"A data security breach occurs when there is a loss or theft of, or other unauthorized access to, sensitive personally identifiable information that could result in the potential compromise of the confidentiality or integrity of data. Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have laws requiring notification of security breaches involving personal information. Federal statutes, regulations, and a memorandum for federal departments and agencies require certain sectors (healthcare, financial, federal public sector, and the Department of Veterans Affairs) to implement information security programs and provide notification of security breaches of personal information. In response to such notification laws, over 2,676 data breaches and computer intrusions involving 535 million records containing sensitive personal information have been disclosed by data brokers, businesses, retailers, educational institutions, government and military agencies, healthcare providers, financial institutions, nonprofit organizations, utility companies, and Internet businesses. As a result, a significantly large number of individuals have received notices that their personally identifiable information has been improperly disclosed. This report provides an overview of state security breach notification laws applicable to entities that collect, maintain, own, possess, or license personal information. The report describes information security and security breach notification requirements in the Office of Management and Budget's 'Breach Notification Policy,' the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), and the Gramm-Leach-Bliley Act (GLBA)."
CRS Report for Congress, R42475