Which of the following is commonly required for an entity to be subject to breach notification requirements under most state laws?
Which of the following is commonly required for an entity to be subject to breach notification requirements under most state laws?
Most state laws require an entity to conduct business in the state to be subject to breach notification requirements. This means that if a business operates within a state's jurisdiction and deals with personal information of residents, it must comply with that state's data breach notification laws. This is a common criterion across various state legislations.
Connecticut describes the covered entities subject to its notification law as “any person who conducts business in this state, and who, in the ordinary course of such person’s business, owns, licenses or maintains computerized data that includes personal information.” Some states limit the definition of “covered entities” to those that “conduct business in that state.” Note, however, that some state laws are narrower, such as the Georgia law applying only to “information brokers.”