[22833]
August 29, 2008
TO: COMPLIANCE ADVISORY COMMITTEE No. 14-08PRIVACY ISSUES WORKING GROUP No. 9-08 RE: UPDATED CHART SUMMARIZING STATE SECURITY BREACH NOTIFICATION LAWS
Attached is a copy of the most recent chart published by DLA Piper summarizing those state laws that require notification of security breaches. This version includes information on the approximately forty-five jurisdictions, including Puerto Rico, the U.S. Virgin Islands, and New York City [1], that have enacted breach notification laws. The chart compares each such jurisdiction’s law to California’s law that, in 2003, was the first such law enacted.
Item 10 in this chart lists any safe harbors from the states’ requirements. In the event the SEC adopts its proposed amendments to Regulation S-P that impose a federal breach notice requirement, [2] several states’ safe harbors (e.g., Colorado) would permit SEC registrants to comply with the SEC’s requirements in lieu of the state-specific requirements.
Tamara K. Salmon
Senior Associate Counsel
endnotes
[1] New York City’s requirements only apply to entities licensed by the City’s Department of Consumer Affairs, which does not include mutual funds, investment advisers, and broker-dealers.
[2] See ICI Memorandum No. 22305, dated March 7, 2008, summarizing the SEC’s proposed amendments to Reg. S-P.