All across the country, data breach notification laws can differ based on the state in which the breach occurred and the state in which the affected consumers live. With no nationwide notification law as of yet (and two states not even having notification laws in place), that can mean a wide variety of requirements scattered across the country.

Fifteen different states’ attorneys general have come together to clarify what constitutes a notification requirement under their view of existing laws.

Different states define their notification requirements based on the types of personal information that were stolen, viewed, accessed, or used without authorization; in some states, there is also a “combination effect,” meaning notifications are required when certain pieces of information are accessed together, like email addresses and passwords or names and Social Security numbers. Unfortunately, businesses have made the mistake in the past of thinking that only specific pieces of information could trigger the requirement to notify possible victims of a breach, but the letter from these different states makes it clearer.

According to, “In response to a ‘FAQ’ circulated by [Aptos, Inc], the AGs of New York, Connecticut, Colorado, Pennsylvania, Virginia, Mississippi, Illinois, North Carolina, Kentucky, Oregon, Iowa, Arkansas, Washington, Maryland, and Minnesota wrote that Aptos was incorrect in its view that ‘there is no obligation to notify in those states – the account number plus CVV states – if your customers’ CVV data was not exposed.’ The AGs clarified unequivocally, ‘The CVV number does not have to be disclosed to trigger our states’ notification obligations.’”

What’s the difference?

The CVV number is the three-digit security number on the back of the card. Some entities mistakenly believe that a credit card number on its own can’t benefit identity thieves and scammers, but that isn’t exactly the case. The AGs’ letter informed Aptos that their states require a notification anytime a consumer’s name and payment information is breached, regardless of whether the CVV number was compromised.

This is an important distinction for businesses to understand. The costs associated with issuing a data breach notification—potentially to millions of customers in a large-scale event—can be very serious, and the resulting legal action by banks who have to foot the bill for issuing new cards may be severe. Even worse, failing to notify consumers under the false notion that they’re not required to notify can have serious consequences as well. It’s important for any company that gathers and stores consumers’ information to fully understand their obligation under the different laws.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.