It’s time for an updated version of our “Mintz Matrix” – the Mintz Levin matrix of state data security breach notification laws. We update this matrix quarterly, or as developments dictate.
The Fall 2012 version can be found at Data Breach Notification Matrix
In this update, we call particular attention to changes in the following states:
Texas -- The amendment to the Texas breach notification statute took effect September 1, 2012. We previously blogged about these amendments, which could be construed to now act as a 50-state breach notification statute. It requires entities that conduct business in Texas to provide notice to both affected Texas residents and to non-residents if the non-resident lives in a state that does not require notification of the security breach. As of today, those states include Alabama, Kentucky, New Mexico and South Dakota. The amendment also increased penalties for violations to $100 per affected individual per day of failed or delayed notification, up to $250,000 for a single breach.
Connecticut – The amended version of Connecticut’s data breach notification law (previously blogged about here) adds a requirement to notify the Connecticut Attorney General “not later than the time when notice is provided to the resident.” This amendment took effect on October 1, 2012. Attorney General George Jepsen’s Privacy Task Force has established an email address to facilitate breach reporting at [email protected]. A link to the email address and information regarding the new reporting requirement is at the AG’s website.
Now, for today’s disclaimer: This chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel (the Mintz Levin privacy team) when reviewing options and obligations in responding to a particular data security breach.