At the present time, this state does not have statutes regulating breach reporting and consumer notification. Bills to pass these laws have been or are currently in state legislation for review and approval. Businesses, individuals, and/or agencies should be prepared to comply with the statutes should they pass.
Readers should be aware, however, that breach reporting laws don’t only apply to the location of the business, they apply to the location of the customer or consumer. This is known as “long reach.”
- In 47 other states and District of Columbia, their statutes indicate that if a business maintains, stores, or collects personal information from a resident of their state, and owns or licenses that information (data owner), that business is responsible to comply with the laws of the resident’s state when completing breach reporting and consumer notification.
- Furthermore, if a business maintains, stores, or collects any data with personal information and does not own or license the information (vendor), the vendor must report the breach to the Data Owner. The Data Owner is responsible to complete the breach reporting and consumer notification (with very limited exception).
- Multiple states, such as Massachusetts, also demand that if a data owner or vendor has personal information for a resident of their state, that business must maintain a comprehensive information security program and appoint a one or more employees to maintain it.
Additionally, although this state may not have consumer notifications laws, readers should note that it may have personal information data protection laws. This could entail:
- redaction of social security numbers or credit and debit card numbers,
- proper disposal of personal information such as shredding,
- specific laws for specialized industries such as medical, insurance, and financial institutions, or
- record retention requirements involving personal information.
Failure to comply with any of the above requirements could result in heavy monetary penalties, civil action by the state attorney general or affected residents/consumers, enjoinment, etc.
Finally, recognize that although the state may not have mandatory requirements for breach reporting, Federal agencies, industrial regulators such as the Payment Card Industry, consumer reporting agencies, and/or other entities may require reporting and notifications.