Notifying Clients of Data Breaches: Which State Law Should We Follow?

Your financial institution is regulated by one state but has an office in another state. Which state’s law do you follow in the event of a data breach?

The answer is complicated.

State law for data breaches varies widely. From protected data to the definition of a breach, each state has its own approach. Connecticut requires that clients be notified of a breach within 90 days of an event, while Texas requires that it be done “as quickly as possible.” Tennessee has very specific standards for encryption, while others offer no standard at all. Florida allows an institution to conduct a risk assessment to decide if the data is likely to be used for identity theft, while Minnesota does not.


  • What’s an institution to do? Here are the best practices:

    1. Identify the relevant states. Compile all the applicable laws for the states your institution operates in. That means every state where you have a customer since customer notification law is determined by where the customer resides. (Ncontracts clients can ask us for a breakdown of state notification laws.)
    2. Take the most stringent definitions. Customer notification laws have three key provisions: the definition of protected data, the definition of a breach, and how quickly clients must be notified. Analyze the statutes in each state where you operate and take the most stringent and rigorous interpretations from each state. For example, if you have customers in Kansas and Tennessee, that may mean using Tennessee’s definition of encryption and Kansas’s “most expedient time possible” timing for notification. You’ll end up following stricter guidelines than necessary in some states, but you’ll also avoid falling into trouble with a state by accidentally applying the wrong rules. Remember, there’s no penalty for notifying clients sooner than necessary, but there can be large costs for being late. In California, financial penalties begin the day after notification should have occurred.
    3. Incorporate these definitions into your incident response process. Draft your incident response plan based on the strictest interpretation and monitor them regularly for changes.
    4. Incorporate state laws into the vendor management process. If your vendor operates in a state with less stringent requirements, you’ll still need them to follow your state laws. There are two ways to do this. First, you can make sure your contract contains language requiring the vendor to follow your state laws. Second, you can monitor vendor performance to understand how it secures data and responds to breaches to minimize the likelihood of a data breach. This can include reviewing SSAE 16 and SSAE 18 forms, providing vendor questionnaires, and documenting responses.

    To learn more, check out Ncontracts’ webinar: The Devil’s in the Details: How the State Notice of Breach Provisions Impact Third-Party Risk and Operations.