Study Guide: Certified Information Privacy Professional (CIPP): US - Data Breach Notification Laws, State-by-State Requirements, Harm Thresholds
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-data-breach-notification-laws-statebystate-requirements-harm-thresholds


By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP/US – Data Breach Notification Laws (State-by-State Requirements & Harm Thresholds)


What This Is

Data breach notification laws require organizations to tell affected individuals (and often regulators) when personal information is accessed, disclosed, or acquired by an unauthorized party. The rules differ by state—some set a harm threshold (the breach must be “likely to result in harm”) while others trigger notification regardless of harm. For a U.S.-based retailer that stores millions of California consumer records, failing to meet the state-specific deadline (often 30 days) can generate civil penalties of up to $2,500 per consumer per incident and trigger class-action exposure.


Key Terms & Provisions

  • Breach Notification – The statutory duty to inform affected individuals (and sometimes regulators) when personal data is compromised. Jurisdiction: All 50 states + D.C.; each law spells out timing, content, and who must be notified.
  • Harm Threshold – A statutory test asking whether the breach is “likely to result in identity theft, fraud, or other substantial harm.” Jurisdiction: CA, NY, TX, WA, MI, etc. If the threshold is not met, many states allow a “low-risk” exemption.
  • Reasonable Security Measures – The baseline of technical and organizational safeguards an entity must have in place to avoid a breach. Jurisdiction: HIPAA, state statutes (e.g., CA SB 1386). Failure to implement can be deemed negligence.
  • Attorney General (AG) Notification – A requirement to alert the state AG (or a designated agency) when a breach affects more than a statutory number of residents (often 500). Jurisdiction: CA, NY, FL, TX, etc.
  • Consumer (Individual) Notification – Direct notice to affected persons, usually via mail, email, or a free credit-monitoring offer. Typical deadline: 30 days after discovery (CA, NY, WA).
  • HIPAA Breach Notification Rule – Mandates covered entities and business associates to notify affected individuals, HHS, and the media (if >500 NY residents) within 60 days of discovery. Key point: “Unsecured protected health information (PHI)” triggers the rule.
  • California Consumer Privacy Act (CCPA/CPRA) – “Data Breach” Definition – A breach is a “security incident” that results in the acquisition of personal information by an unauthorized person. Implication: Even encrypted data that is “readily accessible” can trigger notification.
  • Massachusetts 201 CMR 17.00 – Requires notification to the state regulator (Office of Consumer Affairs & Business Regulation) within 30 days of a breach affecting Massachusetts residents.
  • Illinois Biometric Information Privacy Act (BIPA) – “Data Breach” – No specific breach-notification statute, but courts have applied the CCPA-style notice requirement via case law (e.g., Rogers v. BNSF).
  • “Low-Risk” Exemption – Some states (e.g., CA, WA) let you avoid consumer notice if you can demonstrate that the compromised data is encrypted, password-protected, or otherwise rendered unusable.
  • “Triggering Event” – The moment a breach is discovered (not when it occurs). All statutes start the clock from discovery, not from the date of the intrusion.

Step-by-Step / Process Flow

  1. Detect & Contain – Confirm the incident, isolate affected systems, and preserve evidence (forensic images, logs).
  2. Assess Harm Threshold – Compare compromised data against the state-specific “likely to result in harm” test (e.g., SSN, driver’s license, health data).
  3. Determine Notification Obligations
     • If 500 or more residents are affected – prepare Attorney General notice (state-specific form).
     • If fewer than 500 are affected but the harm threshold is met – prepare consumer notice (30-day deadline).
     • If the low-risk exemption applies – document the justification; no consumer notice is required.
  4. Draft & Send Notices – Follow statutory content requirements (description of breach, types of data, steps to protect, contact info). Use plain language and provide free credit-monitoring if required.
  5. Document & Report – Keep a breach-response log, file any required regulator reports (e.g., HHS OCR for HIPAA, state AG portals), and update internal policies.
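The decision points in the flow above (harm threshold, the 500-resident AG trigger, the low-risk exemption, and the clock running from discovery rather than intrusion) are easy to get wrong under pressure, so the following is a small triage helper that encodes them. It is an added example written for this guide, not code from Fatskills or from any statute: `StateRules`, `BreachRecord`, `NotificationPlan` and `assess` are hypothetical names, the default thresholds and deadlines are the generic figures the guide quotes and must be replaced per jurisdiction, and the reading that an exempt breach triggers neither consumer nor AG notice (and that AG notice depends on the harm test) is the example's own assumption, since the guide speaks only of consumer notice. The dates in `worked_scenarios` are constructed.

```python
"""Breach-notification triage helper (added example, not from the Fatskills guide).

Encodes the process-flow decision points as code. Thresholds and deadlines are
parameters with the guide's generic figures as defaults; they are not law.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Data elements the guide names as meeting the "likely to result in harm" test.
HARM_ELEMENTS = frozenset({"ssn", "drivers_license", "health_data"})


@dataclass(frozen=True)
class StateRules:
    """Per-jurisdiction parameters (hypothetical defaults; fill from statute)."""
    state: str
    ag_threshold: int = 500           # residents affected before AG notice is due
    consumer_deadline_days: int = 30  # counted from discovery, never intrusion
    ag_deadline_days: int = 30
    has_harm_threshold: bool = True   # False: every breach is notifiable
    low_risk_exemption: bool = True   # encrypted/unusable data can skip notice


@dataclass(frozen=True)
class BreachRecord:
    residents_affected: int
    data_elements: frozenset
    encrypted: bool
    key_compromised: bool
    discovery_date: date
    intrusion_date: date  # logged for the record; deadlines ignore it


@dataclass
class NotificationPlan:
    ag_notice_required: bool = False
    consumer_notice_required: bool = False
    low_risk_exemption_applied: bool = False
    ag_deadline: Optional[date] = None
    consumer_deadline: Optional[date] = None
    rationale: list = field(default_factory=list)  # feeds the breach-response log


def assess(record: BreachRecord, rules: StateRules) -> NotificationPlan:
    plan = NotificationPlan()
    # Step 2: harm threshold. A state without one treats every breach as harmful.
    harm_met = (not rules.has_harm_threshold) or bool(record.data_elements & HARM_ELEMENTS)
    plan.rationale.append(f"{rules.state}: harm threshold met = {harm_met}")

    # Low-risk exemption: data unusable *and* key intact (the guide's HIPAA point:
    # encryption with a compromised key does not qualify). Assumption: an exempt
    # breach triggers neither consumer nor AG notice; check the actual statute.
    exempt = rules.low_risk_exemption and record.encrypted and not record.key_compromised
    if exempt:
        plan.low_risk_exemption_applied = True
        plan.rationale.append("low-risk exemption: retain proof of encryption and key management")
        return plan
    if not harm_met:
        plan.rationale.append("below harm threshold: no notice required")
        return plan

    # Step 3: consumer notice, plus AG notice at or above the resident threshold.
    # Both deadlines run from the discovery date, not from intrusion_date.
    plan.consumer_notice_required = True
    plan.consumer_deadline = record.discovery_date + timedelta(days=rules.consumer_deadline_days)
    if record.residents_affected >= rules.ag_threshold:
        plan.ag_notice_required = True
        plan.ag_deadline = record.discovery_date + timedelta(days=rules.ag_deadline_days)
        plan.rationale.append(f"AG notice: {record.residents_affected} >= {rules.ag_threshold}")
    return plan


def worked_scenarios() -> dict:
    """The guide's three Quick Check scenarios, with constructed dates."""
    discovered, intruded = date(2024, 3, 1), date(2024, 2, 15)  # constructed
    texas = StateRules("TX", consumer_deadline_days=60, ag_deadline_days=60)  # per guide
    california = StateRules("CA")
    hipaa_ny = StateRules("NY/HIPAA", consumer_deadline_days=60)  # per guide
    return {
        "texas": assess(BreachRecord(800, frozenset({"drivers_license"}), False, False,
                                     discovered, intruded), texas),
        "california": assess(BreachRecord(2000, frozenset({"credit_card"}), True, False,
                                          discovered, intruded), california),
        "ny_hospital": assess(BreachRecord(300, frozenset({"health_data"}), False, False,
                                           discovered, intruded), hipaa_ny),
    }


if __name__ == "__main__":
    for name, plan in worked_scenarios().items():
        print(name, plan)
```

Running the module prints one plan per scenario; the `rationale` list is meant to be copied into the breach-response log described in the last step, since the low-risk exemption is only useful if the justification is retained.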

Common Mistakes

  • Mistake: Assuming “discovery” = “date of intrusion.” Correction: The clock starts when the organization first becomes aware of the breach. Document the discovery date precisely.
  • Mistake: Ignoring low-risk exemptions. Correction: Verify whether the data was encrypted, tokenized, or otherwise protected; if so, you can often skip consumer notice—but you must retain proof.
  • Mistake: Using a one-size-fits-all notice template. Correction: Each state has unique content rules (e.g., NY requires a toll-free number, WA requires a “risk-mitigation” statement). Tailor the notice per jurisdiction.
  • Mistake: Failing to notify the AG when the 500-resident threshold is crossed. Correction: Many organizations wait for a “final” count; instead, use a reasonable estimate and update the AG if the number later exceeds 500.
  • Mistake: Treating HIPAA breach notification as optional if encryption is used. Correction: HIPAA’s “unencrypted PHI” test is strict; if the PHI is encrypted and the encryption key is not compromised, the breach may be excluded, but you must document the encryption method and key management.

CIPP Exam Insights

  1. “Harm Threshold” vs. “No-Harm” Rule – Expect a question contrasting California’s “likely to result in harm” test with states that have no harm threshold (e.g., Nevada’s breach law).
  2. Attorney General vs. Consumer Notice Timing – Remember that AG notice is often 30 days (or 45 days in NY) after discovery, while consumer notice is 30 days in most states; HIPAA gives 60 days.
  3. Low-Risk Exemption Details – The exam may ask which data elements automatically satisfy the low-risk exemption (e.g., encrypted SSN). Answer: encrypted, password-protected, or otherwise rendered unreadable.
  4. Cross-State Coordination – A multi-state breach may trigger multiple AG notifications; the “most stringent” rule does not apply—each state’s threshold must be evaluated separately.

Quick Check Questions

  1. Scenario: A Texas-based SaaS provider discovers that an unencrypted CSV containing 800 Texas residents’ driver’s licenses was accessed by an external hacker.
     Answer: The provider must notify the Texas Attorney General (800 exceeds the 500-resident trigger) and also send consumer notices because the data (driver’s license) meets the “likely to result in harm” test.
     Explanation: Texas law (Tex. Bus. & Com. Code § 521.053) requires AG notice within 60 days and consumer notice within 60 days when the harm threshold is met.

  2. Scenario: A California retailer experiences a breach of encrypted credit-card data (PCI DSS encrypted) affecting 2,000 customers.
     Answer: No consumer notice is required because the data is encrypted, satisfying California’s low-risk exemption; however, the retailer must still assess whether the encryption meets the statutory definition and document it.
     Explanation: CA SB 1386 allows the exemption when data is “readily identifiable” only after decryption.

  3. Scenario: A New York hospital (HIPAA covered entity) discovers that a business associate’s unencrypted laptop containing PHI was stolen. The breach involves 300 NY residents.
     Answer: The hospital must notify the affected individuals within 60 days and report to HHS OCR within 60 days; notice to the New York AG is not required under NY law because only 300 NY residents are affected, below the 500 threshold.
     Explanation: HIPAA’s breach rule applies; NY’s AG notice triggers only at 500+ residents.

Last-Minute Cram Sheet (10 One-Liners)

  1. California (SB 1386/CCPA): 30-day consumer notice if “likely to result in harm”; low-risk exemption if data is encrypted or password-protected.
  2. Massachusetts 201 CMR 17.00: 30-day notice to state regulator and affected residents; no harm threshold—any breach triggers notice.
  3. New York (NYPA 2020): 60-day consumer notice; AG notice required only when 500 NY residents are affected.
  4. Texas (Tex. Bus. & Com. Code § 521.053): 60-day AG notice; consumer notice required if data meets the “harm” test (e.g., SSN, driver’s license).
  5. Washington (RCW 19.255): 30-day consumer notice; AG notice if 500 residents; low-risk exemption for encrypted data.
  6. Illinois (BIPA): No statutory breach-notification provision, but courts apply CCPA-style notice when biometric data is compromised.
  7. HIPAA Breach Rule: 60-day notice to individuals, HHS OCR, and media (if >500 NY) after discovery of unsecured PHI.
  8. Harm Threshold Test (most states): “Likely to result in identity theft, fraud, or other substantial harm” – focus on type of data, not on actual misuse.
  9. Attorney General Notification Threshold: 500 residents is the common trigger; some states (e.g., Nevada) use 1,000.
  10. “Discovery” vs. “Occurrence”: The statutory clock starts when the organization first learns of the breach, not when the intrusion happened.

Study tip: Memorize the “30-day vs. 60-day” split, the 500-resident AG trigger, and which states have a harm test versus a no-harm rule. Those are the high-yield facts that repeatedly appear on the CIPP/US exam. Good luck!