To Notify, or not to Notify? Trend Towards Security Breach Notification Laws Continues

Client Alert | 1 min read | 12.01.05

Since our last update in September of this year, four additional states have enacted security breach notification laws and similar laws are still pending in several states. New York, New Jersey, North Carolina and Ohio have all joined the fray, increasing the pressure on the federal government to pass a uniform federal security breach notification law.

Each of the recently enacted laws, like the California law, generally require entities to promptly notify the residents of that state if the security, confidentiality or integrity of their personal information (defined similarly by most states with some notable exceptions) has been compromised.

The new state security laws don't just require notification of breaches after the fact. Some states require businesses to take measures now to prevent the occurrence of breaches. Depending on where your corporation does business, you could now be required by state law to:

Implement and maintain security procedures and practices to protect personal information.
Adopt measures to ensure transfers of personal information to third parties are subject to contractual safeguards.
Review existing document destruction policies to ensure appropriate methods for the destruction of personal information.
Utilize encryption to ensure the safe transfer of personal information to third parties.

The best way to avoid disclosure under the new laws is to avoid the breach in the first place. Therefore, we recommend that corporations adopt procedures for handling the security of personal information generally, and prepare a response plan which includes an established method for notifying individuals when and if their personal information is compromised. Furthermore, most states will accept an existing information security policy if it contains notification provisions that meet the timing requirements of the new laws. If you already have an information security policy, you may wish to review it to ensure it comports with new applicable state law.

Contacts

Kris D. Meade
Partner
He/Him/His
- Washington, D.C.
  - D | +1.202.624.2854
a21lYWRlQGNyb3dlbGwuY29t

Insights

Client Alert | 4 min read | 12.04.25

District Court Grants Preliminary Injunction Against Seller of Gray Market Snack Food Products

On November 12, 2025, Judge King in the U.S. District Court for the Western District of Washington granted in part Haldiram India Ltd.’s (“Plaintiff” or “Haldiram”) motion for a preliminary injunction against Punjab Trading, Inc. (“Defendant” or “Punjab Trading”), a seller alleged to be importing and distributing gray market snack food products not authorized for sale in the United States. The court found that Haldiram was likely to succeed on the merits of its trademark infringement claim because the products at issue, which were intended for sale in India, were materially different from the versions intended for sale in the U.S., and for this reason were not genuine products when sold in the U.S. Although the court narrowed certain overbroad provisions in the requested order, it ultimately enjoined Punjab Trading from importing, selling, or assisting others in selling the non-genuine Haldiram products in the U.S. market....

Client Alert | 21 min read | 12.04.25
Highlights: CMS’s Proposed Rule for Medicare Part C & D (CY 2027 NPRM)
Client Alert | 5 min read | 12.02.25
CARB Delays Enforcement of California’s Climate-Related Financial Risk Report Law (SB 261) and Issues New Guidance on Climate Disclosure Requirements in SB 261 and SB 253
Client Alert | 11 min read | 12.01.25
EU AI Act, GDPR, and Digital Laws Changes Proposed

View All Insights