1. Home
  2. |Insights
  3. |New State Security Breach Notification Laws

New State Security Breach Notification Laws

Client Alert | 1 min read | 09.08.05

Beyond the HIPAA Privacy Rule and the HIPAA Security Rule, health care entities now face potential compliance obligations under an increasing number of state laws requiring notification of security breaches. Following in the footsteps of the California legislature, nineteen other states have now passed security breach notification laws, and there are similar laws pending in eight states whose legislatures are still in session: New Jersey, Massachusetts, Michigan, North Carolina, Ohio, Oregon, Pennsylvania, and Wisconsin.

Each of the recently enacted laws, like the California law, generally require entities to notify promptly the residents of that state if the security, confidentiality or integrity of their personal information – defined similarly by most states with some notable exceptions – has been compromised.

Failure to comply may result not only in enforcement by state officials, but could also result in civil lawsuits – some of the new state laws incorporate a private right of action.


As an additional requirement, some states require
businesses to take security measures to
prevent the occurrence of breaches.
Depending on which health care market your business
serves, you could be required by state law, e.g.,
to utilize encryption for transmission of
personal information or to implement
compliant document destruction policies.

If your organization loses personal data,
do you know
how to respond?

The best way to avoid disclosure under the new laws is to avoid the breach in the first place. Therefore, we recommend that as a supplement to existing HIPAA Security measures, health care entities adopt and implement any necessary state-specific procedures for handling the security of personal information generally. Health care entities should also prepare a response plan which includes an established method for notifying individuals when and if their personal information is compromised. Furthermore, most states will accept an existing information security policy if it contains notification provisions that meet the timing requirements of the new laws. If you already have an information security policy, you may wish to review it to ensure it comports with new applicable state law.

Insights

Client Alert | 4 min read | 12.04.25

District Court Grants Preliminary Injunction Against Seller of Gray Market Snack Food Products

On November 12, 2025, Judge King in the U.S. District Court for the Western District of Washington granted in part Haldiram India Ltd.’s (“Plaintiff” or “Haldiram”) motion for a preliminary injunction against Punjab Trading, Inc. (“Defendant” or “Punjab Trading”), a seller alleged to be importing and distributing gray market snack food products not authorized for sale in the United States. The court found that Haldiram was likely to succeed on the merits of its trademark infringement claim because the products at issue, which were intended for sale in India, were materially different from the versions intended for sale in the U.S., and for this reason were not genuine products when sold in the U.S. Although the court narrowed certain overbroad provisions in the requested order, it ultimately enjoined Punjab Trading from importing, selling, or assisting others in selling the non-genuine Haldiram products in the U.S. market....

View All Insights