Navigant's Cyber Risk and Information Security PracticeLearn More


State Breach Reporting Requirements29 June 2017

Risk Management

Data breaches and security incidents are being reported daily from organizations across all industries and geographical locations. We hear of high profile breaches on the news and on social media that outline how the breach occurred and who is affected. However, the steps the breached organization must take to report the incident are often not mentioned. Unfortunately for executives, there is not a federal government standard for data breach reporting. Instead, the individual states are left to determine what constitutes as a breach, when, and how it should be reported to both the attorney general and the affected citizens. To further complicate the matter, the breached organization must follow the state reporting requirements based on the affected parties, not just the state they reside. This month, New Mexico joins the list of 47 states and 3 U.S. territories that have their own set of data breach reporting requirements. While this may seem like another state law being implemented, it is important to acknowledge what these breach notification laws mean for you and for your organization.

The state breach notification laws define when a breach needs to be reported, who should be notified of the breach, methods of notification, details of what the notification must include for some states, and any violations. You may be thinking, “My organization has not had a breach, why would I need to know about these laws?” These laws are not just for organizations and people who have been impacted by a security breach, but for every organization handling Personal Identifiable Information (PII) such as an employee/customer’s name, social security number, date and place of birth, biometric records, and any other unique identifier. The individual states can also determine what types of data constitutes as PII, making it increasingly important to know the requirements for the states where your employees and customers reside. While there are many steps organizations can take to mitigate the risk of a breach, there is no way to guarantee that your organization will not be compromised. A key component of cyber security awareness is preparing for the event of a security breach within your organization.

The main items to identify and manage within the state reporting requirements include:

  • What information is considered PII?
  • When is an incident considered a breach (how many records must be compromised)?
  • Who to notify of a breach?
  • How quickly must the notifications be sent (to employees, customers, and the authorities)?

In the event a security breach, the first things executives typically want to know is what information was exposed and how did it happen? The last thing they want to think about is the process of notifying the proper parties that their organization suffered from a breach. However, this is one of the most crucial components of any incident response procedure. Make sure your organization is equipped with a comprehensive incident response plan and that your executive team routinely rehearses these procedures. Knowing what the timeline is to notify affected parties will keep you one step ahead for reporting your security breach.

Please reach out to COMPASS for data breach reporting guides for each of the 48 states and 3 U.S. territories.

Work With Us Learn How