State Breach Notification Laws

Why is this Important:
Institutions of higher education may have additional obligations regarding the use of data under federal, state, or local laws, regulations, or contractual agreements. Generally speaking, an institution may not be able to relieve itself of such obligations by contracting with a third party to perform functions that use regulated data. Clauses that instruct contracting third parties about the applicable regulatory requirements help protect the institution in the event of an unauthorized disclosure or breach. Many states have enacted data protection laws that require organizations subject to the legislation to notify customers in the event of a data breach, and institutions of higher education are often subject to these types of regulations. Contracts between an institution and a third party should therefore include language that allows the institution to meet its obligations under those laws.

See, e.g., Indiana Notice of Security Breach, Ind. Code §4-1-11 and Texas Government Code Subchapter F, Chapter 2054, Section 2054.1125.

Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(r); (s)

Criticality: Category 1, Category 2, and Category 4.

Sample RFP Language:

  1. Describe the procedures and methodology in place to detect information security breaches and notify customers in a manner that meets the requirements of the state breach notification law.
Sample Contract Clauses:

  1. [Vendor] agrees that it will execute a Social Security Number Addendum with Institution and the Addendum will be in the form set forth in Exhibit F, SSN Addendum, attached and incorporated for all purposes.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).