations to protect data maintained by a covered entity;
  • What triggers an entity having to send a notice;
  • The timing of sending a notice;
  • Which, if any, third parties must be notified of the breach;
  • The authorities charged with enforcing the law;
  • Any safe harbors provided to entities;
  • Whether the state’s law preempts the laws of any local government entities; and
  • Any miscellaneous additional provisions.

The information in the chart is current as of September 2007.

We hope you find this information useful as you navigate the maze of state laws in this area.

 

Tamara K. Salmon
Senior Associate Counsel

Attachment

endnotes

[1] See Institute Memorandum to Compliance Advisory Committee No. 81-02, Investment Adviser Associate members No. 24-02, Investment Adviser Members No. 40-02, Privacy Issues Working Group No. 6-02, SEC Rules Members No. 84-02, and Small Funds Members No. 40-02 [15222], dated October 2, 2002, which summarizes California’s law. In 2005, the Institute published two additional memos summarizing breach laws enacted by approximately thirty additional states. See Institute Memorandum to Closed-End Investment Company Members No. 33-05, Compliance Members No. 3-05, Operations Members No. 9-05, Privacy Issues Working Group No. 2-05, SEC Rules Members No. 71-05, and Small Funds Members No. 51-05 [18895], dated May 26, 2005, and to Closed-End Investment Company Members No. 51-05, Compliance Members No. 18-05, Operations Members No. 14-05, Privacy Issues Working Group No. 4-05, SEC Rules Members No. 107-05, and Small Funds Members No. 82-05 [19200], dated September 28, 2005.