Data Breach Law Heat Map Verdict: Pretty.

Among the many reasons that our clients sign up to use AlertBoot mobile data security solutions for smartphones, tablets, and laptops lie the various data breach notification and data security laws and regulations.

Everyone has their own requirements: how soon notification letters must be sent, if they need to be sent at all; whether the use of encryption software is grounds for safe harbor from doing so; financial penalties; etc.  In short, it’s a giant mess, especially if a company is doing business at a national level.

The folks over at have created a handy heat map on US data breach laws.  At first glance, it looks quite helpful.  For example, you can tell that only four states don’t have breach notification laws as of July 2012: New Mexico, South Dakota, Alabama, and Kentucky.

The remaining US states as well as the US Virgin Islands and Puerto Rico do have laws with varying degrees of “strictness” which are represented via a color-coded scale.

Not Meant to Be Useful?

As pretty as it is, the heat map is less than useful if you’re looking for more information.  The biggest shortcoming is the fact that we have no idea how “strictness” was scored or scaled.

For example, Virginia is listed as the state with the strictest data breach notification law, followed by NY, MI, and MA.  This is news to me because the last time I checked, MA’s data protection laws were the strictest in the country, with NV’s and TX’s keeping it company.  The latter two, per Imation, are in the middle of the pack.

Heather Clancy at notes that VA’s position makes sense, and “isn’t really surprising given that the state is a hub for federal contracting and consulting.”  I guess that does make sense.  On the other hand, I’ve seen plenty about these laws that don’t make sense:

  • Allowing “encryption” to be defined so that password-protection could also be considered to be encryption

  • The breach of Social Security numbers only (without first and last names) is actually not considered a data breach

So, “making sense” is not necessarily a condition for these laws.  One thing’s for sure: data breach notification laws are quite fractured, and it’s no wonder that companies claim they’d welcome the passage of a federal data breach notification law.
