The Ultimate Guide to Data Breach Laws By State
A detailed guide through existing data breach laws by state, including notification requirements and possible penalties companies can face for violating these laws.
Data breaches represent a serious threat for modern companies and can have drastic financial ramifications, both for the business that is attacked and other partners and clients whose data might also have been compromised in the breach.
According to a recent report, 29% of businesses that face a data breach suffer a “serious loss of revenue” that sometimes exceeds 20%.
Data breaches don't just pose a threat to a company’s short-term revenue, a serious breach can endanger the reputation of your brand as well. Customers are becoming increasingly well educated regarding potential threats to their personal information and value their privacy immensely, meaning that they are often hesitant to trust a business with a history of poor data security.
The same can be said for businesses when choosing partnerships. If your business has shown an inability to protect its data, your company could miss out on many of these types of opportunities.
Data breaches carry with them a slew of hidden costs as well. Regulatory fines and victim notification costs are an expensive reality that many companies tend to overlook. A well-documented example of a massive financial loss caused by a data breach occurred in 2015, when the Federal Communications Commission (FCC) hit AT&T with a $25 million fine for a data breach that exposed their users’ personal information.
Protecting Your Business from Data Breaches with Insurance
Any company that's serious about protecting itself from data breaches must invest serious time, effort, and money into putting together a cybersecurity plan and strategy to combat the many types of cybercrimes that could negatively affect a business.
Of course, no plan is foolproof, which is why most businesses will buy insurance to transfer some of the risk involved to a third party. The insurance policy that will protect businesses from data breaches and other forms of cyberattacks is called cyber liability insurance.
Cyber liability insurance protects your company by covering the myriad costs that can stack up after a data breach or any other type of cyberattack has occurred. If your business's systems have been breached and sensitive information has been compromised, your cyber liability policy will pay for forensic analysis for identifying the attack source, public relations services, client notification costs, credit monitoring services, loss of income, and legal costs related to claims filed against your company that stem from the data breach.
Any business that deals with electronic data should have cyber liability insurance.
Data Breach Laws By State
The core of data breach laws that apply to the collection, storing, and processing of personal data is similar in just about every state.
However, each state makes specific modifications to its laws in an effort to better protect the interests of its citizens.
These laws define what each state considers to be personally identifiable information. Furthermore, what constitutes a breach, who companies need to notify if a breach does occur, and various exemptions are some other examples of the various nuances within these data breach laws that often vary from state to state when it comes to assessing the damage caused by a data breach.
We have compiled a detailed guide through existing data breach laws by state, with information related to notification requirements, what information is covered, and possible penalties companies can face for violating these laws.
Alabama
Statute - Ala. Code § 8-38-1 et seq.
According to the Alabama Data Breach Notification Act of 2018 (S.B. 318) companies need to notify individuals of a data breach when the breach is likely to harm those affected. When the information is no longer needed, they must dispose of the data. Businesses need to provide security measures to protect personally identifying information, such as assigning an employee to coordinate these security measures, developing procedures for identifying the risks of an internal or external security breach, adapting security measures to changes in circumstances that may impact the security of sensitive information, and others.
Notifications to Individuals
Individuals likely to be harmed by the breach must be notified in writing within 45 days, except when it could interfere with a criminal investigation or national security. The notices are to be sent to their mailing addresses or by email. If the costs of notification are too high (exceeding $500,000) or there is not enough information to notify an individual about, other ways of notification may be used. If the impacted number of individuals exceeds 100,000, the company may put a notice on its website or in print and broadcast media.
Notifications to Regulators
Alabama Office of the Attorney General and all consumer reporting agencies must be informed if over 1,000 Alabama residents are contacted following a security breach.
Covered Information
Covered information is an individual’s first name or first initial and last name with one or more of the following:
- Their Social Security number, tax ID number, driver’s license number, ID card number, or any other ID number used to verify identity
- Financial account numbers (with any info needed to access them)
- Information about an individual’s health history
- A health insurance policy number or subscriber identification numbers
- A username or email address with a password or security question and answer
Penalties
Businesses that do not comply with these requirements are subject to the penalty provisions of Section 8-19-11, Code of 23 Alabama 1975, in amounts up to $2,000 per violation, not exceeding $500,000 per breach.
Alaska
Statute - Alaska Stat. § 45.48.010 et seq.
The definition of a security breach in Alaska is any unauthorized acquisition, or the reasonable belief of such, that compromises the security, integrity, or confidentiality of covered information. Some good-faith acquisitions by employees or agents do not fall under this definition nor does any person working with covered information.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately, except when it might interfere with a criminal investigation. Notices must be sent to mailing addresses in written form, or communicated electronically (consistent with E-SIGN) when need be.
Notifications to Regulators
All consumer credit reporting agencies have to be notified immediately if over 1,000 residents are to be notified about the breach. These notices need to specify the timing, distribution, and content of the notifications sent to residents.
Covered Information
Covered information includes the first and last name, or a first initial and last name, and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Financial account
- Credit or debit card numbers (along with required security or access codes) •PINs or passwords that enable access to financial information
- Passwords, PINs and other access information for financial accounts
- Applicable to covered information in both electronic and paper form.
Penalties
Government agencies need to pay civil penalties of $500 per resident not notified of the breach, with the maximum total amount being up to $50,000. If the agency is liable for any other violations, that amount may be even higher. In private actions, the limit for penalties is the actual economic damage sustained.
Arizona
Statute - Ariz. Rev. Stat. § 18-551 et seq.
The state of Arizona defines a breach as unauthorized access or acquisition that compromises security or confidentiality of covered information. Good-faith acquisitions by employees are exempt from this definition.
Anyone who licenses, owns, or maintains covered information falls under Arizona’s data breach notification law. It is not, however, applicable to encrypted or redacted information, providing that no access was granted to the encryption key.
Notifications to Individuals
Individuals must be notified without delay, necessary means of notification being whatever is the primary communication method between the company and the customer (telephone, written, and electronic when consistent with E-SIGN). Should the cost of notification go over $50,000 or more than 100,000 individuals are to be notified, the company may opt for substitute methods of notification, such as publishing the notice on their website or in broadcasting media.
It is noteworthy that anyone maintaining the breach data is not under obligation to notify individuals affected; the owner or licensee of the data is the one required to do so unless agreed otherwise.
Notifications to Regulators
None required.
Covered Information
Covered information includes first and last name or first initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state identification card number
- Financial accounts
- Credit or debit card numbers (plus any security or access codes required)
- Refers only to covered information in electronic form, not applicable in paper form.
Penalties
Arizona Attorney General may prosecute for damages and civil penalties up to $10,000 per breach. Government and non-government agencies are subject to the same penalties.
Arkansas
Statute - Ark. Code § 4-110-101 et seq.
The state of Arkansas defines a breach as unauthorized access or acquisition that compromises security or confidentiality of covered information (excluding good-faith acquisition done by employees). Arkansas data breach laws are applicable to anyone directly dealing with covered information, with exemption of encrypted or redacted data whose encryption key has not been accessed.
Notifications to Individuals
Notifications are sent as soon as possible and only to those individuals likely to be harmed by the breach. Delays are acceptable if the notice might interfere with a criminal investigation. The notice can be given in written or electronic form (if consistent with E-SIGN).
Anyone maintaining personal information data that they do not own must notify the owner or licensee of the data as soon as possible if a breach is suspected.
Notifications to Regulators
None required.
Covered Information
Covered information includes the first and last name or first initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Financial accounts
- Credit or debit card numbers (plus any security or access codes)
- Medical information
- Applicable only to covered information in electronic form.
Penalties
The Attorney General sanctions any violations under this law, under provisions of deceptive trade practice (§ 4-88-101 et seq.).
California
Statute - Cal. Civ. Code § 1798.80 et seq.; Cal. Health & Safety Code § 1280.15
A breach is defined as the unauthorized acquisition of covered information that compromises the security, integrity, or confidentiality of covered information. Anyone who deals with covered information in California is subject to its data breach laws except good-faith acquisitions by employees or agents.
Notifications to Individuals
Notices have to be given as soon as possible and must use plain language and 10-point font size or larger. The following information must be provided:
- Name and contact information
- Types of breached information
- Date of the breach
- Date of the notice
- If notification was delayed because it could interfere with an investigation
- A description of the breach
- Toll-free numbers and addresses for companies managing Social Security numbers, driver’s licenses, and the like if that was the breached information.
Notifications are made in written or electronic form consistent with E-SIGN. Encrypted data (where the encryption key is not acquired) does not fall under the statute. Also, be aware that in California companies need to provide identity theft prevention and mitigation services free of charge for at least a year if Social Security numbers, driver’s license numbers, or state ID card numbers are breached.
Notifications to Regulators
The Attorney General needs to be informed if a security breach notice has been sent to more than 500 residents.
Covered Information
Covered information includes first and last name or first initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Financial accounts
- Credit or debit card numbers (and any security or access codes needed)
- Medical or health insurance information
- Information gathered by automated license plate recognition systems
- A username or email address with passwords or security question answers enabling access to someone’s online account.
- Applicable only to the information in electronic form.
Penalties
Individuals harmed by a data breach can start a civil action to recover any incurred damages, with the exemption of individuals affected under the medical information-specific statute in California. The maximum amount awarded for a single event cannot go over $250,000.
Colorado
Statute - Colo. Rev. Stat. § 6-1-716
In Colorado, a data breach is defined as the unauthorized acquisition of covered information that compromises the security, integrity, or confidentiality of covered information, excluding good-faith acquisitions by employees. Colorado’s data breach laws apply to anyone doing business in Colorado and dealing directly with covered information. Encrypted or redacted information, whose encryption key was not accessed is exempt from the statute.
Notifications to Individuals
Notices are to be sent immediately by the company's primary method of communication with the customer (telephone, written or electronic form consistent with E-SIGN). Delay is accepted if the notice interferes with a criminal investigation. No notice is necessary if it is deemed that no misuse has happened or will happen in the future.
Notifications to Regulators
All nationwide consumer credit reporting agencies and consumer reporting agencies (CRAs) are to be informed if notices are sent to more than 1,000 residents. Anyone maintaining covered info must also immediately notify the entity of primary responsibility for the information in case of misuse or the likelihood of misuse.
Covered Information
Covered information includes first and last name or first initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Financial accounts
- Credit or debit card numbers (and any security or access codes)
- Applicable to covered information in electronic form only.
Penalties
The Attorney General decides on the appropriate response to any violations.
Connecticut
Statute - Conn. Gen. Stat. § 36a-701b
The state of Connecticut defines a breach as unauthorized access or acquisition of covered information. Data breach laws are applicable to anyone that acquires, owns, licenses, or maintains covered information. Encrypted or redacted information (where the encryption key was not accessed) does not fall under this statute.
Notifications to Individuals
Available means of communication is written, telephone, or electronic notice consistent with E-SIGN. Notifications are to be sent immediately except when they might interfere with a criminal investigation. Notifications are not needed when no harm is likely to happen. Companies have to provide identity theft prevention and mitigation services free of charge for at least a year if Social Security numbers are breached. Individuals also need to be informed on how to freeze their credit files.
Notifications to Regulators
The Attorney General is to be informed of a data breach at the same time as the impacted consumers. Anyone maintaining covered info must also immediately notify the entity of primary responsibility for the information in case of a breach.
Covered Information
Covered information includes first and last name or first initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Financial accounts
- Credit or debit card numbers (and any security or access codes)
- Applicable to covered information in electronic form only.
Penalties
The Attorney General decides on the penalties for violations, which are seen as an unfair trade practice under 42-110b.
Delaware
Statute - Del. Code Ann. tit. 6 § 12B-101 et seq.
In Delaware, a data breach is defined as the unauthorized acquisition of covered information that compromises the security, integrity, or confidentiality of covered information, excluding good-faith acquisitions by employees. Data breach laws apply to anyone dealing directly with covered information. Encrypted or redacted information, whose encryption key was not accessed is exempt from the statute.
Notifications to Individuals
Available means of communication is written, telephone, or electronic notice consistent with E-SIGN. Notifications are to be sent immediately except when they might interfere with a criminal investigation. Notifications are not needed when no harm is likely to happen.
Notifications to Regulators
If more than 500 residents must be notified, the Attorney General is to be informed of a data breach at the same time as the impacted individuals. Anyone maintaining covered info must also immediately notify the entity of primary responsibility for the information in case of a breach.
Covered Information
Covered information includes first and last name or first initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Financial accounts
- Credit or debit card numbers (and any security or access codes)
- Applicable to covered information in electronic form only.
Penalties
The Attorney General decides on the damages and penalties for violations. Companies must provide credit monitoring services free of charge for at least 12 months if Social Security numbers are breached unless it is deemed that no harm will happen to affected individuals.
District of Columbia
Statute - D.C. Code § 28-3851 et seq.
A breach is an unauthorized attainment of computerized or other electronic data, including any equipment storing, said data when such an acquisition compromises the integrity, confidentiality, or security of the covered information overseen by the individual or entity. Good-faith acquisitions are exempt from the definition.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately. Delay is accepted if the notice interferes with a criminal investigation or national security.
Notification may be provided in the form of a written notice or electronic notice (subject to stipulations in 114 Stat. 641; 15 U.S.C.S. § 7001). If the costs of notification are too high (over $50,000), there is not enough contact information, or the impacted number of individuals exceeds 100,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Institutions subject to the Gramm-Leach-Bliley Act are excluded from the statute.
Notifications to Regulators
All nationwide consumer reporting agencies have to be notified immediately if over 1,000 residents are to be notified about the breach, in compliance with§1681a (p).
Covered Information
Covered information includes the first name or initial and surname, or phone number, or address with one or more of the following:
- Social Security Number
- Driver’s license or a State ID card number
- Debit or credit card account numbers (with security and access codes or passwords)
Penalties
The Attorney General can initiate legal action and award penalties up to $100.00 per violation, plus costs and lawyer’s fees.
Florida
Statute - Fla. Stat. § 501.171
A breach is defined as unauthorized access of data in electronic form containing personal information (excluding good-faith acquisition done by employees). Data breach laws are applicable to anyone directly dealing with covered information, with exemption of encrypted or redacted data whose encryption key has not been accessed.
Notifications to Individuals
Available means of communication are written notices and emails. Notifications are to be sent immediately except when they might interfere with a criminal investigation. Notifications are not needed when no harm is likely to happen which has to be confirmed in writing and preserved for a minimum of five years.
Notifications must include:
- Date of the breach
- A description of the breached information
- Contact information
Notifications to Regulators
Florida Department of Legal Affairs is to be informed within 30 days of the breach if 500 or more individuals are impacted. Companies may be granted another 15 days providing they present a good reason in writing. All nationwide CRAs need to be notified as soon as possible if 1,000 or more individuals are affected. Anyone maintaining covered info must notify the entity of primary responsibility for the information within 10 days of a breach.
Covered Information
Covered information includes first and last name or first initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Military identification
- Other forms of ID used to verify identity
- Financial accounts
- Credit or debit card numbers (and any security or access codes needed)
- Medical or health insurance information
- Information gathered by automated license plate recognition systems
- A username or email address with passwords or security question answers enabling access to someone’s online account.
- Applicable only to the information in electronic form.
Penalties
Penalties under s. 501.207 are applicable for any violations. If businesses fail to meet notification requirements they will be charged up to $500,000 – no more than $1,000 a day for the first 30 days after the violation and $50,000 for each subsequent 30-day period. Should the violation go on for over 180 days, penalties may reach up to $500,000. Civil penalties apply per breach and these penalties are deposited in the General Revenue Fund.
Georgia
Statute - Ga. Code § 10-1-910 et seq.
A data breach is defined as the unauthorized acquisition of covered information that compromises the security, integrity, or confidentiality of covered information, excluding good-faith acquisitions by employees. Encrypted or redacted information, whose encryption key was not accessed is exempt from the statute. Data breach laws apply to data collectors and information brokers.
Notifications to Individuals
Available means of communication are written, telephone, or electronic notice consistent with E-SIGN. Notifications are to be sent immediately except when they might interfere with a criminal investigation.
Notifications to Regulators
All nationwide CRAs are to be informed as soon as possible if more than 10,000 individuals are affected. The notice needs to contain information on the timing, content, and distribution of the notification given to residents.
Covered Information
Covered information includes first and last name or first initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Credit or debit card numbers (if usable without additional info, passwords, and access codes)
- Account passwords, PINs, and access codes
- Applicable to covered information in electronic form only.
Any of the items listed above are considered covered information even without a first and last name or first initial and last name if they can be used for identity theft.
Penalties
Violations may be brought to action under the Fair Business Practices Act.
Hawaii
Statute - Haw. Rev. Stat. § 487N-1 et seq.
Hawaii defines a breach as unauthorized access or acquisition of information when illegal use of the information either has occurred or is likely to occur and to cause harm to the individual. Good-faith acquisitions by employees are exempt from this definition. Data breach laws are applicable to anyone directly dealing with covered information, excluding encrypted or redacted data whose encryption key has not been accessed.
Notifications to Individuals
Notifications are sent as soon as possible, but delays are acceptable if the notice might interfere with a criminal investigation or national security. The notice can be given in written, telephone or electronic form (if consistent with E-SIGN).
Notifications to Regulators
The Hawaii Office of Consumer Protection, as well as all nationwide CRAs are to be informed promptly and in writing if notices are sent to more than 1,000 residents. Anyone maintaining covered info must also immediately notify the entity of primary responsibility for the information in case of a breach.
Covered Information
Covered information includes first and last name or first initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Credit or debit card numbers, account passwords, or access codes allowing access to financial accounts
- Applicable to covered information in both electronic and paper form.
Penalties
The Attorney General or the executive director of the Office of Consumer Protection can initiate an action in case of violations with penalties of up to $2,500 per violation. Affected parties can be compensated in an amount equal to actual damages.
Idaho
Statute - Idaho Code § 28-51-104 et seq.
A data breach is defined as the unauthorized acquisition of covered information that compromises the security, integrity, or confidentiality of covered information, excluding good-faith acquisitions by employees. Data breach laws apply to anyone dealing directly with covered information. Encrypted or redacted information, whose encryption key was not accessed is exempt from the statute.
Notifications to Individuals
Notifications are sent as soon as possible, but delays are acceptable if the notice might interfere with a criminal investigation. The notice can be given in written form (sent to the last known address of the individual), telephone (if direct contact is made), or electronic form (if consistent with E-SIGN). No notice is necessary if it is deemed that no misuse has happened or will happen in the future. Anyone maintaining covered info must also immediately notify the entity of primary responsibility for the information in case of a breach.
Notifications to Regulators
The Idaho Attorney General is to be notified within 24 hours of the breach by state agencies.
Covered Information
Covered information includes first and last name or first initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Credit or debit card numbers, and any additional info allowing access to financial accounts
- Applicable to covered information in electronic form only.
Penalties
Any violation of section 28-51-105, Idaho Code may result in a civil action with fines up to $25,000 per breach.
Illinois
Statute - 815 Ill. Comp. Stat. 530/5 et seq.
The state of Illinois defines a data breach as the unauthorized acquisition of covered information that compromises the security, integrity, or confidentiality of covered information, excluding good-faith acquisitions by employees. Data breach laws apply to anyone dealing directly with covered information. Encrypted or redacted information, whose encryption key was not accessed is exempt from the statute.
Notifications to Individuals
Notices are to be sent as soon as possible in written or electronic form (if consistent with E-SIGN and if the individual has agreed to receive emails from the company). Electronic notices are acceptable even without E-SIGN compliance when user names and emails are involved in the breach so that the impacted individuals can promptly change all potentially accessed information. Delays are acceptable if the notice might interfere with a criminal investigation.
The following information needs to be specified in a consumer notice:
- Toll-free numbers and addresses for CRAs
- Toll-free number, address, and website for the FTC
- Notification that CRAs and the FTC can be contacted for any information on fraud alerts and security freezes
The notification does not need to specify the number of residents affected by the breach.
Notifications to Regulators
The Attorney General is to be informed within 5 days of notifying the U.S. Department of Health and Human Services (HHS) if the notification of HHS is needed for a breach under the HITECH Act.
Anyone maintaining covered info must immediately notify the entity of primary responsibility for the information in case of a breach and offer full cooperation.
Covered Information
Covered information includes first and last name or first initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Credit or debit card numbers, and any additional info allowing access to financial accounts
- Medical or health insurance information
- Unique biometric data used to authenticate an individual (fingerprints, retina or iris images etc.)
- Applicable to covered information in electronic form only.
Penalties
The Attorney General can initiate legal action and award penalties up to $50,000. In case a court decides the company meant to defraud, a civil penalty not exceeding $50,000 per violation can apply. Violations against senior citizens (65 years of age or older) are susceptible to further penalties in amounts up to $10,000 per violation (815 ILCS 530/20;505/7). Furthermore, anyone who has been harmed can also start a civil action under the Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/10a).
Indiana
Statute - Ind. Code § 24-4.9-1-1 et. seq.
Indiana defines a security breach as an unauthorized acquisition of computerized data that compromises the confidentiality, security, or integrity of a resident’s personal information. This also encompasses any paper documents that were at some point in the form of computerized data.
Good-faith acquisitions by employees are exempt from this definition.
Notifications to Individuals
Notifications about the breach have to be in accord with the law enforcement needs. Steps need to be taken in order to evaluate the scope of the breach and to enable the restoration of the data system. Database owners are obliged to notify the affected individuals about the breach of their unencrypted or encrypted personal information.
The notice may be sent in written or by electronic form. Other forms of notification are also possible if the cost of notifying residents reaches at least $250,000, more than 500,000 people need to be informed or contact information for the residents is missing.
Notifications to Regulators
Notification delays are accepted only if the notice interferes with a criminal investigation.
The Attorney General as well as all consumer reporting agencies are to be informed if notices are sent to more than 1,000 residents.
Covered Information
Covered information includes first name and last name or first initial and last name and one or more of the following elements:
- Social security number
- Driver’s license number or ID card number
- Account number, credit card number or debit card number
- Password, security code or access code for financial accounts
The following element do not constitute covered information:
Penalties
Actions may be initiated only by the Attorney General, with the maximum civil penalty not exceeding $150,000 per violation.
Iowa
Statute - Iowa Code § 715C.1 et seq.
The state of Iowa defines a breach as an unauthorized acquisition of personal information maintained in computerized form by a person who compromises the security, confidentiality, or integrity of the personal information. The breach also refers to information in any medium, including paper, that was transferred to that medium from a computerized form. Good-faith acquisitions by employees are exempt from this definition.
Notifications to Individuals
Notifications are sent as soon as possible, but delays are acceptable if the notice might interfere with a criminal investigation. The notice can be given in written form or, if preferred, electronic form. If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 350,000 people, other ways of notification may be used. The company may put a notice on its website or in print and broadcast media.
Notifications to Regulators
A written notice is to be sent to the director of the consumer protection division of the Attorney General within five days after the breach if more than 500 people need to be informed.
Covered Information
Covered information includes a person’s first name or first initial and last name and one of the following elements:
- Social security number
- Driver’s license number or unique ID number
- Financial account and its access code or password
- Routing code or electronic identifier and its security or access code
- Unique biometric data
Penalties
The Attorney General decides on the appropriate response to any violations.
Kansas
Statute - Kan. Stat. § 50-7a01 et seq.
A breach is defined as unauthorized access of unencrypted data or personal information that is maintained by an individual or organization that results in identity theft of a customer. Good-faith acquisitions by employees are exempt from this definition.
Notifications to Individuals
Notifications are sent as soon as possible and to those individuals likely to be harmed by the breach. Delays are acceptable if the notice might interfere with a criminal investigation.
Notifications to Regulators
All nationwide consumer reporting agencies have to be notified immediately if over 1,000 residents are to be notified about the breach.
Covered Information
Covered information includes first name and last name or first initial and last name and any of the following elements:
- Social security number
- Driver’s license or state ID number
- Credit card or debit card number
- Financial account number (and any passwords, security or access codes).
Penalties
The Attorney General decides on the appropriate response to any violations, except when it comes to insurance companies who have a license to operate in Kansas. The insurance commissioner is the one accountable for any violations done by state-licensed insurance companies.
Kentucky
Statute - Ky. Rev. Stat. § 365.732
Kentucky defines a breach as acquiring, distributing, disclosing, manipulating, destroying, or releasing unredacted or unencrypted data that is believed to have compromised the integrity, privacy, or security of that data by a person, a business, an agency or by a non-affiliated third party. Good-faith acquisition of data by an agent, employee, or non-affiliated third party is exempt from the definition.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately, except when it might interfere with a criminal investigation. Steps need to be taken in order to evaluate the scope of the breach and to enable the restoration of the data system. Anyone maintaining personal information data that they do not own must notify the owner or licensee of the data as soon as possible if a breach is suspected.
Notification may be provided in the form of a written notice or electronic notice (subject to stipulations). If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may put a notice on its website or in print and broadcast media.
Notifications to Regulators
Credit bureaus and consumer reporting agencies are to be informed immediately if notices are sent to more than 1,000 impacted people.
Covered Information
Covered information includes first name and last name, or first initial and last name, a personal identifying mark, a biometric image or a genetic print and one or more of the elements below:
- Bank account number
- Credit card or debit card number (and security or access codes, passwords, PINs)
- Social Security number or taxpayer ID number (including a SSN)
- Driver's license or state ID card number
- Individual identification number
- Passport number or other identification numbers made by the Federal government
- Health information (expect for education records)
Penalties
None.
Louisiana
Statute - La. Rev. Stat. § 51:3071 et seq. / La. Admin. Code tit. 16, § 701
A breach is defined as the unlawful acquisition of personal electronic data maintained by an individual, corporation, or government agency, that compromises the integrity, security and confidentiality of the data. Good-faith acquisitions by employees are exempt from this definition.
Notifications to Individuals
Notification may be provided in the form of a written notice or electronic notice (subject to stipulations in 15 USC 7001). If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a notice on its website or in print and broadcast media.
Notifications to Regulators
The Attorney General's office at the Consumer Protection Section is to be notified in writing immediately, specifying the details of the breach and listing the names of all impacted residents.
Covered Information
Covered information includes the unencrypted and unredacted first name (or first initial) and last name and one or more of the following elements:
- Social security number
- Driver's license number
- Bank/financial account number
- Credit/debit card number (and codes or passwords needed to access the account)
Penalties
If the Attorney General is not notified within 10 days of sending notices to impacted individuals, the company will be fined in an amount not exceeding $5,000 per violation. All subsequent days in which the notification is not sent are also susceptible to charge. Civil action is also possible if the residents are not notified in due time.
Maine
Statute - 10 Me. Rev. Stat. § 1346 et seq.
The state of Maine defines a breach as unauthorized acquisition, use or disclosure of an individual's electronic data that includes personally-identifying information compromising the integrity, security and confidentiality of the personal data maintained by a person, corporation, LLC, estate, partnership or any other entity (including Maine government agencies and departments and private educational institutions such as colleges and universities). Good-faith acquisitions are exempt from this definition.
Notifications to Individuals
Notification may be provided in writing or electronically (subject to US Code law). If the costs of notification are too high (over $5,000), there is not enough contact information, or the impacted number of individuals exceeds 1,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in the media.
Notifications to Regulators
All nationwide consumer reporting agencies have to be notified immediately if over 1,000 residents are to be notified about the breach, specifying the date, approximate number of individuals impacted, and the timing of the notification to those individuals.
Covered Information
Covered information includes the first name (or first initial) and last name and one or more of the elements below, (if none of these elements are redacted and encrypted):
- Social security number
- Driver's license number or an ID number
- Bank account number
- Credit or debit card number
- Personal identification numbers, account passwords or other access codes
Penalties
The Attorney General decides on the appropriate response to any violations for everyone, except the entities regulated or licensed by the State regulators of the Department of Professional and Financial Regulation. Fines do not go over $500 per violation, with the maximum being $2,500 per each day of violation. Equitable relief is also possible.
Maryland
Statute - Md. Code Com. Law § 14-3501 et seq.
In Maryland, a breach is an unauthorized acquisition of electronic data that compromises the integrity, security, and privacy of the data maintained by a business. Good-faith acquisitions are exempt from the definition.
Notifications to Individuals
Available means of communication are written notice, telephone, or email (if the individual gave consent to receiving such notifications from the company).
If the costs of notification are too high (over $100,000), there is not enough contact information, or the impacted number of individuals exceeds 175,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in the media.
The notice about the breach needs to include the type of information that was breached, contact information, address, and a toll-free number of the company and major consumer reporting agencies, the Federal Trade Commission, and The Office of the Attorney General, as well as recommended steps to avoid identity theft.
Notifications to Regulators
All nationwide CRAs are to be informed as soon as possible if more than 1,000 individuals are affected. The notice needs to contain information on the timing, content, and distribution of the notification given to residents.
Covered Information
Covered information includes first and last name, or first initial and last name and any of the elements below (if not encrypted, rendered unusable or redacted):
- Social security number
- Driver's license number
- Financial account number including credit/debit card information (with access codes and passwords)
- Individual Taxpayer ID number or state ID number
- Passport number
- Health information, insurance, HIPAA, and medical history data
- Biometric data
- User account information with security questions
Penalties
The Consumer Protection Act deals with all penalties and violations of this law.
Massachusetts
Statute - Mass. Gen. Laws 93H § 1 et seq.
A breach is defined as unauthorized access of unencrypted data or encrypted data (when the key to access the data is available), maintained by a person, corporation, legal entity or agency that compromises the confidentiality, security, or integrity of the personally identifying data. Good-faith acquisitions are exempt from the definition.
Notifications to Individuals
Available means of communication are written and electronic notices (subject to some provisions of the United States Code).
If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in the media.
Notifications to Regulators
The Attorney General and the office of consumer affairs and business regulation need to be notified promptly about the breach.
Covered Information
Covered information includes a person's first and last name, or first initial and last name and one or more of the elements below:
- Social Security number
- Driver's license number or state ID card number
- Bank account number
- Credit card or debit card number (with or without access or security codes, PINs or passwords enabling access to the account)
Penalties
The Attorney General decides on the appropriate response to any violations.
Michigan
Statute - Mich. Comp. Laws §§ 445.63, .72
A breach is defined as the illegal acquisition or authorization of personal information of one or more individuals that is maintained by a person or an agency. Situations, where the data has not been misused or shared with unauthorized people, do not constitute a breach. Good-faith acquisitions by employees or agents are also exempt from the definition.
Notifications to Individuals
The notice can be given in written form, by telephone (if direct contact is made) or electronic form.
If the costs of notification are too high (over $250,000), or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in the media.
Notifications to Regulators
All nationwide consumer reporting agencies have to be notified immediately if over 1,000 residents are to be notified about the breach.
Covered Information
Covered information includes the first name and last name or first initial and last name and one of the following elements:
- Social security number
- Driver license number or state ID card number
- Financial account number, demand deposit, credit card or debit card number in combination with a password, access code or security code enabling access to the financial account
Penalties
The first violation brings about a fine not exceeding $250 or imprisonment for a maximum of 93 days or both. The fine for the second violation is the amount of up to $500 or imprisonment for a maximum of 93 days or both. The third violation is punishable with no more than $750 or imprisonment of 93 days or both. The maximum penalty for multiple violations cannot go over $750,000.
Minnesota
Statute - Minn. Stat. § 325E.61.
In the state of Minnesota, a breach is any unauthorized access to electronic data maintained by a person or business that can compromise the integrity, confidentiality, and security of that computerized data. Good-faith acquisitions are exempt from the definition.
Anyone dealing with credit cards or debit cards for transaction purposes, can keep the security code, PIN, or magnetic stripe data for a maximum of 48 hours.
Notifications to Individuals
Notification may be provided in the form of a written notice or electronic notice (subject to stipulations). If the costs of notification are too high (over $250,000), or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
In case a company has established its own security policies and notification procedures (in accordance with the requirements of the security code), they can use them to inform impacted individuals if a breach occurs.
Notifications to Regulators
All major consumer reporting agencies have to be notified within 48 hours if over 500 residents are to be notified about the breach.
Covered Information
Covered information includes first name (or first initial) and last name and one or more of the data elements below:
- Social Security number
- Driver's license number and a state ID card number
- Financial account number
- Credit / debit card number (and security codes, passwords or access codes enabling access to the financial data)
Penalties
Keeping access data after 48 hours of the transaction as well as failure to give notification about the breach are seen as violations of the law.
A person or business is considered to be in violation if they fail to disclose a security breach or retain any access card transaction data for more than 48 hours after the transaction has been authorized. The Attorney General decides on the appropriate response to any violations under section 8.3.
Mississippi
Statute - Miss. Code § 75-24-29
A breach is defined as the unlawful acquisition of unencrypted or unreadable computerized data, including databases, electronic and media files that contain personal data of any Mississippi state resident-owned, licensed, or maintained by a person conducting business in the state.
Notifications to Individuals
Notices can be sent in writing, by telephone or electronically (subject to stipulations). If the costs of notification are too high (over $5,000), there is not enough contact information, or the impacted number of individuals exceeds 5,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in the media.
Notifications to Regulators
None required.
Covered Information
Covered information includes the first name and last name, or first initial and last name and one or more of the following elements:
- Social security number
- Driver's license or state ID number
- Bank account number
- Credit or debit card number (and security codes, passwords and access codes enabling access to the account)
Penalties
The Attorney General decides on the appropriate response to any violations.
Missouri
Statute - Mo. Rev. Stat. § 407.1500
A breach is defined as unauthorized access to personal information that is maintained electronically and has confidential information of the resident. Good-faith acquisitions are exempt from the definition.
Notifications to Individuals
Notification may be provided in the form of a written notice, electronic notice (subject to stipulations), or by telephone (if direct contact is made). If the costs of notification are too high (over $100,000), there is not enough contact information, or the impacted number of individuals exceeds 150,000 people, other ways of notification may be used. The company may send emails, put a notice on its website or in print and broadcast media.
Notifications to Regulators
The Attorney General is to be informed if notices are sent to more than 1,000 residents.
Covered Information
Covered information includes the first name and last name or first initial and last name and any data such as:
- Social security number
- Driver’s license number or state ID number
- A debit card number, credit card number or a financial account number (plus passwords, security and access codes)
- Unique routing code or electronic identifier (plus passwords, security or access codes)
- Health insurance information
- Medical information
Penalties
The Attorney General decides on the appropriate response to any violations with penalties going up to $150,000 per breach.
Montana
Statute - Mont. Code §§ 30-14-1701–1702, 1704
Montana defines a breach as the unauthorized acquisition of electronic data that significantly compromises the personal data's integrity, privacy and security maintained by an individual or a business and creates or is reasonably believed to have created damage and loss to a resident.
Notifications to Individuals
Notification may be provided in the form of a written notice, by telephone or electronic notice (subject to stipulations in 15 U.S.C. 7001). If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a visible notice on its website or in print and broadcast media.
Notifications to Regulators
The Attorney General at the Office of Consumer Protection (OCP) is to be notified immediately if two or more residents are to be notified about the breach. The electronic notice needs to contain information on the number of impacted individuals, the timing and distribution of the notification given to residents.
Insurance businesses are not obliged to notify the Attorney General's office, but the Commissioner of Insurance.
Covered Information
Covered information is any unencrypted data including a person's first and last name, or first initial and last name and any of the following elements:
- Social security number
- State ID, Tribal ID or driver's license number
- Bank account number
- Debit or credit card number (and a password, security or access code enabling access to the account)
- Medical record data
- Taxpayer ID / Unique ID issued by the US internal revenue service
Penalties
The department decides on the appropriate response to violations.
Nebraska
Statute - Neb. Rev. Stat. § 87-801 et seq.
A breaches an unauthorized acquisition of electronic data that has not been encrypted and compromises the integrity, security, and privacy of that data which is maintained by an individual or a commercial entity. Good-faith acquisitions by employees or agents do not fall under this definition, nor does obtaining the information for the purposes of a subpoena, court order or search warrant.
Notifications to Individuals
Notification may be provided in the form of a written notice, by telephone, or electronic notice (subject to stipulations). If the costs of notification are too high (over $75,000), or the impacted number of individuals exceeds 100,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Should the company have no more than 10 workers and notification costs go over $10,000, it may opt for notifications via email, paid quarter-page ads in a local paper (for 3 successive weeks), or visible notices on its website or in the local media.
Notifications to Regulators
The Attorney General is to be informed of a data breach at the same time as the impacted individuals.
Covered Information
Covered information includes the first name (or first initial) and last name and one or more of the unencrypted or unredacted elements below:
- Social security number
- Driver's license number or state ID card number
- Financial account number
- Credit/debit card number (and any passwords, access or security codes enabling access to the account)
- Unique electronic ID number or routing code (and passwords, security or access codes)
- Biometric data
- Login data (and information to access the account)
Penalties
The Attorney General can initiate legal action against violators and award damages to impacted residents.
Nevada
Statute - Nev. Rev. Stat. 603A.010 et seq.
The state of Nevada defines a breach as an unlawful acquisition of electronic data that compromises the confidentiality, integrity, and security of the personal data maintained by a data collector such as a corporation, government agency, financial or educational institution or any other type of business that collects, deals with or distributes private personal data. Good-faith acquisitions by employees or agents do not fall under this definition.
Notifications to Individuals
Notification may be provided in the form of a written notice or electronic notice (subject to stipulations under the Electronic Signatures in Global and National Commerce Act). If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Notifications to Regulators
All nationwide consumer reporting agencies have to be notified immediately if over 1,000 residents are to be notified about the breach. The notice needs to contain information on the timing, content, and distribution of the notification given to residents.
Covered Information
Covered information is the first name/first initial and last name and one or more of the following unencrypted elements:
- Social security number
- Driver’s license number/authorization or ID card number
- Bank account number
- Credit/debit card number and passwords, security or access codes enabling access to the account.
- Health insurance or medical ID number
- Username and password and security questions or access codes enabling access to the account
Last 4-digits of SSN, driver's license or authorization and identification card do not constitute covered information.
Penalties
Civil action, restitution, or injunction are the possible forms of penalty. The Attorney General or county district attorney decides on the appropriate short-term or permanent response to any violations.
New Hampshire
Statute - N.H. Rev. Stat. §§ 359-C:19– C:21; N.H. Rev. Stat. § 332-I:5
A breach is an unauthorized acquisition of electronic personal information that compromises the privacy or security of that information maintained by an individual, corporation, LLC, agency, government entity, or any other form of business. Good-faith acquisitions by employees or agents do not fall under this definition.
Notifications to Individuals
Notices are to be sent immediately by the company's primary method of communication with the customer (telephone, written or electronic form).
If the costs of notification are too high (over $5,000), there is not enough contact information, or the impacted number of individuals exceeds 1,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Notifications to Regulators
The Attorney General as well as all consumer reporting agencies are to be informed if notices are sent to more than 1,000 residents. Any trade or commerce businesses need to notify the regulatory body which has authority over that trade or commerce.
Covered Information
Covered information includes the first name (or first initial) and last name and one or more of the unencrypted elements below:
- Social security number
- Driver's license number
- Any other government ID number
- Financial account number
- Credit card or debit card number (and passwords, security and access codes)
- Public data in government records does not constitute covered information.
Penalties
The Attorney General can initiate legal action. Affected parties can be compensated in an amount equal to actual damages. In case the violation is found to be deliberate, the sum can be up to three times the amount of actual damages and no less than two times of that amount.
New Jersey
Statute - N.J. Stat. §§ 56:8-161, 163, 165 – 166
A breach is an unauthorized access to electronic files, media, or data containing personal information that compromises the security, confidentiality, or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately. Delay is accepted if the notice interferes with a criminal investigation or national security. No notice is necessary if it is deemed that no misuse has happened or will happen in the future, in which case a written record of that decision needs to be kept for five years.
Notifications to Regulators
Following the approval of the Division of State Police in the Department of Law & Public Safety, notices are sent to other regulators. All nationwide consumer reporting agencies have to be notified immediately if over 1,000 residents are to be notified about the breach.
Covered Information
Covered information includes the first name or first initial and last name of a person and one or more of the following:
- Social Security Number
- Driver’s License number
- State ID number
- Account number, credit card or debit card number (and security codes, access codes or passwords enabling access to the account)
Penalties
Civil actions, fines, the destruction of data, the implementation of the Corrective Action Plans, and cyber-security reforms.
New Mexico
Statute - N.M. Stat. §§ 57-12C-1 – 57-12C-12
A breach is an unauthorized procurement of unencrypted computerized data or encrypted computerized data when the encryption code or key has also been compromised. Good-faith acquisitions by employees or agents do not fall under this definition.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified within 45 days. Anyone maintaining covered information must notify the owner or licensee within 45 days of a breach. No notice is necessary if it is deemed that no misuse has happened or will happen in the future. Excluded from this is any individual subject to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996.
Notices are to be sent by the company's primary method of communication with the customer (written or electronic form). If the costs of notification are too high (over $50,000), there is not enough contact information, or the impacted number of individuals exceeds 100,000 people, other ways of notification may be used. The company may then send emails, put a prominent notice on its website or in print and broadcast media, or send a written notice to the Attorney General’s office.
Notifications to Regulators
The Attorney General as well as all consumer reporting agencies are to be informed within 45 days if notices are sent to more than 1,000 residents.
Covered Information
Covered information includes the first name or initial and surname and one or more of the following:
- Social Security Number
- Driver’s license or a state ID card number
- Biometric data
- Debit or credit card account numbers (and security and access codes or passwords)
Penalties
The Attorney General can initiate legal action with penalties up to $25,000. Fines anywhere from $10.00 to $150,000 are possible if the company does not send appropriate notifications to individuals and regulatory bodies.
New York
Statute - N.Y. Gen. Bus. Law § 899-aa
New York defines a breach as an unauthorized acquisition of digital data that compromises and endangers the security and privacy of personal information maintained by a business. Good-faith acquisitions by employees or agents do not fall under this definition.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately. Delay is accepted if the notice interferes with a criminal investigation or national security.
Notifications to Regulators
The offices of the Attorney General, the New York State Division of State Police, and the Department of the State’s Division of Consumer Protection need to be informed immediately if a breach occurs. All nationwide consumer reporting agencies also have to be notified immediately if over 500 residents are to be notified about the breach. The notice needs to contain information on the timing, content, and distribution of the notification given to residents.
Covered Information
New York State makes a distinction between personal information (name, number, personal mark, and other identifiers) and private information (social security number, driver’s license number, non-driver ID card number, account number, credit card or debit card number). The only information that constitutes a breach is private information.
Penalties
The Attorney General can initiate legal action and decide on the appropriate response. The court then awards damages and fines appropriate to the violation.
North Carolina
Statute - N.C. Gen. Stat. §§ 75-61, 75-65
North Carolina defines a breach as the acquisition of personal information, whether encrypted, unencrypted, or unredacted. Good-faith acquisitions are exempt from the definition.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately. Delay is accepted if the notice interferes with a criminal investigation or national security. Anyone maintaining covered information must immediately notify the owner or licensee in case of a breach.
Notification may be provided in the form of a written or electronic notice or by telephone. If the costs of notification are too high (over $250,000), or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may put a prominent notice on its website or in print and broadcast media.
Notifications to Regulators
The Attorney General is to be informed of a data breach at the same time as the impacted individuals. The notice should specify the number of individuals impacted, the timing of the notification to those individuals and further steps to be taken.
All consumer reporting agencies are to be informed if notices are sent to more than 1,000 residents.
Covered Information
Covered information includes first name or first initial and last name and one or more of the following:
- Social security or employer taxpayer ID numbers
- Driver’s license, State ID card, or passport numbers
- Personal Identification Code as defined in G.S. 14-113.8(6)
- Digital signatures
- Credit card, debit card, savings account or checking account (plus data needed to access them)
- Biometric data
Penalties
The Attorney General decides on the appropriate response to any violations, having all powers provided, but not exclusive to, chapter 51-15.
North Dakota
Statute - N.D. Cent. Code §§ 51-30-01 – 07
North Dakota defines a breach as an unauthorized acquisition of computerized personal information that is not encrypted, secured, or otherwise in an unreadable or unusable condition. Good faith acquisitions are exempt from the definition.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately. Delay is accepted if the notice interferes with a criminal investigation. Anyone maintaining covered information must immediately notify the owner or licensee in case of a breach.
Notification may be provided in the form of a written notice or electronic notice. If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Notifications to Regulators
If more than 250 residents must be notified, the Attorney General is also to be informed of the breach as soon as possible.
Covered Information
Covered information includes first name or first initial and last name and any of the following:
- Social security number
- Driver’s license or state ID numbers
- Financial account numbers (with passwords or access codes)
- Date of Birth
- Mother’s maiden name
- Medical information
- Health insurance identification or policy numbers
- Employer assigned ID number (with a password or access code)
- Digitized or other electronic signature
- Not applicable to publicly available records.
Penalties
The Attorney General decides on the appropriate response to any violations as provided in, but not exclusive to, North Dakota State Chapter 51-15.
Ohio
Statute - Ohio Rev. Code §§ 1349.19 – 192
A breach is unauthorized access and acquisition of computerized personal information that compromises the security or identity of residents in which potential risk for identity fraud or other fraud may be encountered. Good-faith acquisitions by employees or agents and acquisitions for judicial purposes, do not fall under this definition. The encrypted or redacted information is exempt from the statute.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified within 45 days. Delay is accepted if the notice interferes with a criminal investigation or national security. Anyone maintaining covered information must immediately notify the owner or licensee in case of a breach.
Notices are to be sent by the company's primary method of communication with the customer (telephone, written, or electronic form). If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Should the company have no more than 10 workers and notification costs go over $10,000, it may opt for notifications via email, ads in a local paper (for 3 successive weeks), or visible notices on its website or in the local media.
Trust companies, credit unions, and their affiliates, which have other notification requirements and are subject to examinations by their own regulators, are excluded from these data breach notification obligations.
Notifications to Regulators
All nationwide consumer reporting agencies have to be notified immediately if over 1,000 residents are to be notified about the breach.
Covered Information
Covered information includes first name or first initial and last name and any of the following:
- Social security number
- Driver’s license or state ID numbers
- Financial account numbers with passwords or access codes
Penalties
The Attorney General can initiate legal action with penalties including temporary restraining order and short-term or permanent injunction. Fines can go up to $1,000 a day (the first 60 days), $5,000 a day (after 60 days) or up to $10,000 a day (after 90 days of noncompliance).
Oklahoma
Statute - Ok. Stat., Tit. 24, §§ 161–166
Oklahoma defines a breach as “unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state.”
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately. Steps need to be taken in order to evaluate the scope of the breach and to enable the restoration of the data system. Delay is accepted if the notice interferes with a criminal investigation or national security.
Notification may be provided in the form of a written or electronic notice and by telephone. If the costs of notification are too high (over $50,000), there is not enough contact information, or the impacted number of individuals exceeds 100,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Notifications to Regulators
None required.
Covered Information
Covered information includes first and last name or first initial and last name of an individual and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Financial account numbers
- Credit or debit card numbers (plus any security or access codes)
- Applicable only to computerized data.
Penalties
The Attorney General or the district attorney of Oklahoma decide on the appropriate response to any violations under the Oklahoma Consumer Protection Act, with penalties not exceeding $150,000 per breach.
Oregon
Statute - Or. Rev. Stat. §§ 646A.600 - 646A.628
In the state of Oregon, a breach is defined as the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information that a person maintains or possesses.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified within 45 days. No notice is necessary if it is deemed that no misuse has happened or will happen in the future in which case this decision is to be kept in written form for 5 years. Steps need to be taken in order to evaluate the scope of the breach and to enable the restoration of the data system. Delay is accepted if the notice interferes with a criminal investigation.
Notifications to Regulators
If more than 250 residents must be notified, the Attorney General is to be informed of a data breach at the same time as the impacted individuals. All nationwide consumer reporting agencies also have to be notified immediately if over 1,000 residents are to be notified about the breach.
Covered Information
Covered information includes first name or first initial and last name (unencrypted and unredacted) and one or more of the following:
- Social security number
- Driver’s license number or state ID card number
- Passport number or other ID number
- Financial accounts, credit card and/or debit card numbers with security codes, access codes or passwords
- Biometric data
- Health insurance information
- Medical information
- Any of the items listed above are considered covered information even without a first and last name or first initial and last name if they can be used for identity theft.
Penalties
Anyone procuring, aiding, or abetting someone in violation of this act will have to pay a fine up to $1000 per violation. Individual penalties can go up to $500,000. Civil penalties are in accordance with Or. Rev. Stat. § 183.745.
Pennsylvania
Statute - 73 Pa. Stat. § 2301 et seq.
A breach is defined as unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or will cause loss or injury to a Pennsylvania resident.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately. Steps need to be taken in order to evaluate the scope of the breach and to enable the restoration of the data system. Delay is accepted if the notice interferes with a criminal investigation or national security.
Notifications to Regulators
All nationwide consumer reporting agencies have to be notified immediately if over 1,000 residents are to be notified about the breach.
Covered Information
Covered information includes first and last name or first initial and last name of an individual (if not encrypted or redacted)and one or more of the following: •Social Security number
- Driver’s license or state ID card number
- Financial account numbers
- Credit or debit card numbers (plus any security or access codes)
- Applicable only to computerized data.
Penalties
The Attorney General decides on the appropriate response to any violations, with no limitations on the extent of the penalties.
Rhode Island
Statute - R.I. Gen. Laws §§ 11-49.3-1–11-49.3-6
Rhode Island defines a breach as the unauthorized acquisition of unencrypted, computerized data compromising the security, integrity, or confidentiality of personal information, which is in the safekeeping of a municipal or state agency or individual. Good-faith acquisitions by employees or agents do not fall under this definition.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately. Notices need to include the number of impacted individuals, the type of info breached, the date and description of the breach, contact information, further steps to be taken, and info on the right to file a police report and freeze any credits.
Notification may be provided in the form of a written notice or electronic notice (subject to stipulations in 15 U.S.C. § 7001). If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Notifications to Regulators
The Attorney General as well as all credit reporting agencies are to be informed if notices are sent to more than 500 residents.
Delay is accepted if the notice interferes with a criminal investigation.
Covered Information
Covered information includes first name or initial and surname and one or more of the following:
- Social Security Number
- Driver’s license or a State ID card number
- Medical or health insurance information
- Debit or credit card account numbers with security, access codes or passwords
- Email address with security, access codes or passwords
Penalties
The Attorney General decides on the appropriate response to any violations with civil penalties going between $100 or $200 per violation.
South Carolina
Statute - S.C. Code Ann. § 39-1-90
A breach is unauthorized access and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person. Good-faith acquisitions are exempt from the definition.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately. Delay is accepted if the notice interferes with a criminal investigation or national security.
Notification may be provided in the form of a written or electronic notice and by telephone. If the costs of notification are too high (over $250,000) or there is not enough contact information, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Notices need to include the number of impacted individuals, the type of info breached, the date and description of the breach, contact information, further steps to be taken, and info on consumer assistance.
Notifications to Regulators
The Consumer Protection Division of the Department of Consumer Affairs as well as all consumer reporting agencies, are to be informed if notices are sent to more than 1,000 residents.
Covered Information
Covered information includes first name or initial and surname and one or more of the following:
- Social security number
- Driver’s license number or state ID card number
- Debit or credit card account numbers (with security, access codes or passwords)
- Any other numbers or identifying information enabling access to financial accounts
- Any unique information issued by the government or regulatory entity
Penalties
Failure to inform individuals is punishable by fines of $1,000 per affected individual. Exceptions include any institutions which comply with the Gramm-Leach-Bliley Act. Civilian rights include initiating a civil action to recover damages (in case of deliberate violations), starting a civil action limited to actual damages (in case of negligence), and enforcing compliance through an injunction.
South Dakota
Statute - SDCL §§ 22-40-19 - 22-40-26
A breach is the unauthorized attainment of unencrypted computerized data, or encrypted data with the encryption key which puts at risk the confidentiality, security or integrity of covered information. Good-faith acquisitions are exempt from the definition.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified within 60 days.
Notification may be provided in the form of a written notice or electronic notice (subject to stipulations in 15 U.S.C. § 7001). If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Notifications to Regulators
If more than 250 residents must be notified, the Attorney General is to be informed of a data breach at the same time as the impacted individuals.
All nationwide consumer reporting agencies and reporting agencies as defined by 15 U.S.C. § 1681a, also have to be notified immediately about the breach.
Delay is accepted if the notice interferes with a criminal investigation or national security.
Covered Information
Covered information includes a person’s first name or initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Debit, account or credit card numbers (with access or security codes)
- Health information
- Employee issued identification number (with security codes or passwords)
- Biometric data
- Applicable only to the data in electronic form.
Penalties
The Attorney General can initiate legal action and award penalties up to $10,000 dollars per day, per violation.
Institutions that comply with the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act of 1996 are excluded from these obligations.
Tennessee
Statute - Tenn. Code Ann. §§ 47-18-2105-2107
A breach is defined as the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. Good-faith acquisitions are exempt from the definition.
Notifications to Individuals
Notification may be provided in the form of a written notice or electronic notice (subject to stipulations). If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Notifications to Regulators
Credit bureaus and all consumer reporting agencies are to be informed if notices are sent to more than 1,000 residents. The notice needs to contain information on the timing, content, and distribution of the notification given to residents.
Covered Information
Covered information includes the first name and last name, or the first initial and last name and one or more of the elements below (if not encrypted):
- Social security number
- Driver's license number
- Financial account number
- Credit or debit card number (with passwords, security codes and/or access codes)
Not applicable to publicly available information.
Penalties
All impacted individuals or businesses can file a lawsuit to recover actual damages. Additional penalties under the Tennessee Consumer Protection Act can also apply.
Texas
Statute - Tex. Bus. & Com. Code §§ 521.002, 521.053, 521.151-152
Texas defines a breach as the unauthorized acquisition of electronic consumer data that compromises the privacy, security, and integrity of the personal identifying information of an individual. This also includes encrypted information, but only if the access key has also been breached. Good-faith acquisitions are exempt from the definition.
Notifications to Individuals
Notification may be provided in the form of a written notice or electronic notice (subject to stipulations). If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Notifications to Regulators
All nationwide consumer reporting agencies and credit bureaus have to be notified immediately if over 10,000 residents are to be notified about the breach.
The notice needs to contain information on the timing, content, and distribution of the notification given to residents.
Covered Information
Covered information includes the first name and last name, or first initial and last name and one or more of the following:
- Social security number
- Date of birth
- Mother's maiden name
- Government issued ID such as a driver's license
- Biometric data
- Unique computerized ID, routing code or address
- Financial account number
- Credit card or debit card number (with passwords, transaction codes, or PIN numbers)
- Medical information
- Healthcare provision and payment history
Penalties
Civil penalties from $2000 to $50,000 per violation apply for the failure to provide notifications about the breach. Each day that passes without notifications being provided is punishable by $100 per day per notification, the maximum being $250,000 per pending notification. The Attorney General can also give a restraining order or an injunction.
Utah
Statute - Utah Code §§ 13-44-101 et seq.
The state of Utah defines a breach as an unauthorized person acquiring computerized or electronic data of an individual that compromises the security, integrity and confidentiality of the sensitive information of that given individual. Good-faith acquisitions are exempt from the definition. Companies (excluding some financial institutions) need to destroy all personal information retained.
Notifications to Individuals
The notice can be given in written form (sent to the last known address of the individual), telephone (using lawful automated dialing systems) or electronic form (subject to stipulations). Other methods of notification are also possible provided that they comply with the Utah Code. In Utah, data protection laws can be applicable even outside the state in which case specific rules and procedures have to be followed.
Notifications to Regulators
None required.
Covered Information
Covered information includes the first and last name, or first initial and last name and one or more of the following (if not encrypted or unreadable):
- Social security number
- Financial or bank account number
- Credit card or debit card number (with passwords, security codes, or PIN numbers)
- Driver’s license number or state ID number
- Applicable to both paper and electronic records.
Penalties
The Attorney General decides on the appropriate response to any violations, with civil penalties of $2,500 per impacted individual, and up to $100,000 for violations affecting more than one resident.
Vermont
Statute - 9 V.S.A. §§ 2430, 2435
A breach is defined as the unauthorized acquisition, or the reasonable belief of such an acquisition, of electronic data that compromises the security, integrity and confidentiality of the information. Good-faith acquisitions are exempt from the definition. Certain provisions do not apply to some financial institutions.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified within 45 days. Delay is accepted if the notice interferes with a criminal investigation.
The notice can be given in written form (sent to the last known address of the individual), by telephone (if direct contact is made) or by email (if the previous two methods are not possible, or email has already been the primary form of communication with the individual).
If the costs of notification are too high (over $5,000), there is not enough contact information, or the impacted number of individuals exceeds 5,000 people, other ways of notification may be used. The company may put a prominent notice on its website or in print and broadcast media.
Notifications to Regulators
All credit reporting agencies have to be notified immediately if over 1,000 residents are to be notified about the breach. The notice needs to contain information on the timing, content, and distribution of the notification given to residents.
Covered Information
Covered information includes the first name and last name, or first initial and last name and any of the following elements:
- Social security number
- Driver's license number or non-driver identification number
- Bank/financial account number
- Credit or debit card number (with passwords and/or access codes)
- Financial account passwords, access codes or PIN numbers
- The front of a check with the individual's name, account and routing number, address and signature
Penalties
The Data Breach Notification Act has the same power as the Consumer Protection Act. The Attorney General can give injunctions or issue a Civil Investigative Demand, with civil penalties not exceeding $10,000 per violation. Each uninformed citizen counts as a separate violation.
Virginia
Statute - Va. Code § 18.2-186.6; Va. Code § 32.1-127.1:05; Va. Code § 58.1-341.2
Virginia defines a breach as unauthorized access of unencrypted electronic personal information or medical information that compromises the confidentiality or security of that information and is maintained as part of a collective database by an individual or entity, with reason to believe the breach has or will cause theft of personal identifying data to a resident. Good-faith acquisitions of personal and medical information are exempt from the definition.
Notifications to Individuals
Notification may be provided in the form of a written or electronic notice or by telephone. If the costs of notification are too high (over $50,000), there is not enough contact information, or the impacted number of individuals exceeds 100,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Notices need to include the type of info breached, the date and description of the breach,
contact information, further steps to be taken, and info on consumer assistance.
Notifications to Regulators
The Attorney General and all consumer reporting agencies are to be informed if notices are sent to more than 1,000 residents.
In case medical information has been breached, the Office of the Attorney General and the Commissioner of Health are to be informed as soon as possible.
Covered Information
Covered information includes the first and last name, or first initial and last name and one or more unencrypted or unredacted elements below:
- Social security number
- Driver’s license or state ID number
- Financial account number
- Credit card or debit card details (with passwords or PIN numbers)
- Medical information
- Treatment protocols or diagnosis
- Health insurance information
- Claims or appeals history
Penalties
The Attorney General decides on the appropriate response to any violations, with civil penalties going up to $150,000 per breach, or a set of similar breaches discovered at the same time.
Washington
Statute - Wash. Rev. Code § 19.255.010 et seq.
Washington defines a breach as an unauthorized acquisition of data owned or maintained by a business or person that compromises the security, confidentiality or integrity of personal information. Good-faith acquisitions are exempt from the definition. Encrypted or redacted information, whose encryption key was not accessed is also excluded from the statute.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately. Delay is accepted if the notice interferes with a criminal investigation or national security. No notice is necessary if it is deemed that no misuse has happened or will happen in the future.
Notification may be provided in the form of a written or electronic notice. If the costs of notification are too high (over $250,000), there is not enough contact information, or the impacted number of individuals exceeds 500,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Federal health insurance companies, some financial institutions and any other companies that have established their own security policies and notification procedures (in accord with the requirements of the security code), can use them to inform impacted individuals if a breach occurs.
Notifications to Regulators
If more than 500 residents must be notified, the Attorney General is to be informed of a data breach at the same time as the impacted individuals and no later than within 45 days. A copy of the notice to individuals should be provided as well as the number of residents affected.
Covered Information
Covered information includes first name or first initial and last name and one or more of the following:
- Social security number
- Driver’s license or state ID card number
- Financial account numbers with passwords or access codes
- Not applicable to publicly available personal information.
Penalties
The Attorney General decides on the appropriate response to any violations.
West Virginia
Statute - W.V. Code § 46A-2A-101 et seq.
In West Virginia, a breach is unauthorized access and acquisition of computerized personal information that is unencrypted or redacted in which there is probable cause for identity theft or other fraud to any resident of the state. Good-faith acquisition done by employees or agents are exempt from the definition. Encrypted or redacted information, whose encryption key was not accessed is also excluded from the statute.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately. Delay is accepted if the notice interferes with a criminal investigation or national security. Anyone maintaining covered information must immediately notify the owner or licensee in case of a breach.
Notification may be provided in the form of a written or electronic notice, or by telephone. If the costs of notification are too high (over $50,000), there is not enough contact information, or the impacted number of individuals exceeds 100,000 people, other ways of notification may be used. The company may send emails, put a prominent notice on its website or in print and broadcast media.
Companies that have established their own security policies and notification procedures (in accord with the requirements of the security code), can use them to inform impacted individuals if a breach occurs.
Notifications to Regulators
All nationwide consumer reporting agencies have to be notified immediately if over 1,000 residents are to be notified about the breach. The notices do not need to reveal any names or other personal information, just the timing and the scope of the breach.
Covered Information
Covered information includes first name or first initial and last name and one or more of the following:
- Social security number
- Driver’s license or state ID card number
- Financial account numbers with passwords or access codes
Not applicable to publicly available personal information.
Penalties
Only the Attorney General can initiate legal action against the violators. If notification obligations are not met, the Attorney General sees it as an unfair or deceptive act and responds accordingly. Civil action is possible only in case of recurring or deliberate violations. Maximum penalty does not go over $150,000 per breach for civil action cases. Financial institutions respond to their functional regulatory bodies.
Wisconsin
Statute - Wis. Stat. § 134.98
The statute is applicable to companies operating primarily in the state of Wisconsin and dealing directly with personal information, but also to companies doing business in Wisconsin, but not stationed in the State. It is mandatory for such businesses to notify any State residents in case of a breach of their personal information. Good-faith acquisitions done by employees and agents are exempt from the definition.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified within 45 days of the breach. The notice can be given by the company's primary method of communication with the customer.
Notifications to Regulators
All nationwide consumer reporting agencies have to be notified immediately if over 1,000 residents are to be notified about the breach. No notice is necessary if it is deemed that no misuse has happened or will happen in the future. Delay is accepted if the notice interferes with a criminal investigation or national security.
Covered Information
Covered information includes a person’s first name or initial and last name and one or more of the following:
- Social Security number
- Driver’s license or state ID card number
- Debit, account, or credit card numbers with access or security codes
- Biometric data
- DNA (defined in 939.74 (2d) (a))
Penalties
Anyone who assists in the violation or commits a data breach will be charged accordingly.
Wyoming
Statute - Wyo. Stat. §§ 40-12-501, 40-12-502
A breach is the unauthorized acquisition of computerized data if such acquisition compromises the privacy, integrity or security of the covered information held by an individual or entity and causes or could cause harm to a resident.
Notifications to Individuals
If it is estimated that the affected individuals will be harmed by the breach, they must be notified immediately. Delay is accepted if the notice interferes with a criminal investigation or national security. Notification may be provided in the form of a written or electronic notice.
Other ways of notification may be used if:
- The costs of notification are too high ($10,000 for those stationed in Wyoming, $250,000 for out-of-state companies doing business in Wyoming).
- There is not enough contact information
- The impacted number of individuals exceeds 10,000 for those stationed in Wyoming or 500,000 for out-of-state companies operating in Wyoming.
In such cases, the company may send emails, put a prominent notice on its website or in print and broadcast media. A toll-free information line number also has to be made available.
Notifications to Regulators
None required.
Covered Information
Covered information includes a person’s first name or initial and last name and one or more of the following:
- Address
- Telephone number
- Social Security Number
- Driver’s License Number
- Federal, state, or tribal identification number
- Debit, account, or credit card numbers with access or security codes
- A birth or marriage certificate
- Medical information
- Health insurance information
- Username or email address with a password
- Biometric data
- Tax ID number
- Information enabling data-based authentication (security tokens or shared secrets)
Penalties
The Attorney General initiates legal action and decides on the appropriate response to any violations.