States are taking steps to hold businesses accountable for
cyber security breaches.
To that end they've enacted laws that require
specific actions be taken when there is a security breach.
|
|
To date a total of 48 states and the District of Columbia,
Guam, Puerto Rico and the Virgin Islands have enacted such
laws.
|
|
The laws require businesses to provide timely notification
to:
|
|
- Persons whose information was breached.
- State Attorney General.
- Credit reporting agencies if the number of residents that
have to be notified exceed a certain amount (e.g. 1,000 for
Alaska)
|
|
It also require that a record of the notification be
maintained for a certain period of time (e.g. 5 years for
Alaska)
|
|
These laws specify how notification must take place and what
the alternative methods are if the cost of traditional mail
notification exceed a certain dollar amount.
|
|
There are fines for not fulfilling notification obligations
under the law.
For example, for Alaska the fine is $500 per resident whose
information was disclosed.
The total will not exceed $50,000.
|
|
Visit the
National Conference of State Legislatures (NCSL)
website to find the laws of each state.
|