CSO Disclosure Series | Data Breach Notification Laws, State By State

Five years after California's landmark SB 1386, our interactive map shows you which 38 states have passed laws requiring companies to notify consumers whose personal information has been compromised. Part of an in-depth series about disclosing security breaches.


READER FEEDBACK
Anonymous
Mon, 2008-03-31 16:57

This is a fantastic article and valuable resource. Thank you.

Benjamin Wright
Mon, 2008-03-31 17:50

These breach notice laws are out of control. It is irresponsible for law and legal practice to bury consumers with an excessive number of data breach notices.

Anonymous
Tue, 2008-04-01 13:54

So I know we are not a state at all, but as a DC resident, it would be nice to have some information. I mean, we are more than just a source of federal laws, we do have local laws. More of us live here than people in Wyoming, so why don't you cover them up with a flag.

Anonymous
Wed, 2008-04-09 22:35

Outstanding reading thank you

Rae
Wed, 2008-04-16 15:46

I refer to this site with some frequency but was dismayed today to read an article that states 42 states now have data breach notification laws on their books but this site hasn't been updated to reflect that. How often will this site be updated and can I rely on it for up-to-date information? Additional states (or district) per the article that cites the National Conference of State Legislatures are: District of Columbia, South Carolina, Virginia, West Virginia

Rae
Mon, 2008-08-04 20:41

Now 43 states as of June 2008.

Mak
Fri, 2008-09-05 19:38

Actually, at least 44 States, D.C. and Puerto Rico have enacted laws as of 06/2008. Read more current info @ the National Conference of State Legislatures' website. http://www.ncsl.org/programs/lis/CIP/priv/breach.htm

Doug
Mon, 2008-10-27 17:12

New Hampshire DOES have an exemption for encrypted data. It is hard to find though:
http://www.gencourt.state.nh.us/rsa/html/NHTOC/NHTOC-XXXI-359-C.htm

It is in the _second_ section of definitions (Section 359-C:19 Definitions) where it defines "Personal information" as "an individual's first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number..."

Therefore, if your name and SSN are encrypted, they are no longer Personal Information, according to this statute.

Steve
Mon, 2009-01-12 14:55

Scenario question: Your business is licensed in Delaware but you have a satellite office in Maryland. A breach occurs regarding information in the Maryland location--do you follow the law based on where the incident occurred or where your business is licensed?

Missouri
Thu, 2009-01-22 16:29

This just went through its first reading in the Missouri State Senate...it is about the 4th attempt to get something on the books here in Missouri.

SB 207–By Rupp.

An Act to amend chapter 407, RSMo, by adding thereto one new section relating to data security breaches.

http://www.senate.mo.gov/09info/BTS_Web/Bill.aspx?SessionType=R&BillID=561081

SB 207 - This act requires companies that own or license personal information about Missouri residents to notify the affected individuals if the company discovers that security of the personal information has been breached. The notification must be made without unreasonable delay, but may be delayed by a law enforcement agency if the notification would compromise an investigation or homeland security.

Certain pieces of information must be included in the notification, such as the approximate date of the breach, the type of personal information compromised, the steps being taken to protect further breaches, and certain advice and contact information.

The act provides an exception to the notification requirements if it is determined that no reasonable likelihood of financial harm could result to any affected consumer from the breach.

Notification to affected consumers of a breach may be made in writing, via e-mail, or by telephone. In cases when the cost of notifying would exceed $250,000, when there are over 500,000 affected people to notify, when the company does not have sufficient contact information, or if the company cannot determine which consumers are affected by a breach, the company may use alternate notification procedures as described.

Companies shall notify the Attorney General in cases where the personal information of over 1,000 Missourians has been breached.

Companies that maintain their own notification procedures for security breaches that are consistent with this act shall be deemed in compliance with this act if they follow their procedures. Similarly, if a company maintains procedures for security breaches under another state's laws or federal law, and it follows those procedures, the company shall be deemed in compliance with this act.

The Attorney General may bring action for actual damages for willful and knowing violations of this act as well as may seek a civil penalty of up to $150,000 per security breach.
