Shortly after Target’s massive data breach in December of 2013, Attorney General Eric Holder released a statement encouraging the United States Congress to pass a federal law that would become the standard for data breach notification. "This would empower the American people to protect themselves if they are at risk of identity theft," Holder said in the statement. "It would enable law enforcement to better investigate these crimes - and hold compromised entities accountable when they fail to keep sensitive information safe."
There is currently no federal law that addresses the actual breaches. A federal law governing data breach notification would be welcome if it were to pre-empt related state laws.
All but three states: Alabama, New Mexico, and South Dakota have data breach laws that specify when and how individual victims of security breaches, that include Personally Identifiable Information (PII), are notified. Included in most of these laws are provisions regarding what type of agencies are covered by the law, the states’ own definition of what constitutes PII and a definition of what constitutes a data breach. Each state also defines its own requirements for notice which usually includes: the timing, the acceptable methods, and who must be notified.
PII usually includes name, SSN, driver's license or state ID numbers, account numbers, medical or health care information, etc.
Many states have exceptions for encrypted information loss.
State - Data Breach Statute or Code:
Alaska - Stat. § 45.48.010
Arizona - Rev. Stat. § 44-7501
Arkansas - Code § 4-110-101
California - Civ. Code §§ 1798.29, 1798.80
Colorado - Rev. Stat. § 6-1-716
Connecticut - Gen Stat. § 36a-701b
Delaware - Code tit. 6, § 12B-101
District of Columbia - Code § 28- 3851
Florida - Stat. §§ 501.171, 282.0041, 282.318(2)(i) (2014 S.B. 1524, S.B. 1526)
Georgia - Code §§ 10-1-910, -911, -912; § 46-5-214
Hawaii - Rev. Stat. § 487N-1
Idaho - Stat. §§ 28-51-104 to -107
Illinois - ILCS §§ 530/1 to 530/25
Indiana - Code §§ 4-1-11 & 24-4.9
Iowa - Code §§ 715C.1, 715C.2
Kansas - Stat. § 50-7a01
Kentucky - § 365.732, §§ 61.931 to 61.934 (2014 H.B. 5, H.B. 232)
Louisiana - Rev. Stat. § 51:3071 et seq., 40:1300.111 to .116 (2014 H.B. 350)
Maine - Rev. Stat. tit. 10 § 1347
Maryland - Code Com. Law §§ 14-3501 & Md. State Govt. Code §§ 10-1301 to -1308
Massachusetts - Gen. Laws § 93H-1
Michigan - Comp. Laws §§ 445.63, 445.72
Minnesota - Stat. §§ 325E.61, 325E.64
Mississippi - Code § 75-24-29
Missouri - Rev. Stat. § 407.1500
Montana - Code § 2-6-504, 30-14-1701
Nebraska - Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada - Rev. Stat. §§ 603A.010 & 242.183
New Hampshire - Rev. Stat. §§ 359-C:19, -C:20, -C:21
New Jersey - Stat. § 56:8-163
New York - New York Gen. Bus. Law § 899-aa & State Tech. Law 208
North Carolina - Gen. Stat §§ 75-61, 75-65
North Dakota - Cent. Code § 51-30-01
Ohio - Rev. Code §§ 1349.19, 1349.191, 1349.192
Oklahoma - Stat. §§ 74-3113.1, 24-161 to -166
Oregon - Rev. Stat. § 646A.600
Pennsylvania - Stat. § 2301
Rhode Island - Gen. Laws § 11-49.2-1
South Carolina - Code § 39-1-90, 2013 H.B. 3248
Tennessee - Code § 47-18-2107
Texas - Bus. & Com. Code §§ 521.002, 521.053 & Ed. Code § 37.007(b)(5)
Utah - Code §§ 13-44-101
Vermont - Stat. tit. 9 § 2430, 2435
Virginia - Code § 18.2-186.6, § 32.1-127.1:05
Washington - Rev. Code § 19.255.010, 42.56.590
West Virginia - Code §§ 46A-2A-101
Wisconsin - Stat. § 134.98
Wyoming - Stat. § 40-12-501
In addition, the following United States territories also have data breach laws:
Territory - Data Breach Statute or Code:
Guam - GCA § 48-10
Puerto Rico - Laws of Puerto Rico § 4051
Virgin Islands - Code tit. 14, § 2208
Please note: This list is not updated on a regular basis. It is meant as a reference only. Please check each individual state’s Statutes or Codes for the most current information. Links to each state's laws are provided only as a convenience.
