It is no surprise that the US is a major source of data breaches, but, according to the IC3’s most recent annual report, over 80% of the world’s reported cyber crimes come from the country.
Data security remains pivotal to organizations’ reputation and finances, with breaches potentially costing companies both in material losses and government fines. For US companies that operate across the country, maintaining an awareness of individual states’ legal requirements is vital. There are 47 states with data breach notification laws, as well as the District of Columbia and the territories of Guam, Puerto Rico, and the Virgin Islands.
These laws vary in a number of ways and can be challenging for businesses operating across multiple states. Such organizations must take into consideration an array of subtly different requirements, for example:
- What defines personal information
- The types of security breaches that are covered in each state
- Under what circumstances notification must be given
- How soon notification must be given
- The penalties for violations
- The exemptions for breaches
California, New York among the most targeted states
While the US as a whole makes up four-fifths of all reported cyber crimes, it is California, unsurprisingly, that is most targeted – accounting for 14.53% of all domestic incidents reported to the IC3. Florida is a distant second with 8.47% of incidents, followed by Texas (7.67%), New York (6.3%), and Illinois (3.51%).
It may be surprising that New York accounts for such a seemingly small number of incidents, given both its status as an economic hub (with a GDP that is, after California, only narrowly behind Texas) and the state’s new, much stricter cybersecurity regulations that will become effective on March 1, 2017. However, those figures still equate to 15,116 incidents for the year and a reported $58,083,855 in losses. That gives New York around the same number of incidents per person as California, and more than Texas, Illinois, or sixth-ranked Pennsylvania.
Understanding NY State Department of Financial Services’ new cybersecurity regulations
If your business is based in New York State, or you do business there, you will need to be aware of the new cybersecurity proposals the state’s Department of Financial Services (DFS) has put forward. IT Governance provides everything you need to meet the DFS requirements, offering a full range of products for ISO 27001 that can be used to ensure you comply.
Now available for pre-order, the ISO 27001 Cybersecurity Documentation Toolkit covers state, national, and international cybersecurity frameworks. This toolkit will enable you to produce a robust management system that complies with:
- NIST SP 800-53
- New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies
- Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
- ISO 27001, the internationally-recognized cybersecurity framework