In our final installment of data breach notification law trends, we’ll look at one of the fastest growing trends to date: notification of state attorneys general.

Click below to catch up on this series:


Requiring notification of the State Attorney General

With the number of high profile data breaches on the rise, a significant trend in proposed and recently passed legislation relates to specifiying when a data breach requires notification to a state’s attorney general.

State attorneys general are the driving force behind this growing trend. Not only do their offices help consumers deal with the repercussions of a data breach, they also investigate data security lapses and enforce data breach notification laws. Keeping abreast of data breaches is critical to performing this work.

In 2015, the National Association of Attorneys General (NAAG) wrote a letter to Congress explaining that “any additional protections afforded consumers by a federal law must not diminish the role states already play protecting consumers from data breaches and identity theft.” It also stressed the importance of states continuing to set the pace to enact and enforce breach notification law. 

From the letter:

A number of states now require data collectors experiencing breaches to directly notify the attorneys general in states where the affected consumers reside. This requirement enables those offices to more quickly respond to breaches and accurately provide information to concerned consumers. The much-needed transparency over data breaches that has been achieved in recent years is largely attributable to these requirements at the state level.

States that have recently added requirements to notify the attorney general: 

  • North Dakota (SB 2214) In August of last year, North Dakota added the requirement to notify the attorney general, by mail or by email, of a breach involving more than 250 individuals in the most expedient time possible and without unreasonable delay.
  • Montana (HB 74) In October of last year, Montana updated its privacy law to include a requirement to notify the attorney general in the event of a breach. The notification must be submitted electronically at the same time as notification is provided to an individual.
  • Oregon (SB 601) Effective as of January 1st of this year, Oregon amended its Consumer Identity Theft Protection Act, adding a requirement to notify the attorney general if the number of consumers who must be notified exceeds 250.
  • Rhode Island (SB 134) In addition to a more stringent notification timeline for affected individuals, Rhode Island’s breach notification law, effective June 26th, now requires notification to the attorney general in the event of a breach affecting more than 500 residents.

What this means for privacy and security teams

Attorney general notification requirements add a layer of complexity to your breach response program – this is one more deadline you will need to track, and one more notification you will need to create and send.

Though many states are adding this requirement, the actual contact information and process for notifying a state attorney general can sometimes be difficult to track down. For RADAR customers, this contact information is available in the application’s resource library.

Beyond the trends

Although this is the final installment of the 2016 legal trend series, the work of the RADAR regulatory team continues. With all the movement in state and federal data breach notification regulations, navigating the complex and ever-changing data breach law landscape means staying on top of pending and recently passed legislation.

If you would like to learn more about RADAR and how we help our customers stay on top of state and federal breach notification requirements, consider scheduling a quick demo of our platform to view how RADAR works and the legal resources kept in the RADAR law overviews.


Related Reading: