Cyber Insurance
What kind of work do you do?
Female computer engineer working in server room.
Choose from the nation's best insurance providers
Logos of Insureon's business insurance carrier partners

State data breach notification laws and requirements

Because state laws regulate the investigation and handling of data breaches, it's important to know the notification requirements for your business location. Learn more about the laws for data breach notification in your state.

What are data breach notification laws?

Data breach notification laws regulate how businesses need to notify anyone affected by a data breach in which an individual’s personally identifiable information (PII) was accessed or stolen.

While notification requirements differ by state, the general idea is that businesses need to notify those affected as soon as possible after a data breach. Failure to comply with notification requirements could result in civil penalties and expensive lawsuits.

While IT consultants, healthcare providers, and accountants are especially vulnerable here, any business that handles personal information could be at risk.

What is personally identifiable information?

Depending on your state’s data privacy laws, its definition of PII likely includes:

  • Social Security numbers
  • Driver's license numbers and non-driver identification card numbers
  • Account numbers, credit card numbers, and debit card numbers in combination with a password or other means of access to a financial account

PII may also include biometric information (such as fingerprints and retinal scans), usernames, email addresses, and passwords.

Any business that handles PII should invest in cyber insurance to mitigate costs in the event of a data breach.

Get free quotes for cyber insurance
Small business owner looking for insurance quotes on their tablet.

Each state has its own data breach notification requirements

All fifty states in the U.S. have laws requiring businesses to notify individuals of a data security breach.

Each state provides its own unique consumer protection laws and data breach notification requirements, although many of these state laws are similar to one another. California set the standard for data breach notification laws by being the first state to enact them in 2002.

Every state requires notification of affected individuals without unreasonable delays. Some states give a specific number of days for notification, typically within 30 to 60 days of a breach being discovered.

You would likely have to send a written notice to everyone directly, as well as make a general notification through the media and a state agency or officer, such as your state’s attorney general.

For some states, notifying the authorities must be done for any breach, while for others it depends on the number of residents affected. Some states also require a business to offer credit monitoring services after a data breach.

If your business operates in multiple states, it’s a good idea to be aware of what’s required within each jurisdiction and make this notification part of your cyber breach response plan.

What do business owners need to include in a data breach notice?

A data breach notification must be written in plain language. Some states require a notice to be titled “Notice of a Data Breach.”

Depending on your state, the notification requirements for a data breach will likely include such information as:

  • The name of the company or organization issuing the notice
  • A description of what happened
  • The types of personally identifiable information that may have been compromised
  • When the breach is believed to have happened
  • Whether or not the notification was delayed because of a criminal investigation

The notice may have to include an offer of identity theft prevention and mitigation services for at least a year. You should also include contact information for your company’s representatives.

If a large number of individuals were affected, you may also need to report the breach to consumer reporting agencies, such as Experian and Equifax.

It’s a good idea to consult with an attorney and get legal advice in advance to make sure your data breach response plan complies with all applicable laws.

Health and finance businesses are regulated on the federal level

Federal laws regulate the data security of healthcare facilities, healthcare professionals, and financial institutions.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes a Breach Notification Rule that requires notification after a breach of unsecured protected health information. Businesses must notify:

  • Affected individuals
  • The Secretary of Health and Human Services
  • The media, if over 500 residents of a state or jurisdiction were affected

Individuals must be notified by first-class mail, or by email if they've agreed to electronic communication, within 60 days of the discovery of a breach.

The Federal Trade Commission also has a Health Breach Notification Rule for the vendors of personal health records and their third-party service providers, under the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Financial institutions should be aware of their obligations under the Gramm-Leach-Bliley Act (GLBA), which requires them to protect the personal information of their customers against data breaches. This affects any business that offers financial products or services, from financial advisors to insurance agents.

You may also like
A laptop and cybersecurity emblems.
Multi-factor authentication (MFA) insurance requirement

Depending on their industry and insurance provider, small businesses may be required to implement specific MFA requirements as part of their risk management plan to qualify for cyber insurance coverage.

Protect your business with cyber insurance

The increasing costs and risks of a cyberattack or data breach could put any company in a bind. In 2021, the average cost of a data breach rose from $3.86 million to $4.24 million, according to a report by IBM. This is especially true for small business owners who might not have the financial resources to recover from a security breach.

Insurance carriers make a distinction between tangible property and digital property, because each comes with its own risks. So while general liability insurance is a necessity for most businesses, general liability policies will only cover injury to tangible property and exclude information stored, created, used, or transmitted digitally.

There is a newer exclusion to general liability insurance, known as electronic data liability coverage, that can be added an endorsement to your standard policy. However, this is only designed to account for damage to electronically stored data that results from a physical injury to the computer hardware, such as a laptop being dropped and resulting in stored data being permanently lost.

That’s why many small business owners are turning to cyber liability insurance as a way to financially protect themselves. Cyber liability coverage can help pay for expenses such as customer notification, credit monitoring, legal fees, and regulatory fines. It can also offset the cost of recovering data.

Most companies invest in data breach insurance

There are a couple different kinds of cyber liability insurance.

First-party cyber liability insurance, also known as data breach insurance, covers the direct costs of a data breach or cyberattack. This includes things like forensic investigations, notifying those affected, credit monitoring services, cyber ransoms, and business interruption expenses.

This coverage is purchased by most business owners looking to insure themselves from a data breach.

Third-party cyber liability insurance insures against lawsuits filed by clients, if they accuse you of failing to prevent a data breach or cyberattack at their business. Also known as technology E&O insurance, it's crucial for IT consultants and cybersecurity businesses that are responsible for protecting their clients from cyberattacks.

How much does cyber liability insurance cost?

A small business owner calculating their cyber liability costs

Cyber liability insurance can be an affordable option for a small business. Several factors affect the premium, including:

  • The amount of private information handled
  • Your industry
  • Policy deductible and limits
  • Number of employees
View Costs

How can businesses prevent a data breach?

When your business stores data, technology and education are your most important tools in data protection and avoiding a breach. It's crucial to make sure you take measures to prevent data breaches.

Some states may even require it. For example, New York’s Stop Hacks and Improve Electronic Data (SHIELD) Security Act requires businesses to safeguard private information through a variety of methods, such as designating one or more employees to coordinate a security program.

Requiring strong passwords, security questions, and two-step authentication can provide reasonable protection for your business and any service providers who access this information, thereby reducing the chance of an unauthorized acquisition of data.

Save money by comparing quotes with Insureon

Complete Insureon’s easy online application today to compare quotes for cyber liability insurance from top-rated U.S. insurance companies. Once you find the right policy for your small business, you can begin coverage in less than 24 hours.

What our customers are saying

Updated: March 5, 2024

Find cyber insurance quotes

Save money by comparing insurance quotes from multiple carriers.
EXPLORE ON INSUREON
How to prevent a data breach at your businessWhat to do after a data breachCyber insurance requirementsWhy do cyber liability claims cost so much?Does your cyber insurance have business interruption coverage?Best cyber insurance for small businesses