Data breaches are alarmingly common today. In 2024 alone, the United States has (so far) witnessed 2,741 publicly disclosed breach incidents, compromising over 6 billion records.

One of the ways governments have responded to this crisis is by enacting data breach notification laws. These laws perform two key functions:

  1. Protect consumers from the fallout of breaches (fraud, identity theft, etc.)
  2. Keep companies transparent and accountable when breaches occur

This article will take you on a state-by-state tour of U.S. data breach laws. We'll unpack what each law entails, what it requires, how to comply, and the penalties for non-compliance.


The Patchwork System of U.S. Data Breach Laws

To date, the U.S. doesn't have a general federal data breach law, but not for lack of trying. Some federal laws like HIPAA and GLBA do include breach notification requirements, but only for the sectors they regulate (health care and financial services); they don't cover data breaches across the economy.

Instead, all 50 U.S. states have enacted their own laws, creating a patchwork of data breach regulations.

If your business has customers across multiple states or the entire U.S. market, managing data breach requirements is notably challenging because:

  • Each law defines "data breach" and "personal information" differently
  • Despite some similarities, each law has different triggers and timeframes for notifying consumers and the authorities about a breach
  • Notification requirements and penalties for non-compliance also vary by state

Long story short, a one-size-fits-all approach to compliance isn't feasible. To help you make sense of things, we've compiled the key data breach laws across all 50 U.S. states below.

While the breakdown below provides a solid starting point, it's a general overview of these laws, not legal advice. For added safety, we recommend consulting a legal professional to understand the nuances of the states you operate in.

Data Breach Laws by U.S. State

Alabama

The Alabama Data Breach Notification Act is the state's main data breach law. It applies to businesses that operate within the state or handle the "sensitive personally identifying information" of its residents, and experience a data breach.

Under Alabama's law, a data breach is defined as:

"the unauthorized acquisition of data in electronic form containing sensitive personally identifying information."

This definition notably excludes:

  • Good-faith data collection by an employee or agent for legitimate purposes
  • Disclosure of public records not bound by confidentiality agreements
  • Investigations carried out by law enforcement agencies

Notification Requirements

If a data breach is reasonably likely to cause "substantial harm" to consumers, Alabama's law requires you to notify affected consumers as expeditiously as possible and without unreasonable delay, and in any case no later than 45 days after you determine that the breach occurred and is likely to cause substantial harm. You can send this notice to consumers by mail or email.

For breaches affecting over 1,000 Alabama residents, you must also notify the Alabama Attorney General and all consumer reporting agencies. You can notify the Attorney General via the Attorney General's online breach notification form.

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency determines that sending them could hinder a criminal investigation or jeopardize national security.
  2. Third parties who suffer data breaches must notify the relevant businesses within 10 days.
  3. Compliance with federal laws like HIPAA or GLBA exempts you from all notification requirements except the notice to the Attorney General when affected consumers exceed 1,000.
  4. You can use substitute notice (a conspicuous notice on your website together with notice in print and broadcast media) if any of the following is true:

    • The cost of sending notifications is over $500,000,
    • The number of affected consumers adds up to more than 100,000 people, or
    • You're missing sufficient contact details to notify affected consumers

Types of Personal Information Protected

Alabama's data breach law protects "sensitive personally identifying information." It defines this as:

An Alabama resident's first name or first initial and last name, along with at least one of the following data elements:

  • A non-truncated Social Security or tax ID number
  • A non-truncated driver's license, passport, military ID or other government ID numbers
  • Financial account numbers in combination with any security or access codes needed to use the financial account
  • Health records or health insurance policy numbers
  • Online usernames or email addresses in combination with a password or security question and answer

Keep in mind that Alabama's data breach law only applies to personal information in electronic form, not paper records. And the data type defined above excludes publicly available information.

Penalties for Non-Compliance

Non-compliance with Alabama's data breach law is considered an unlawful trade practice under Alabama's Deceptive Trade Practices Act. Enforcement rests exclusively in the hands of Alabama's Attorney General.

Violators are liable to civil penalties of up to $5,000 per day for each consecutive day they fail to comply. Civil penalties are capped at $500,000 per breach.

Alaska

Alaska's Personal Information Protection Act is the law overseeing data breach notifications in the state. It applies to "covered persons" (any person doing business in the state, any governmental agency, and any other person with more than 10 employees) that own, license or maintain covered information and suffer a "breach of security" involving the personal information of Alaska's residents.

Under Alaska's law, a breach of security means:

"unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector..."

That said, good-faith data acquisitions by employees or agents for legitimate purposes are exempt from this definition.

Notification Requirements

If a breach of security occurs, Alaska's law requires you to notify affected consumers as soon as possible and without unreasonable delay. In other words, Alaska's law doesn't specify a concrete timeframe for notifying consumers.

The duty to notify is triggered by the unauthorized acquisition itself; it doesn't depend on whether the person who acquired the data has since used it for a lawful or unlawful purpose.

You can send notifications to consumers using either written or electronic notice in compliance with the E-SIGN Act.

If affected consumers exceed 1,000, you must also notify all consumer credit reporting agencies immediately. Your notice must include details about the timing and content of the notification sent to consumers.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency determines that it would interfere with a criminal investigation.
  2. Notification isn't required if, after an appropriate investigation and after written notice to the Alaska Attorney General, you determine there is no reasonable likelihood that the breach has harmed or will harm consumers. You must document that determination in writing and keep it for five years.
  3. You can use substitute notices like sending emails, posting the breach on your website, or notifying major state-wide media if any of the following is true:

    • The cost of sending notices exceeds $150,000,
    • The number of affected consumers exceeds 300,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Alaska's data breach law protects "personal information" in both electronic and paper form.

It defines personal information as:

An Alaska resident's first name or first initial and last name combined with at least one of the following data elements when the name or information are not redacted or encrypted:

  • Social Security number
  • Driver's license number or state ID card number
  • Financial accounts or credit/debit card numbers on their own if no access code is required to use them
  • Passwords, PINs, and other account access information
  • Any of the above if sufficient to steal or attempt to steal a person's identity

Penalties for Non-Compliance

Non-compliance with Alaska's data breach notification law attracts civil penalties of up to $500 for each resident not notified. Fines are capped at $50,000 per incident.

Arizona

Arizona's data breach law applies to entities conducting business in the state that own, maintain, or license personal information and experience a breach. The legal text sits at A.R.S. §§ 18-551 and 18-552.

Under Arizona's data breach law, a breach is:

"an unauthorized acquisition of and unauthorized access that materially compromises the security or confidentiality of unencrypted and unredacted computerized personal information maintained as part of a database of personal information regarding multiple individuals."

Like many other state laws, Arizona's breach definition excludes good faith data acquisitions by an employee or agent for legitimate purposes.

Notification Requirements

If a breach occurs, Arizona's law requires you to notify affected residents within 45 days unless an investigation determines that the breach is not likely to cause substantial economic loss to consumers.

For breaches affecting over 1,000 Arizona residents, you must also notify:

  1. The three largest nationwide consumer reporting agencies
  2. The Arizona Attorney General, via the Attorney General's breach notification form
  3. The Director of the Arizona Department of Homeland Security

In practice, you can notify affected consumers via mail, email, or telephone (if made directly with affected consumers).

Some important caveats to take note of:

  1. You can delay notification if law enforcement determines that it would hinder a criminal investigation.
  2. Compliance with relevant federal regulations or other laws with identical breach obligations exempts you from Arizona's breach notice requirements.
  3. You can use substitute notice (a written letter to the Attorney General explaining why substitute notice is warranted, together with a conspicuous notice posted on your website for at least 45 days) if any of the following is true:

    • The cost of sending notifications is over $50,000,
    • The number of affected consumers exceeds 100,000, or
    • You don't have sufficient contact details to notify affected consumers

Types of Personal Information Protected

Arizona's data breach law protects personal information containing:

An Arizona resident's first name or first initial and last name, plus one or more of the following data elements:

  • Social Security number
  • Driver's license, state ID, or passport number
  • Financial account numbers (such as credit/debit card numbers) in combination with any access or security codes required to use the financial account numbers
  • Taxpayer ID number
  • Health insurance ID number
  • Medical or mental health diagnosis or unique biometric data
  • Username or email address, along with the password for an online account

It's worth noting that the law applies only to computerized/electronic data, not paper records.

Penalties for Non-Compliance

A knowing and willful violation of Arizona's data breach notification law is an unlawful practice under the Arizona Consumer Fraud Act.

Enforcement rests exclusively in the hands of Arizona's Attorney General, who can seek civil penalties of up to $10,000 per affected consumer. The maximum penalty per breach or series of related breaches is set at $500,000.

Arkansas

The Arkansas Personal Information Protection Act is the primary law regulating data breaches in the state.

Arkansas's law applies to entities that acquire, own, or license the computerized personal information of Arkansas residents and experience a breach.

The law defines a breach as:

"unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person or business."

Like many others, Arkansas's data breach law excludes good-faith data acquisition by employees or agents for legitimate purposes, if the personal information is not otherwise used or subject to further unauthorized disclosure.

Notification Requirements

Arkansas law requires you to notify affected consumers about a security breach immediately following discovery, in the most expedient time and manner possible. That said, notification isn't necessary if an investigation finds that there's no reasonable likelihood of harm to consumers.

You can notify consumers using either written or electronic notice in compliance with the E-SIGN Act.

For breaches affecting over 1,000 Arkansas residents, you must also notify the Arkansas Attorney General (via the Attorney General's breach notification form) at the same time you notify consumers, or within 45 days of determining that there is a reasonable likelihood of harm to consumers, whichever comes first.

Some important caveats to take note of:

  1. You can delay notification if law enforcement determines that it would impede a criminal investigation.
  2. Businesses that already maintain identical notification procedures as Arkansas data breach law are considered already compliant under this law.
  3. You can use alternative notice methods like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices exceeds $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Arkansas's law protects personal information, which it defines as:

An Arkansas resident's first name or first initial and last name, combined with one or more of the following:

  • Social Security number
  • Driver's license number or Arkansas state ID card number
  • Financial account numbers in combination with any required access codes
  • Biometric data
  • Medical information

Like many others, Arkansas's personal information definition excludes encrypted or redacted data with an encryption key that's not compromised. Publicly available information is also exempt from this definition.

Penalties for Non-Compliance

Non-compliance with Arkansas's data breach notification law is considered a breach of Arkansas's Deceptive Trade Practice Code. Sanctions rest exclusively in the hands of Arkansas's Attorney General.

California

California's data breach law was the first of its kind in the United States. The legal text sits at Sections 1798.80 to 1798.84 of the California Civil Code, with the breach notification requirements in Section 1798.82.

California's data breach law applies to any person or business that conducts business in California, owns or licenses computerized data containing personal information, and suffers a security breach. The law defines a breach as:

"unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."

This definition notably excludes good-faith data collection by an employee or agent for legitimate business purposes.

Notification Requirements

Under California's law, you must notify affected consumers of a breach (or suspected breach) "in the most expedient time possible and without unreasonable delay..."

In other words, the law doesn't specify a concrete timeframe for notifying affected consumers. You can send breach notifications to consumers using either written or electronic notice in compliance with the E-SIGN Act.

Consumer notices must be written in plain language with at least a size 10 font, and include the following:

  • Name and contact information of the person or business reporting the breach
  • A list of the types of personal information involved or believed to be involved in the breach
  • The date of the breach, if known, or an estimation of it
  • The date of the notice
  • Whether notification was delayed because of a law enforcement investigation, if it's possible to determine this at the time the notice is provided
  • A general description of the breach, if available at the time of the notice
  • Toll-free numbers and addresses of major credit reporting agencies if the breach involves a Social Security number, driver's license number, or California ID card number

At the discretion of the person or business providing the notice, the following information may also be included in the notice:

  • What steps the person or business has done to protect the individuals whose information has been breached
  • Advice on steps that these people can take to help protect themselves from damages from the breach
  • In cases of breached biometric data, instructions on how to notify other businesses or individuals that used that data for authentication purposes that they should no longer rely on it, since it has been compromised

For breaches affecting over 500 California residents, you must also notify the California Attorney General (with a sample copy of the consumer notice) via the Attorney General's breach notification form.

Some important caveats to take note of:

  1. You can delay notifications if law enforcement determines that it could impede a criminal investigation or if you must take measures to fix system vulnerabilities.
  2. A HIPAA covered entity that has fully complied with the HITECH Act's breach notification requirements is deemed to have complied with California's requirements for the content of consumer notices.
  3. You can use substitute notice, which means all of the following: sending emails where you have email addresses, posting a conspicuous notice on your website for at least 30 days, and alerting major statewide media, if any of the following is true:

    • The cost of sending notifications is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact details to notify affected consumers

Type of Personal Information Protected

California's data breach law protects "personal information," which it defines as:

A California resident's first name or first initial and last name, along with at least one of the following (unencrypted) data elements:

  • Social Security number
  • Driver's license number, California state ID card number, tax ID number, military ID, passport number or other government-issued ID numbers
  • Financial accounts or credit/debit card numbers along with relevant security/access codes
  • Medical or health insurance information
  • Certain unique biometric data
  • Data collected via automated license plate recognition systems
  • Genetic data

A username or email address in combination with a password or security question and answer that would permit access to an online account also counts as personal information, with or without the resident's name.

Penalties for Non-Compliance

Non-compliance with California's data breach law can trigger civil action from California residents thanks to the law's private right of action. This means consumers can sue your business to recover the damages they incurred as a result of your non-compliance.

For a more in-depth breakdown of California's data breach law, check out our article: California Data Breach Law.

Colorado

Colorado's data breach law applies to businesses that handle the personal information of Coloradans and experience a "security breach."

Under Colorado's law, a security breach means:

"unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity..."

That said, good-faith data acquisitions by employees or agents for legitimate purposes are exempt from this definition.

Notification Requirements

In the event of a security breach, Colorado's law requires you to notify affected consumers without unreasonable delay, and no later than 30 days after determining that the breach occurred.

You can send notices to consumers using any of the following:

  • Written notice
  • Telephonic notice
  • Electronic notice in compliance with the E-SIGN Act.

If the number of affected consumers exceeds 500, you must also notify Colorado's Attorney General (via the Attorney General's breach notification form) no later than 30 days after determining that the breach occurred.

If more than 1,000 consumers are affected by the breach, you must also notify major consumer reporting agencies without unreasonable delay.

Some important caveats to take note of:

  1. You can delay notification for the legitimate needs of Colorado's law enforcement or to determine the breach's scope and address system vulnerabilities.
  2. You don't have to send notices if an investigation finds that the information has not been misused and is not reasonably likely to be misused.
  3. Compliance with federal laws like HIPAA or GLBA exempts you from most notification requirements except the notice to the Attorney General when affected consumers exceeds 500.
  4. If other applicable laws provide different timeframes, you must comply with the law having the shortest time frame.
  5. You can use substitute notices like sending emails, posting the breach on your website, or notifying a state-wide media agency if any of the following is true:

    • The cost of sending notices is over $250,000,
    • The number of affected Coloradans exceeds 250,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Colorado's data breach law protects "personal information," which it defines as:

A Colorado resident's first name or first initial and last name, plus at least one of the following (unencrypted) data elements:

  • Social Security number
  • Student, military, or passport ID number
  • Driver's license number or ID card number
  • Medical information
  • Health insurance ID number
  • Biometric data
  • Username or email address in combination with password or security questions and answers that would allow access
  • Financial account number or credit/debit card number in combination with any required security or access code required to access the account

Penalties for Non-Compliance

Non-compliance with Colorado's data breach law can trigger legal action from the state's Attorney General, who can seek injunctive relief and direct economic damages resulting from a violation.

Connecticut

Connecticut's data breach law sits at Conn. Gen. Stat. § 36a-701b. This law applies to entities that handle the personal information of Connecticut residents and experience a "breach of security."

Under Connecticut's law, a breach of security means:

"unauthorized access to or unauthorized acquisition of electronic files, media, databases or computerized data, containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable..."

Notification Requirements

Under Connecticut's law, you must notify affected consumers of a breach of security without unreasonable delay and no later than sixty (60) days after discovering the breach.

You must also notify the Connecticut Attorney General (via the Attorney General's breach notification form) no later than the time you notify consumers. In other words, you'll have to sync the timing of your notifications to both consumers and the Attorney General.

You can send notices to consumers using any of the following:

  • Written notice
  • Telephonic notice
  • Electronic notice in compliance with the E-SIGN Act

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency determines that it would impede a criminal investigation.
  2. Notification isn't necessary if the breach is unlikely to result in harm to consumers.
  3. Compliance with laws like HIPAA or HITECH exempts you from all notification requirements except the notice to the Connecticut Attorney General.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Connecticut's data breach law defines personal information as:

A Connecticut resident's first name or first initial and last name in combination with one or more of the following:

  • Social Security number
  • Taxpayer ID number
  • Driver's license, passport numbers, or other government-issued ID numbers
  • Credit or debit card numbers
  • Identity protection PIN issued by the IRS
  • Medical or biometric information
  • Financial account numbers with required password or access/security codes
  • Username or email address with a password
  • Health insurance policy numbers or unique identifiers

If a Connecticut resident's Social Security number or taxpayer ID number is compromised in a breach, you must offer them 24 months of identity theft prevention services (and, where applicable, identity theft mitigation services) at no cost.

Penalties for Non-Compliance

Non-compliance with Connecticut's data breach law is considered an unfair trade practice under section 42-110b. Enforcement rests exclusively in the hands of Connecticut's Attorney General.

Delaware

The Delaware data breach law sits at Title 6, Chapter 12B of the Delaware Code. This law applies to entities that do business in the state, handle the personal information of Delaware residents, and experience a "breach of security."

Under Delaware's law, a breach of security is:

"The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information... "

This definition notably excludes good-faith data collection by an employee or agent for legitimate purposes.

Note that if the exposed data is encrypted, it's not considered a security breach unless the encryption key is reasonably believed to be compromised.

Notification Requirements

If you experience a breach of security, Delaware's law requires you to notify affected consumers without unreasonable delay at most 60 days after discovering the breach.

You don't have to send notices if an investigation finds that the breach is unlikely to cause harm to affected consumers.

For breaches affecting over 500 Delaware residents, you must also notify the Delaware Attorney General (via the Attorney General's web form or PDF form) no later than the time you notify affected consumers.

You can send notices to consumers using any of the following:

  • Written notice
  • Telephonic notice
  • Electronic notice in compliance with the E-SIGN Act

Some important caveats to take note of:

  1. You can delay notifications if law enforcement determines that sending them could hinder a criminal investigation.
  2. Applicable federal laws with shorter breach notification timeframes supersede Delaware's data breach law.
  3. Compliance with federal laws like HIPAA and GLBA exempts you from all notification requirements as long as you observe their notice requirements.
  4. You can use substitute notices like sending emails, posting the breach notice on your website, or alerting major statewide media if any of the following is true:

    • The cost of sending notifications is over $75,000,
    • The number of affected consumers exceeds 100,000, or
    • You don't have enough contact information to notify affected consumers

Types of Personal Information Protected

Delaware's data breach law protects "personal information," which it defines as:

A Delaware resident's first name or first initial and last name, along with at least one of the following data elements:

  • Social Security number
  • Driver's license number
  • State or federal ID card number
  • Account number or credit/debit card number with required password, or access/security code
  • Passport number or taxpayer ID number
  • A username or email address with a password or security question and answer that would provide access to the account
  • Medical history, medical treatment, or diagnosis of mental or physical condition, or DNA profile
  • Health insurance policy number, subscriber ID number, or any other unique identifier used by a health insurer for identification purposes
  • Biometric data

Note that if the breach of security includes a Social Security number, you must offer affected consumers 1 year of credit monitoring services for free.

You must also provide all necessary information for consumers to enroll in these services and place a credit freeze on their file.

Penalties for Non-Compliance

Violations of Delaware's data breach law can result in legal action from the state's Attorney General who can seek "appropriate relief" to recover direct economic damages as a result of a violation.

Florida

The Florida Information Protection Act is the primary law overseeing data breach notifications in the state. This law applies to any entity that experiences a "breach of security" involving the personal information of Florida's residents.

Under Florida's law, a breach of security is an "unauthorized access of data in electronic form containing personal information..."

Like many other state laws, Florida's breach definition excludes good faith data access by an employee or agent for legitimate business purposes.

Notification Requirements

In the event of a breach, Florida's law requires you to notify affected consumers as quickly as possible but not later than 30 days after discovering the breach (unless an authorized delay is allowed).

In practice, you must notify affected consumers via a written notice sent to their mailing addresses or an electronic notice sent to their email addresses.

For breaches affecting 500 or more Florida residents, you must also notify the Florida Department of Legal Affairs within 30 days of discovering the breach.

You can request a 15-day extension if you have a legitimate reason. That said, you must provide the reason in writing to the Department of Legal Affairs within the original 30-day timeframe.

For breaches affecting more than 1,000 Florida residents, you must also notify all consumer reporting agencies "without unreasonable delay."

Some important caveats to take note of:

  1. You can delay notification if law enforcement determines that it would interfere with a criminal investigation.
  2. Notification isn't necessary if, after an investigation and consultation with law enforcement, you determine that the breach is not likely to result in identity theft or any other financial harm to consumers. You must document this determination in writing, provide it to the Department of Legal Affairs within 30 days, and keep it for at least five years.
  3. Third parties who experience a breach must notify the relevant data owners within 10 days.
  4. You can use substitute notices like posting a conspicuous notice of the breach on your website or in print/broadcast media if any of the following is true:

    • The cost of sending notifications is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have the mailing or email addresses to notify affected consumers

Types of Personal Information Protected

The following is protected personal information:

A Florida resident's first name or first initial and last name, along with one or more of the following data elements:

  • Social Security number
  • Driver's license number, state ID number, or passport number
  • Military ID number, or other government-issued ID number
  • Financial account number or credit/debit card number plus any required password or security/access code
  • Medical history, mental or physical condition, medical treatment, or diagnosis
  • Health insurance policy number, subscriber ID number, or similar unique identifiers used by health insurance providers for identification purposes

Usernames or email addresses along with the necessary password or security question and answer also count as personal information.

Keep in mind that personal information doesn't include publicly available information or encrypted/secured data that renders the information unusable.

Penalties for Non-Compliance

Non-compliance with Florida's data breach law is considered an unfair or deceptive trade practice under Section 501.207 of Florida's Statutes.

Violators are liable to civil penalties of up to $500,000 administered as follows:

  • $1,000 a day up to the first 30 days after the violation
  • $50,000 for each subsequent 30-day period
  • Up to $500,000 if the violation goes on for over 180 days

The law doesn't allow for a private cause of action (i.e., legal action from consumers) and all proceeds from penalties are deposited in the General Revenue Fund.

Georgia

Georgia's data breach law sits at Sections 10-1-911 to 10-1-912 of Georgia's Official Code. It's otherwise known as the Georgia Personal Identity Protection Act.

This law applies to information brokers and data collectors who do business in Georgia or cater to its residents and experience a "breach of security."

Under Georgia's law, a breach is defined as:

"unauthorized acquisition of an individual´s electronic data that compromises the security, confidentiality, or integrity of personal information of such individual maintained by an information broker or data collector."

Like other state laws, Georgia's breach definition excludes good faith data acquisition or use by an employee or agent for legitimate business purposes.

Notification Requirements

If you experience a breach involving the unencrypted personal information of Georgia's residents, Georgia's law requires you to notify affected consumers in "the most expedient time possible and without unreasonable delay."

In other words, the law doesn't specify a concrete timeframe for notifying affected consumers.

You can send notices to consumers using any of the following:

  • Written notice
  • Telephonic notice
  • Electronic notice in compliance with the E-SIGN Act

For breaches affecting more than 10,000 Georgia residents, you must also notify all major consumer reporting agencies without unreasonable delay.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would compromise a criminal investigation or if you need time to determine the breach's scope and address system vulnerabilities.
  2. Third parties who experience a breach must notify the relevant information brokers and data collectors within 24 hours.
  3. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notifications is over $50,000,
    • The number of affected consumers exceeds 100,000, or
    • You don't have sufficient contact information to notify affected consumers

Types of Personal Information Protected

Georgia's data breach law protects "personal information," which it defines as:

A Georgia resident's first name or first initial and last name, combined with at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or state ID card number
  • Account number or credit/debit card number (if it can be used without additional information, access codes, or passwords)
  • Account passwords, PINs, or other access codes

Notably, all of the above are considered personal information even without a first name or first initial and last name if they can be used for identity theft.

Keep in mind that personal information doesn't include publicly available information or encrypted/redacted data that make the information unusable.

Penalties for Non-Compliance

Non-compliance with Georgia's data breach law is considered an unlawful practice under the state's Fair Business Practices Act.

Violators are liable to civil penalties of up to $100 for each offense against a specific consumer, among other penalties.

Hawaii's data breach notification law applies to businesses that handle the personal information of Hawaii's residents and experience a "security breach."

Under Hawaii's law, a security breach means:

"an incident of unauthorized access to and acquisition of unencrypted or unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur and that creates a risk of harm to a person"

Like other state laws, Hawaii's security breach definition excludes good faith data acquisition by an employee or agent for legitimate business purposes.

Notification Requirements

Under Hawaii's law, you must notify affected consumers of a security breach "without unreasonable delay." Notably, the law doesn't specify a concrete timeframe for sending notifications.

You can send notices to consumers using any of the following:

  • Written notice
  • Electronic notice in compliance with the E-SIGN Act
  • Telephonic notice (if made directly to affected consumers)

For security breaches affecting more than 1,000 Hawaii residents, you must also notify the Hawaii Office of Consumer Protection and all consumer reporting agencies without unreasonable delay.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency determines that it would impede a criminal investigation or threaten national security.
  2. Third parties who experience a breach must notify the relevant data owners or licensees immediately after discovering the breach.
  3. Compliance with federal laws like HIPAA exempts you from Hawaii security breach notification requirements.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices is over $100,000,
    • The number of affected consumers exceeds 200,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Hawaii's data breach law protects "personal information." It defines this as:

An individual's first name or first initial and last name in combination with one or more of the following (unencrypted) data elements:

  • Social Security number
  • Driver's license number or Hawaii ID card number
  • Account number or credit/debit card number, along with relevant access codes or passwords

Like other laws, Hawaii's data breach law excludes publicly available information from its definition of personal information.

Penalties for Non-Compliance

Non-compliance with Hawaii's data breach law attracts civil penalties of up to $2,500 per violation. Violators will also be liable for actual damages suffered by affected consumers as a result of the violation.

Enforcement actions can be brought by Hawaii's Attorney General or the executive director of Hawaii's Office of Consumer Protection.

Idaho's data breach law sits at Section 28-51-104 of the Idaho State Code. This law applies to individuals, businesses, and state agencies that handle the personal information of Idaho's residents and experience a "breach of the security of the system."

Under Idaho's law, a breach means:

"illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one or more persons maintained by an agency, individual, or a commercial entity"

Like other state laws, Idaho's breach definition excludes good faith data acquisition by an employee or agent for legitimate business purposes.

Notification Requirements

Idaho's data breach law requires individuals, businesses, and agencies that experience a breach to investigate whether the compromised information has been or is likely to be misused.

If the investigation finds that misuse has occurred or is likely, the law requires you to notify affected consumers "in the most expedient time possible and without unreasonable delay."

Notably, the law doesn't specify a concrete timeframe for individuals and businesses to send notifications. It also doesn't require individuals and businesses to notify the Idaho Attorney General's office (though they may choose to).

That said, state agencies must notify the Idaho Attorney General within 24 hours of discovering a breach.

You can send notices to consumers using any of the following:

  • Written notice
  • Telephonic notice
  • Electronic notice in compliance with the E-SIGN Act

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would interfere with a criminal investigation or if you need time to determine the breach's scope and address system vulnerabilities.
  2. Third parties who suffer a breach must notify the relevant data owners or licensees immediately after discovering the breach.
  3. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices is over $25,000,
    • The number of affected consumers exceeds 50,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Under Idaho's data breach law, personal information is:

An Idaho resident's first name or first initial and last name combined with at least one of the following (unencrypted) data elements:

  • Social Security number
  • Driver's license number or Idaho ID card number
  • Account number, or credit/debit card number, along with relevant password or security/access code

Note that the law only applies to personal information in its electronic form, not paper records. This definition also excludes publicly available information.

Penalties for Non-Compliance

Non-compliance with Idaho's data breach law attracts civil penalties of up to $25,000 for each security breach where notice is intentionally not given.

Enforcement actions can only be brought by the "primary regulator," typically Idaho's Attorney General.

Illinois data breach law sits at Section 815 ILCS 530 of its Statutes. It's otherwise known as the Illinois Personal Information Protection Act.

This law applies to "data collectors" who do business in Illinois or handle the personal information of its residents and experience a security breach.

Under Illinois law, a security breach is defined as:

"unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector."

Like other state laws, the Illinois breach definition excludes good faith data acquisition or use by an employee or agent for legitimate business purposes.

Notification Requirements

If a data breach occurs, Illinois law requires you to notify affected consumers (free of charge) in "the most expedient time possible and without unreasonable delay." In other words, the law doesn't specify a concrete timeframe for notifying consumers.

When sending consumer notices, the law requires that you include:

  • Toll-free numbers and addresses for consumer reporting agencies (CRAs)
  • The toll-free number, address, and website of the Federal Trade Commission (FTC)
  • A statement that consumers can get more information about fraud alerts and security freezes from the CRAs and the FTC

You can notify consumers using either written or electronic notice in compliance with the E-SIGN Act.

For breaches affecting more than 500 Illinois residents, you must also notify the Illinois Attorney General (via this email address: [email protected]) at the time notice is given to consumers, or within 45 days maximum.

For breaches affecting more than 1,000 Illinois residents, consumer reporting agencies must be notified as well.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would interfere with a criminal investigation and they give you a written request for the delay.
  2. Third parties who experience a breach must notify the relevant data collectors immediately after its discovery.
  3. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notifications is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify affected consumers

Types of Personal Information Protected

Illinois data breach law defines "personal information" as:

An Illinois resident's first name or first initial and last name combined with at least one of the following data elements:

  • Social Security number
  • Driver's license number or state ID card number
  • Account number or credit/debit card number, along with relevant access/security codes or passwords
  • Medical information
  • Health insurance information
  • Unique biometric data used to authenticate an individual (fingerprints, retina, etc.)

Usernames or email addresses along with relevant passwords or security questions and answers also qualify as personal information.

That said, personal information doesn't include publicly available information or encrypted/redacted data that make the information unusable.

Penalties for Non-Compliance

A violation of the data breach law requirements is considered to be an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act and penalties can be issued under it as appropriate.

The Indiana data breach law sits at Article 24-4.9 of the Indiana Code. This law applies to database owners (business entities) that operate within Indiana or handle the personal information of its residents for commercial purposes and experience a breach.

Under Indiana's law, a breach means:

"unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person."

This definition includes computerized data that has been transferred into paper form, microfilm, or something similar.

That said, good-faith data acquisition by an employee or agent for legitimate purposes doesn't qualify as a breach.

Notification Requirements

If a security breach compromises the unencrypted or unredacted personal information of Indiana residents and could result in identity theft or fraud, the law requires you to notify affected residents, as well as the state's Attorney General via this form.

For breaches affecting over 1,000 Indiana residents, you must also notify all relevant consumer reporting agencies.

You can send notices to consumers using any of the following:

  • Mail
  • Telephone
  • Facsimile (fax)
  • Electronic mail if available

Some important caveats to take note of:

  1. You can delay notifications if sending them could impede a criminal investigation, jeopardize national security, or if you need time to determine the breach's scope and restore the integrity of the computer system.
  2. Third parties who suffer a data breach must notify the relevant database owners as soon as possible.
  3. Compliance with federal laws like HIPAA, GLBA, and other named laws exempts you from Indiana's breach notification requirements.
  4. You can use alternative notices like posting the breach on your website or notifying a major news media agency geographically relevant to Indiana if any of the following is true:

    • The cost of sending notifications is over $250,000, or
    • The number of affected consumers is more than 500,000

Types of Personal Information Protected

Indiana's data breach law defines "personal information" as:

An Indiana resident's first and last name or first initial and last name combined with at least one of the following (unencrypted or unredacted) data elements:

  • Driver's license number
  • State ID card number
  • Credit card number
  • Financial account number or debit card number along with relevant password or security/access code

An unencrypted Social Security number also counts as personal information.

Penalties for Non-Compliance

Enforcement rests exclusively in the hands of Indiana's Attorney General and has a maximum civil penalty of $150,000 per incident.

The Iowa data breach law sits at Chapter 715C of Iowa's Code. This law applies to entities that do business in the state, handle the personal information of Iowa residents, and experience a "breach of security."

Under Iowa's law, a breach of security means:

"unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information"

Note that this definition includes information in any medium, including paper, that was transferred to that medium from a computerized form.

Like other laws, Iowa's security breach definition exempts good-faith data acquisition by an employee or agent for legitimate purposes.

Notification Requirements

If you experience a security breach, Iowa's law requires you to notify affected consumers "in the most expeditious manner possible and without unreasonable delay." In other words, the law doesn't specify a concrete timeframe for notifying affected consumers.

You can send notices to consumers using either written or electronic notice in compliance with the E-SIGN Act.

For breaches affecting over 500 Iowa residents, you must also notify Iowa's Attorney General's consumer protection division director (via this email address: [email protected]) within 5 days of informing affected consumers.

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency determines that sending them could impede a criminal investigation.
  2. Third parties who suffer a data breach must notify the relevant database owners.
  3. Compliance with federal laws like HIPAA and GLBA exempts you from Iowa's breach notification requirements.
  4. You can use substitute notices like sending emails, posting the breach notice on your website, or alerting major statewide media if any of the following is true:

    • The cost of sending notifications is over $250,000,
    • The number of affected consumers is more than 350,000, or
    • You don't have enough contact information to notify affected consumers

Types of Personal Information Protected

Iowa's data breach law protects "personal information," which it defines as:

An Iowa resident's first name or first initial and last name along with at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or other government-issued ID number
  • Financial account number or credit/debit card number along with relevant passwords, expiration date, and security/access code that would allow access to the account
  • Unique electronic identifier or routing code along with relevant security/access code or password that would allow access to the account
  • Unique biometric data (such as a fingerprint, retina, or iris image)

Like other state laws, Iowa exempts publicly available information from its definition of personal information.

Penalties for Non-Compliance

Non-compliance with Iowa's data breach law is considered an unlawful practice under Iowa's Consumer Fraud Act. Enforcement rests exclusively with Iowa's Attorney General, who can seek appropriate remedies for violations.

The Kansas data breach law sits at Chapter 50, Article 7a of the Kansas Statute. This law applies to businesses that operate within Kansas or handle the personal information of its residents and experience a security breach.

Under Kansas law, a security breach means:

"unauthorized access and acquisition of unencrypted or unredacted computerized data that compromises the security, confidentiality or integrity of personal information maintained by an individual or a commercial entity and that causes, or such individual or entity reasonably believes has caused or will cause, identity theft to any consumer."

Good-faith data acquisition by an employee or agent for legitimate purposes doesn't qualify as a breach under Kansas data breach law.

Notification Requirements

The Kansas data breach law requires businesses that experience a breach to conduct a "good-faith, reasonable, and prompt investigation" to determine whether the compromised information has been or is likely to be misused.

If the investigation finds that misuse has occurred or is likely, the law requires businesses to notify affected consumers "in the most expedient time possible and without unreasonable delay." In other words, the law doesn't specify a concrete timeframe for notifying affected consumers.

You can send consumer notices either via written or electronic notice in compliance with the E-SIGN Act.

For breaches affecting over 1,000 Kansas residents, you must also notify all relevant consumer reporting agencies that compile and maintain consumer files on a nationwide basis.

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency determines that sending them could impede a criminal investigation.
  2. Third parties who suffer a data breach must notify the relevant database owners.
  3. Compliance with an internal information security policy that is consistent with Kansas security breach law exempts you from all breach notification requirements.
  4. You can use substitute notices like sending emails, posting the breach notice on your website, or alerting major statewide media if any of the following is true:

    • The cost of sending notifications is over $100,000,
    • The number of affected consumers is over 5,000, or
    • You don't have enough contact information to notify affected consumers

Types of Personal Information Protected

Kansas data breach law defines "personal information" as:

A Kansas resident's first and last name or first initial and last name combined with one or more of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or state ID number
  • Financial account number, or credit/debit card number, alone or together with relevant password or security/access code that would allow access to the account

Keep in mind that personal information doesn't include publicly available information.

Penalties for Non-Compliance

Non-compliance with the Kansas data breach law triggers legal action from the Kansas Attorney General, who solely decides appropriate remedies.

The exceptions are state-licensed insurance companies in Kansas, in which case the Kansas insurance commissioner is responsible for addressing their violations.

Kentucky's data breach law sits at section 365.732 of Kentucky's Statute. This law applies to entities that do business in Kentucky, handle the personal information of its residents, and experience a "security breach."

Under Kentucky's law, a security breach means:

"unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of the Commonwealth of Kentucky."

Like other laws, Kentucky's security breach definition exempts good-faith data acquisition by an employee or agent for legitimate purposes.

Notification Requirements

If you experience a security breach, Kentucky's law requires you to notify affected consumers as soon as possible and "without unreasonable delay." In other words, the law doesn't specify a concrete timeframe for notifying affected consumers.

You can send notices to consumers using either written or electronic notice in compliance with the E-SIGN Act.

For breaches affecting over 1,000 Kentucky residents, you must also notify, without unreasonable delay, all consumer reporting agencies and credit bureaus that compile and maintain consumer files on a nationwide basis.

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency determines that sending them will impede a criminal investigation.
  2. Compliance with federal laws like HIPAA and GLBA exempts you from Kentucky's breach notification requirements.
  3. You can use substitute notices like sending emails, posting the breach notice on your website, or alerting major statewide media if any of the following is true:

    • The cost of sending notifications is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have enough contact information to notify affected consumers

Types of Personal Information Protected

Kentucky's data breach law protects "personally identifiable information," which it defines as:

A Kentucky resident's first name or first initial and last name along with at least one of the following (unredacted) data elements:

  • Social Security number
  • Driver's license number
  • Financial account number or credit/debit card number along with relevant passwords, expiration date, and security/access code in order to access the account

Penalties for Non-Compliance

At the time of this writing, Kentucky's data breach law doesn't specify any penalties for non-compliance. However, a party injured by a data breach may be able to recover damages under KRS 446.070.

Louisiana's Database Security Breach Notification law is the primary law overseeing data breach notifications in the state. This law applies to entities that do business in Louisiana or handle the personal information of Louisianians and experience a "security breach."

Under Louisiana's law, a security breach means:

"the compromise of the security, confidentiality, or integrity of computerized data that results in, or there is a reasonable likelihood to result in, the unauthorized acquisition of and access to personal information maintained by an agency or person."

That said, good-faith data acquisitions by employees or agents for legitimate purposes are exempt from this definition.

Notification Requirements

In the event of a security breach, Louisiana's law requires you to notify affected consumers, as soon as possible but at most 60 days after discovering the breach.

Written notice with details of the breach must be sent to the Consumer Protection Section of the Attorney General's office within 10 days of sending notice to consumers. The notice sent to the Attorney General needs to include the names of all Louisiana citizens affected by the breach.

That said, you don't have to send breach notifications if an investigation finds that there is no reasonable chance of harm to affected residents.

You can send notices to consumers using either written or electronic notice in compliance with the E-SIGN Act. If you have to notify consumers, you must also notify the Consumer Protection Section of the Attorney General's Office as soon as possible.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency determines that it would impede a criminal investigation or if you need to determine the breach's scope and address system vulnerabilities.
  2. Compliance with an existing information security policy that is consistent with Louisiana's security breach law exempts you from notification requirements.
  3. Third parties who suffer a data breach must notify the relevant businesses.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying a state-wide media agency if any of the following is true:

    • The cost of providing notification is over $100,000,
    • The number of affected Louisianians exceeds 100,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Under Louisiana's data breach law, "personal information" is:

A Louisiana resident's first name or first initial and last name combined with at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or State ID card number
  • Account number or credit/debit card number and any required security or access code that would permit access to the account
  • Passport number
  • Biometric data

Keep in mind that personal information doesn't include publicly available information.

Penalties for Non-Compliance

Non-compliance with Louisiana's data breach law is considered an unfair trade practice under Louisiana's law. In response, the Attorney General can initiate legal action to recover damages from violators.

Anyone who fails to notify the Attorney General of a breach within 10 days of notifying affected individuals may be fined up to $5,000 per violation.

Affected Louisiana residents can also bring private action against violators. For a more in-depth breakdown of Louisiana's data breach law, check out our article: Louisiana Data Breach Law

Maine's data breach law sits at Sections 1347 to 1349 of Maine's Statutes. The law applies to businesses and information brokers who operate in Maine or handle the personal information of its residents and experience a "breach of security."

Under Maine's law, a breach of security is defined as:

"unauthorized acquisition, release or use of an individual's computerized data that includes personal information that compromises the security, confidentiality or integrity of personal information of the individual maintained by a person."

Like other state laws, Maine's breach definition excludes good faith data acquisition or use by an employee or agent for legitimate business purposes.

Notification Requirements

If you experience a breach involving the unencrypted personal information of Maine's residents, the law requires you to notify affected consumers as soon as possible and no later than 30 days after discovering the breach.

You can send notices to affected consumers using either written or electronic notice in compliance with the E-SIGN Act.

When consumer notices are required, you must notify the appropriate state regulators within the Department of Professional and Financial Regulation. If your business isn't covered by the department, you must then notify Maine's Attorney General.

For breaches affecting more than 1,000 Maine residents, you must also notify all consumer reporting agencies that compile and maintain consumer files on a nationwide basis.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would compromise a criminal investigation or if you need time to determine the breach's scope and address system vulnerabilities.
  2. Once the law enforcement agency confirms that notifications won't interfere with a criminal investigation, you have 7 days to send notices.
  3. Third parties who experience a breach must notify relevant businesses and information brokers immediately after discovering the breach.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notifications is over $5,000,
    • The number of affected consumers exceeds 1,000, or
    • You don't have sufficient contact information to notify affected consumers

Types of Personal Information Protected

Maine's data breach law protects "personal information," which it defines as:

A Maine resident's first name or first initial and last name plus at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or state ID card number
  • Account number or credit/debit card number (if it can be used without additional information, access codes, or passwords)
  • Account passwords, PINs, or other access codes

Any of the above counts as personal information on its own, even without a first name or first initial and last name, if that element alone, once compromised, would be enough to enable identity theft.

Note that personal information doesn't include publicly available information or data from third-party claims databases maintained by property and casualty insurers.

Penalties for Non-Compliance

Non-compliance with Maine's data breach law is considered a civil violation. For applicable businesses, enforcement can be carried out by appropriate state regulators within the Department of Professional and Financial Regulation. Enforcement for all other covered entities rests with Maine's Attorney General.

Violators are liable to fines of not more than $500 per violation. Fines are capped at $2,500 for each day of violation.

The Maryland Personal Information Protection Act (PIPA) is the primary law overseeing data breach notifications in the state. This law applies to entities that suffer a "security breach" involving the personal information of Maryland's residents.

Under Maryland's law, a breach of security is:

"unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by a business."

Like many other state laws, Maryland's breach definition excludes good faith data access by an employee or agent for legitimate business purposes.

Notification Requirements

When a breach occurs, Maryland's data breach law requires you to conduct a reasonable and prompt investigation to determine the likelihood that the compromised personal information has been or will be misused.

If misuse has occurred or is reasonably likely, you must notify affected consumers as soon as reasonably practicable, but no later than 45 days after discovering (or being notified of) the breach, unless a permitted delay applies.

Note that you must notify the Maryland Office of the Attorney General before sending notifications to consumers. You can notify affected consumers using any of the following:

  • Written notice
  • Telephonic notice
  • Electronic notice in compliance with the E-SIGN Act

For breaches affecting 1,000 or more Maryland residents, you must also notify all consumer reporting agencies that compile and maintain consumer files on a nationwide basis.

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency finds that it would interfere with a criminal investigation or jeopardize national security.
  2. Once the law enforcement agency confirms that notifications won't interfere with a criminal investigation, you have 7 business days to send notices.
  3. Compliance with federal laws like GLBA exempts you from notification requirements as long as you observe appropriate procedures.
  4. Notification isn't necessary if an investigation finds that the breach will not likely result in identity theft or any other financial harm to consumers. You must keep this conclusion in writing and maintain it for at least three years.
  5. Third parties who experience a breach must notify the relevant data owners within 10 days.
  6. You can use substitute notices like posting a conspicuous notice of the breach on your website or in print/broadcast media if any of the following is true:

    • The cost of sending notifications is over $100,000,
    • The number of affected consumers exceeds 175,000, or
    • You don't have sufficient contact details to notify affected consumers

Types of Personal Information Protected

Maryland's data breach law protects "personal information" which is defined as:

A Maryland resident's first name or first initial and last name along with one or more of the following (unencrypted or unredacted) data elements:

  • Social Security number, driver's license number, individual taxpayer ID number, passport number or other government-issued ID number
  • Financial account number or credit/debit card number in combination with any password or security/access code required to access the account
  • Medical history, mental or physical condition, medical treatment, or diagnosis
  • Health insurance policy number, subscriber ID number, or similar unique identifiers that permit access to an individual's health information
  • Biometric data

A username/email address along with the necessary password or security question required for access counts as personal information on its own.

Note that personal information doesn't include publicly available information.

Penalties for Non-Compliance

Non-compliance with Maryland's data breach law is considered an unfair or deceptive trade practice under Maryland's Consumer Protection Act. Violators face civil penalties of up to $10,000 per violation and up to $25,000 for each repeated violation.

Massachusetts General Laws Chapter 93H is the primary law regulating data breach notifications in the state. This law applies to entities that acquire, own, or license the computerized personal information of Massachusetts residents and experience a breach.

The law defines a breach as:

"unauthorized acquisition or use of unencrypted data or encrypted electronic data and the confidential process or key that is capable of compromising the security, confidentiality, or integrity of personal information maintained by a person or agency that creates a substantial risk of identity theft or fraud against a resident of the commonwealth"

Like many others, Massachusetts's breach definition excludes good-faith data acquisition by employees or agents for legitimate business purposes.

Notification Requirements

Massachusetts law requires you to notify affected consumers about a security breach "as soon as practicable and without unreasonable delay."

You can notify affected consumers via written or electronic notice in compliance with the E-SIGN Act.

You must also notify the Massachusetts Attorney General (via this form) and the Director of Consumer Affairs and Business Regulation at the same time you alert consumers. They'll then pass on relevant information to consumer reporting agencies.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would impede a criminal investigation.
  2. Third parties who experience a breach must notify relevant businesses or data owners as soon as possible.
  3. If you already maintain breach notification procedures under federal laws, rules, or guidance, you're deemed compliant with Massachusetts's requirements, provided you still notify affected residents, the Attorney General, and the Director under those procedures.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices exceeds $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Massachusetts's law protects "personal information," which it defines as:

A Massachusetts resident's first name or initial and last name combined with one or more of the following:

  • Social Security number
  • Driver's license number or state ID card number
  • Financial account numbers, with or without any required access codes or passwords

Like many others, Massachusetts's data breach law exempts publicly available information from its personal information definition.

Penalties for Non-Compliance

Non-compliance with Massachusetts's data breach law is a civil violation, and enforcement rests exclusively with the Massachusetts Attorney General.

Michigan's data breach law sits at sections 445.63 and 445.72 of the Michigan Compiled Laws, as part of the state's Identity Theft Protection Act.

This law applies to people and agencies that do business in Michigan or handle the personal information of its residents and experience a security breach.

Under Michigan law, a security breach is defined as:

"unauthorized access and acquisition of data that compromises the security or confidentiality of personal information maintained by a person or agency as part of a database of personal information regarding multiple individuals."

Like other state laws, the Michigan breach definition excludes good faith data acquisition or use by an employee or agent for legitimate business purposes.

Notification Requirements

If a data breach occurs, Michigan law requires you to notify affected consumers "without unreasonable delay." In other words, the law doesn't specify a concrete timeframe for notifying consumers.

In practice, you must notify affected consumers using any of the following:

  • Written notice sent to postal addresses
  • Written notice sent electronically
  • Telephonic notice via a live call (not a recorded message), where the recipient has consented to telephone notice

If you have to notify more than 1,000 Michigan residents, you must also (without unreasonable delay) notify all consumer reporting agencies that compile and maintain consumer files on a nationwide basis.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would impede a criminal investigation, or for as long as you need to determine the scope of the breach and restore the reasonable integrity of the database.
  2. Compliance with federal laws like HIPAA and GLBA exempts you from Michigan's security breach notification requirements.
  3. Third parties who experience a breach must notify the relevant businesses immediately after its discovery.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notifications is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify affected consumers

Types of Personal Information Protected

Michigan data breach law defines "personal information" as:

A Michigan resident's first name or first initial and last name along with at least one of the following data elements:

  • Social Security number
  • Driver's license or state ID card number
  • Demand deposit, financial account number, or credit/debit card number, along with relevant access/security codes or passwords required to access the account

Penalties for Non-Compliance

Non-compliance with Michigan's data breach law attracts a civil fine of up to $250 for each failure to provide a required notice. However, the total fine for any single security breach can't exceed $750,000.

Sending a false breach notice with the intent to defraud is a misdemeanor punishable as follows:

  • First violation: Imprisonment for at most 93 days or a fine of up to $250
  • Second violation: Imprisonment for at most 93 days or a fine of at most $500
  • Third/subsequent violation: Imprisonment for at most 93 days or a fine of up to $750

Minnesota's data breach law sits at Section 325E.61 of the state's statutes. Enacted in 2005, this law applies to businesses that suffer a "breach of security" involving the personal information of Minnesota's residents.

Under Minnesota's law, a breach of security means:

"unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."

Note that good-faith data acquisitions by employees or agents for legitimate purposes are exempt from this definition.

Notification Requirements

If a breach of security occurs, Minnesota's law requires you to notify affected consumers "in the most expedient time possible and without unreasonable delay." In other words, Minnesota's law offers no concrete timeframe for data breach notifications.

You can send notifications to consumers using either written or electronic notice in compliance with the E-SIGN Act.

If you must notify more than 500 Minnesota residents at one time, you must also notify all consumer reporting agencies that compile and maintain consumer files on a nationwide basis within 48 hours, telling them the timing, distribution, and content of the consumer notices.

Some important caveats to take note of:

  1. You can delay notification if Minnesota's law enforcement finds that it would compromise a criminal investigation.
  2. Third parties who suffer data breaches must notify the relevant businesses immediately.
  3. Complying with an internal information breach procedure that aligns with Minnesota's law exempts you from the state's data breach notice requirements.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying a state-wide media agency if any of the following is true:

    • The cost of sending notices exceeds $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Minnesota's data breach law protects "personal information" which it defines as:

A Minnesota resident's first name or first initial and last name combined with at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or Minnesota ID card number
  • Financial account number or credit/debit card numbers, along with any required security or access codes that would allow access to the accounts

Penalties for Non-Compliance

Non-compliance with Minnesota's data breach law is considered a violation of trade practices with enforcement resting in the hands of Minnesota's Attorney General.

The Mississippi data breach law sits at Section 75-24-29 of the Mississippi Code. Enacted in 2010, this law applies to entities that do business in the state, own, license, or handle the personal information of Mississippi residents, and experience a "security breach."

Under Mississippi's law, a security breach means:

"unauthorized acquisition of electronic files, media, databases or computerized data containing personal information of any resident of this state when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable."

Notification Requirements

If you experience a breach of security, Mississippi's law requires you to notify affected consumers "without unreasonable delay." That said, you don't have to send notifications if an investigation finds that the breach is unlikely to cause harm to affected consumers.

You can send notices to consumers using any of the following:

  • Written notice
  • Telephonic notice
  • Electronic notice in compliance with the E-SIGN Act

Some important caveats to take note of:

  1. You can delay notifications if law enforcement determines that sending them could hinder a criminal investigation.
  2. Third parties who suffer data breaches must notify the relevant businesses "as soon as practicable."
  3. Following an internal breach procedure that aligns with the timings of Mississippi's law exempts you from the state's breach notification requirements.
  4. You can use substitute notices like sending emails, posting the breach notice on your website, or alerting major statewide media if any of the following is true:

    • The cost of sending notifications is over $5,000,
    • The number of affected consumers adds up to over 5,000, or
    • You don't have sufficient contact information to notify affected consumers

Type of Personal Information Protected

Mississippi's data breach law protects "personal information," which it defines as:

A Mississippi resident's first name or first initial and last name along with at least one of the following data elements:

  • Social Security number
  • Driver's license number or state ID card number
  • Account number or credit/debit card number with required password, or access/security code that would allow access to the account

Keep in mind that personal information doesn't include publicly available information.

Penalties for Non-Compliance

Non-compliance with Mississippi's data breach law is considered an unfair trade practice and penalties are enforced by the state's Attorney General. Note that the law doesn't provide for a private right of action (i.e., legal action from affected consumers).

Missouri's data breach notification law applies to businesses that handle the computerized personal information of Missouri's residents and experience a "security breach."

Under Missouri's law, a security breach means:

"unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information."

Like other state laws, Missouri's security breach excludes good faith data acquisition by an employee or agent for legitimate business purposes.

Notification Requirements

Under Missouri's law, you must notify affected consumers of a security breach "without unreasonable delay." Notably, the law doesn't specify a concrete timeframe for sending notifications.

When sending consumer notices, the law requires that you include the following:

  • Details of the incident
  • The type of personal information compromised
  • A telephone number consumers may call to get more information and assistance
  • Contact information for consumer reporting agencies (CRAs)
  • Advice directing consumers to remain vigilant by reviewing account statements and monitoring free credit reports

You can send notices to consumers using any of the following:

  • Written notice
  • Electronic notice in compliance with the E-SIGN Act
  • Telephonic notice (if made directly to affected consumers)

For breaches affecting more than 1,000 Missouri residents, you must also notify the Missouri Attorney General and all consumer reporting agencies without unreasonable delay.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would impede a criminal investigation or threaten national security.
  2. Third parties who experience a breach must notify the relevant data owners or licensees immediately after discovery.
  3. Compliance with relevant federal laws or an internal breach notice policy that aligns with the timings of Missouri's law exempts you from all breach notice requirements.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices is over $100,000,
    • The number of affected consumers exceeds 150,000,
    • You don't have sufficient contact information to notify consumers, or
    • You are unable to identify affected customers

Types of Personal Information Protected

Missouri's data breach law protects "personal information," which it defines as:

A Missouri resident's first name or first initial and last name plus at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or other unique government-issued ID number
  • Account number or credit/debit card number, along with relevant access codes or passwords required to access the account
  • Unique electronic identifier/routing code, along with relevant security code or passwords
  • Medical information
  • Health insurance information

Like many other laws, Missouri's data breach law excludes publicly available information from its definition of personal information.

Penalties for Non-Compliance

Non-compliance with Missouri's data breach law attracts civil penalties of up to $150,000 per breach (or per series of similar breaches discovered in a single investigation).

Violators may also be liable for actual damages suffered by affected consumers as a result of the violation. Enforcement rests exclusively with Missouri's Attorney General.

The Montana Code 30-14-1704 is the primary law overseeing data breach notifications in the state. This law applies to any entity that experiences a "computer security breach" or "breach" involving the computerized personal information of Montana's residents.

Under Montana's law, a breach is defined as:

"unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person or business and causes or is reasonably believed to cause loss or injury to a Montana resident."

Like many other state laws, Montana's breach definition excludes good faith data access by an employee or agent for legitimate business purposes.

Notification Requirements

In the event of a breach, Montana's law requires you to notify affected consumers "without unreasonable delay."

In practice, you must notify affected consumers through any of the following:

  • Written notice
  • Telephonic notice
  • Electronic notice in compliance with the E-SIGN Act

If your consumer notice suggests that affected individuals obtain a copy of their file from a consumer credit reporting agency, you must coordinate with that agency on the timing, content, and distribution of the notice.

You must also submit an electronic copy of the consumer notice, along with a statement of the date and method of distribution, to the Attorney General's consumer protection office at the same time you notify consumers, excluding anything that personally identifies an individual. When more than one Montana resident is notified, a single copy suffices, and it must state how many residents received notice.

Some important caveats to take note of:

  1. You can delay notification if law enforcement determines that it would interfere with a criminal investigation.
  2. Complying with an internal breach notice policy that aligns with Montana's data breach law exempts you from the state's breach notice requirements.
  3. Third parties who experience a breach must notify the relevant businesses immediately after discovering the breach.
  4. You can use substitute notices like posting a conspicuous notice of the breach on your website or in print/broadcast media if any of the following is true:

    • The cost of sending notifications is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have the mailing or email addresses to notify affected consumers

Types of Personal Information Protected

Montana's data breach law protects "personal information" defined as:

A Montana resident's first name or first initial and last name along with one or more of the following (unencrypted) data elements:

  • Social Security number
  • Driver's license number, state ID card number or tribal ID card number
  • Financial account number or credit/debit card number plus any required password or security/access code to gain access to the account
  • Medical record information
  • Taxpayer ID number
  • Identity protection personal ID number issued by the United States Internal Revenue Service

Keep in mind that personal information doesn't include publicly available information.

Penalties for Non-Compliance

Non-compliance with Montana's data breach law is considered an unfair or deceptive trade practice under Section 30-14-1705 of Montana's Statutes.

Montana's Department of Justice has the exclusive right to bring enforcement actions against violators in the name of the state.

The Nebraska data breach law is at Sections 87-801 to 87-808 of the Nebraska Revised Statute. Enacted in 2006, this law applies to businesses that operate within Nebraska or handle the personal information of its residents and experience a security breach.

Under Nebraska law, a security breach means:

"unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity."

Good-faith data acquisition by an employee or agent for legitimate purposes, as well as acquisition under a search warrant, subpoena, court order, or regulatory agency order, doesn't qualify as a breach under Nebraska's data breach law.

Notification Requirements

Nebraska data breach law requires you to conduct a "good-faith, reasonable, and prompt investigation" if you experience a breach to determine whether the compromised information has or will likely be misused.

If the investigation finds that misuse has occurred or is reasonably likely, the law requires you to notify affected consumers "as soon as possible and without unreasonable delay." In other words, the law doesn't specify a concrete timeframe for notifying affected consumers.

Once consumer breach notices are required, you must also notify the Nebraska Attorney General (via this form) before or at the same time you notify affected consumers.

You can send notices to consumers using any of the following:

  • Written notice
  • Telephonic notice
  • Electronic notice in compliance with the E-SIGN Act

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency determines that sending them could impede a criminal investigation.
  2. Third parties who suffer a data breach must notify the relevant businesses as soon as possible.
  3. Businesses subject to relevant federal laws or an internal information security policy that aligns with Nebraska data breach law are exempt from notification requirements.
  4. Any waiver of the Nebraska data breach law contradicts public policy and is, therefore, invalid and unenforceable.
  5. You can use substitute notices like sending emails, posting the breach notice on your website, or alerting major statewide media if any of the following is true:

    • The cost of sending notifications is over $75,000,
    • The number of affected consumers is over 100,000, or
    • You don't have sufficient contact information to notify affected consumers

Type of Personal Information Protected

Nebraska data breach law defines "personal information" as:

A Nebraska resident's first name or first initial and last name combined with one or more of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or state ID card number
  • Financial account number or credit/debit card number in combination with relevant password or security/access codes needed to gain access to the account
  • Unique electronic ID number/routing code, along with relevant security/access code
  • Username or email address in combination with a password or security question required to gain access to the related account
  • Unique biometric data

Personal information doesn't include publicly available information.

Penalties for Non-Compliance

Non-compliance with the Nebraska data breach law invites legal action from Nebraska's Attorney General, who solely decides appropriate remedies for violations. In other words, the law offers no private right of action for consumers.

Section 603A.010 to 603A.290 of Nevada Revised Statutes is the primary law regulating data breaches in the state.

Enacted in 2005, Nevada's data breach law applies to "data collectors" that acquire, own, or license computerized personal information of Nevada residents and experience a security breach.

The law defines a security breach as:

"unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector."

Like many others, Nevada's breach definition excludes good-faith data acquisition by employees or agents for legitimate purposes.

Notification Requirements

Nevada's data breach law requires you to notify affected consumers about a security breach "in the most expedient time possible and without unreasonable delay." In essence, the law offers no concrete timeframe for sending consumer notifications.

You can notify affected consumers either through written or electronic notice in compliance with the E-SIGN Act.

For breaches affecting over 1,000 Nevada residents, you must also notify all consumer reporting agencies that compile and maintain consumer files on a nationwide basis without unreasonable delay.

Some important caveats to take note of:

  1. You can delay notification if law enforcement determines that it would impede a criminal investigation.
  2. Businesses that already maintain identical notification procedures as Nevada data breach law or comply with relevant federal laws like GLBA are considered compliant with all breach notice requirements.
  3. You can use substitute notification methods like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices exceeds $250,000,
    • Affected consumers exceed 500,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Nevada's law protects "personal information," which it defines as:

A Nevada resident's first name or initial and last name combined with one or more of the following (unencrypted):

  • Social Security number
  • Driver's license number, driver authorization card, or ID card number
  • Financial account numbers or credit/debit card numbers in combination with any security or access codes required to access the account
  • Medical ID number or health insurance ID number
  • Username, unique identifier, or email address plus passwords, access codes/security questions, and answers to access an online account

Nevada's personal information definition exempts publicly available information as well as the last four digits of a social security number, the last four digits of a driver's license number, the last four digits of a driver authorization card number or the last four digits of an identification card number.

Penalties for Non-Compliance

Non-compliance with Nevada's data breach law is considered a deceptive trade practice and attracts civil action, restitution, or injunction. The Nevada Attorney General and District Attorneys are responsible for enforcing penalties.

New Hampshire's data breach law sits at sections 359-C:19, 359-C:20, and 359-C:21 of New Hampshire's Revised Statutes.

This law applies to entities that do business in New Hampshire, handle the computerized personal information of its residents, and experience a "security breach."

Under New Hampshire's law, a security breach means:

"unauthorized acquisition of computerized data that compromises the security or confidentiality of personal information maintained by a person doing business in this state."

Like other laws, New Hampshire's security breach definition exempts good-faith data acquisition by an employee or agent for legitimate purposes.

Notification Requirements

If you experience a security breach, New Hampshire's law requires you to investigate whether the compromised information has or will likely be misused.

If the investigation finds that misuse has occurred or is reasonably likely, the law requires that you notify affected consumers "as soon as possible." In other words, the law doesn't specify a concrete timeframe for notifying affected consumers.

Businesses whose trade or commerce falls under a primary state regulator (such as the bank commissioner or insurance commissioner) must notify that regulator, while all other entities must notify the New Hampshire Attorney General.

In practice, you can send notices to affected consumers via any of the following mediums:

  • Written notice
  • Electronic notice
  • Telephonic notice

If you must notify over 1,000 New Hampshire residents, you must also notify all consumer reporting agencies by letting them know the expected date of the breach notice, the number of consumers you'll notify, and the content of the notice.

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency determines that sending them will impede a criminal investigation.
  2. Third parties who suffer a data breach must notify the relevant database owners immediately.
  3. Compliance with federal laws like GLBA exempts you from New Hampshire's breach notification requirements.
  4. You can use substitute notices like sending emails, posting the breach notice on your website, or alerting major statewide media if any of the following is true:

    • The cost of sending notifications is over $5,000,
    • The number of affected consumers exceeds 1,000, or
    • You don't have sufficient contact details to notify affected consumers

Type of Personal Information Protected

New Hampshire's data breach law protects "personal information," which it defines as:

An individual's first name or first initial and last name along with at least one of the following (unencrypted) data elements:

  • Social Security number
  • Driver's license number or other government ID number
  • Financial account number or credit/debit card number, in combination with any required password or security/access code that would permit access to the account

Keep in mind that personal information doesn't include publicly available information.

Penalties for Non-Compliance

The New Hampshire Attorney General's office is responsible for enforcing the law. Unlike most states, New Hampshire also gives affected consumers a private right of action: a person injured by a violation can sue for actual damages and equitable relief, including an injunction.

For willful or knowing violations, the court can award up to three times the actual damages, but not less than two times that amount.

New Jersey's data breach law can be found at NJ Statutes Sections 56:8-161 to 56:8-163. It applies to businesses that operate within the state or handle the computerized personal information of its residents and experience a security breach.

Note that businesses with less than 50 employees are exempt from the law.

Under New Jersey's law, a security breach is defined as:

"unauthorized access to electronic files, media or data containing personal information that compromises the security, confidentiality or integrity of personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable."

This definition excludes good-faith data collection by an employee or agent for legitimate purposes.

Notification Requirements

If you experience a security breach, New Jersey's law requires you to notify affected consumers as soon as possible and "without unreasonable delay." In any case, notification must be sent within 45 days of discovering the breach.

You can send either written or electronic notices to consumers in compliance with the E-SIGN Act.

Once you discover a breach, you must make a report to New Jersey's State Police Division in the Department of Law and Public Safety for investigation/handling before notifying affected consumers.

For breaches affecting over 1,000 New Jersey residents, you must also notify all consumer reporting agencies that compile or maintain consumer files on a nationwide basis.

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency determines that sending them could hinder a criminal or civil investigation.
  2. Notification isn't necessary if your investigation finds that misuse of the information is not likely. You must keep this conclusion in writing for five years.
  3. Third parties who suffer data breaches must notify the relevant businesses immediately after discovering the breach.
  4. You can use substitute notices like posting the breach on your website or in broadcast/print media if any of the following is true:

    • The cost of sending notifications is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You're missing sufficient contact details to notify affected consumers

Type of Personal Information Protected

New Jersey's data breach law protects "personal information." It defines this as:

An individual's first name or first initial and last name along with at least one of the following data elements:

  • Social Security number
  • Driver's license number or state ID card number
  • Financial account details in combination with passwords or security/access codes that would allow access to the account
  • Health records or insurance policy information
  • Online account credentials (username/email paired with a password or security question)

Penalties for Non-Compliance

Violations can come with a range of penalties depending on the scope and nature of the offense. Civil penalties of up to $10,000 per violation may be assessed, as well as jail time in the event of intentional breaches of data security.

New Mexico's Data Breach Notification Act applies to businesses that handle the computerized personal information of New Mexico's residents and experience a "security breach."

Under New Mexico's law, a security breach means:

"unauthorized acquisition of unencrypted computerized data, or of encrypted computerized data and the confidential process or key used to decrypt the encrypted computerized data, that compromises the security, confidentiality or integrity of personal identifying information maintained by a person."

Like other state laws, New Mexico's definition of a security breach excludes good-faith data acquisition by an employee or agent for legitimate business purposes.

Notification Requirements

Under New Mexico's law, you must notify affected consumers of a security breach as quickly as possible, but at most 45 days after discovering the breach.

When sending consumer notices, New Mexico's data breach law requires you to include the following:

  • Your name and contact information
  • The type of personal information compromised and details of the incident
  • Toll-free telephone numbers of consumer reporting agencies
  • Advice to review financial information to detect errors resulting from the breach
  • Advice on consumer notification rights under the Fair Credit Reporting Act

You can send notices to consumers using either the United States mail or electronic notice in compliance with the E-SIGN Act.

For breaches affecting more than 1,000 New Mexico residents, you must also notify the New Mexico Attorney General and consumer reporting agencies as soon as possible, and at most within 45 days.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency determines that it would impede a criminal investigation.
  2. Third parties who experience a breach must notify the relevant data owners or licensees within 45 days of discovery.
  3. Compliance with federal laws or an internal breach notice policy that aligns with New Mexico's data breach law exempts you from breach notification requirements.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices is over $100,000,
    • The number of affected consumers exceeds 50,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

New Mexico's data breach law protects "personal identifying information." It defines this as:

An individual's first name or first initial and last name in combination with one or more of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or other government-issued ID number
  • Account number or credit/debit card number, along with relevant access codes or passwords that would allow access to the account
  • Biometric data

Like other laws, New Mexico's data breach law excludes publicly available information from its definition of personal information.

Penalties for Non-Compliance

Non-compliance with New Mexico's data breach law is considered a civil violation. Intentional violations incur fines of up to $25,000, and failed notifications attract $10 per instance up to a maximum of $150,000.

Violators may also be liable for actual damages suffered by affected consumers as a result of the violation. And enforcement rests exclusively with the New Mexico Attorney General.

The New York data breach law sits at Chapter 20 of the New York General Business Law. This law applies to entities that do business in the state, handle the computerized personal information of New York residents, and experience a "security breach."

Under New York's law, a security breach means:

"unauthorized access to or acquisition of, or access to or acquisition without valid authorization, of computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business."

Like other laws, New York's definition of a security breach exempts good-faith data acquisition by an employee or agent for legitimate purposes.

Notification Requirements

If you experience a security breach, New York's law requires you to notify affected consumers "in the most expedient time possible and without unreasonable delay."

You can send notices to consumers using any of the following:

  • Written notice
  • Telephone notice
  • Electronic notice

For any breach affecting New York residents, you must notify the New York Attorney General, the Department of State, and the Division of State Police without delaying notice to consumers.

For breaches affecting over 5,000 New York residents, you must also notify all consumer reporting agencies as quickly as possible.

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency determines that sending them could impede a criminal investigation.
  2. Third parties who suffer a data breach must notify the relevant businesses or data owners immediately after discovery.
  3. Notification isn't necessary if you can establish that misuse of the exposed information is not reasonably likely. You must keep this result in writing and maintain it for five years.
  4. Compliance with federal laws like HIPAA and GLBA exempts you from New York's breach notice requirements.
  5. You can use substitute notices like sending emails, posting the breach notice on your website, or alerting major statewide media if any of the following is true:

    • The cost of sending notifications is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify affected consumers

Type of Personal Information Protected

New York's data breach law protects "private information," which it defines as:

Any personal information (data/identifier that can be used to identify an individual), along with at least one of the following (unencrypted) data elements:

  • Social Security number
  • Driver's license number or non-driver ID card number
  • Financial account number or credit/debit card number along with relevant passwords or security/access codes that will allow the accounts to be accessed
  • Account number or credit/debit card number that can be used to access an individual's financial account without a password or security/access code
  • Biometric data (such as a fingerprint, retina, or iris image)

Usernames or email addresses along with relevant passwords or security questions and answers also qualify as personal information on their own.

Like other state laws, New York exempts publicly available information from its definition of personal information.

Penalties for Non-Compliance

Non-compliance with New York's data breach law is considered a civil violation of the Information Security Breach and Notification Act. Enforcement rests exclusively with New York's Attorney General who can seek appropriate remedies for violations.

Intentional violations attract civil penalties of the greater of $5,000 or $20 per violation. Penalties are capped at $250,000.

The North Carolina data breach law sits at Sections 75-61 and 75-65 of the North Carolina General Statutes. This law applies to entities that acquire, own, or license personal information of North Carolina residents and experience a breach.

The law defines a breach as:

"unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer."

Note that this definition includes information in any medium, including paper, that was transferred to that medium from a computerized form.

As under many other state laws, a breach in North Carolina doesn't include good-faith data acquisition by employees or agents for legitimate business purposes.

Notification Requirements

North Carolina law requires you to notify affected consumers about a security breach "without unreasonable delay." In other words, the law doesn't specify a concrete timeframe for sending notifications.

You can send notices to consumers using any of the following:

  • Written notice
  • Electronic notice in compliance with the E-SIGN Act
  • Telephonic notice

When sending consumer notices, the law requires that you include:

  • A description of the incident and the type of personal information compromised
  • Actions taken to prevent future occurrences
  • Telephone number to reach the business/entity (if available)
  • Advice to review and monitor financial information
  • Toll-free telephone numbers of major consumer reporting agencies
  • Toll-free numbers, addresses, and websites for the Federal Trade Commission and the North Carolina Attorney General's Office

For breaches affecting more than 1,000 North Carolina residents, you must notify the Consumer Protection Division of the Attorney General's Office and all consumer reporting agencies.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would impede a criminal investigation or jeopardize national security.
  2. Third parties who experience a breach must notify the relevant data owners immediately.
  3. Adherence to relevant federal laws exempts you from all data breach requirements.
  4. You can use substitute notification methods like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices exceeds $250,000,
    • The number of affected consumers exceeds 500,000,
    • You don't have sufficient contact information to notify consumers, or
    • You are unable to identify affected customers

Types of Personal Information Protected

North Carolina's law protects "personal information," which it defines as:

A North Carolina resident's first name or initial and last name combined with identifying information, which includes:

  • Social Security number
  • Driver's license number, state ID card number, or passport number
  • Financial account numbers or credit/debit card numbers, including any security or access codes needed to access the accounts
  • Digital signatures
  • Biometric data

Like many others, North Carolina's data breach law exempts publicly available information.

Penalties for Non-Compliance

Non-compliance with North Carolina's data breach notification law is considered a civil violation of the state's Identity Theft Protection Act.

A private right of action is only allowed in cases where the violation results in an injury. Otherwise, North Carolina's Attorney General is solely responsible for initiating legal action.

The North Dakota Century Code Chapter 51-30 is the primary law overseeing data breach notifications in the state. It applies to businesses that handle the personal information of North Dakotans and experience a "security breach."

Under North Dakota's law, a security breach means:

"unauthorized acquisition of computerized data when access to personal information has not been secured by encryption or by any other method or technology that renders the electronic files, media, or databases unreadable or unusable."

Note that good-faith data acquisitions by employees or agents for legitimate purposes are exempt from this definition.

Notification Requirements

If a security breach occurs, North Dakota's law requires you to notify affected consumers as quickly as possible and "without unreasonable delay."

For breaches affecting over 250 North Dakota residents, you must also notify the North Dakota Attorney General (via mail or email) without unreasonable delay.

You can send notices to affected consumers using either written or electronic notice in compliance with the E-SIGN Act.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would impede a criminal investigation.
  2. Third parties who experience a breach must notify the relevant data owners immediately after discovering the breach.
  3. Compliance with certain federal laws, or with an internal notification policy similar to North Dakota's data breach law, exempts you from all breach notice requirements.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying a state-wide media agency if any of the following is true:

    • The cost of sending notices is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

North Dakota's data breach law protects "personal information," which it defines as:

A North Dakota resident's first name or first initial and last name plus at least one of the following (unencrypted) data elements:

  • Social Security number
  • Driver's license number or non-driver photo identification card number
  • Account number or credit/debit card number and any required security/access code to access the account
  • Date of birth
  • Mother's maiden name
  • Medical information
  • Health insurance information
  • Employee identification number and any required security/access code
  • Digital or electronic signature

Penalties for Non-Compliance

Non-compliance with North Dakota's data breach law is considered an unlawful sales or advertising practice. Enforcement rests with the North Dakota Attorney General who can seek appropriate remedies for violations.

Ohio's data breach law sits at Section 1349.19 of the Ohio Revised Code. This law applies to people, businesses, and state agencies that handle the computerized personal information of Ohio's residents and experience a "security breach."

Under Ohio's law, a security breach means:

"unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state."

Like other state laws, Ohio's breach definition excludes good-faith data acquisition by an employee or agent for legitimate business purposes.

Notification Requirements

Ohio's data breach law requires people, businesses, and agencies that experience a breach to notify consumers as quickly as possible, and at most 45 days after discovering the breach.

For breaches affecting over 1,000 Ohio residents, you must also notify all consumer reporting agencies that compile and maintain consumer files on a nationwide basis.

You can send notices to consumers using any of the following:

  • Written notice
  • Electronic notice
  • Telephonic notice

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would interfere with a criminal investigation or jeopardize homeland security.
  2. Third parties who suffer a breach must notify the relevant data owners or licensees without delay.
  3. Financial institutions that comply with relevant federal laws are exempted from notification requirements.
  4. You can use substitute notices like sending emails, advertising in a local newspaper, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices is over $250,000,
    • The number of affected consumers exceeds 500,000,
    • You don't have sufficient contact information to notify consumers, or
    • You have 10 employees or fewer and the cost of sending notices is more than $10,000

Types of Personal Information Protected

Under Ohio's data breach law, "personal information" is:

An Ohio resident's first name or first initial and last name combined with at least one of the following (unencrypted) data elements:

  • Social Security number
  • Driver's license number or state ID card number
  • Account number, or credit/debit card number, along with relevant password or security/access code that would grant access to the account

Note that the law only applies to personal information in its electronic form, not paper records. This definition also excludes publicly available information.

Penalties for Non-Compliance

Non-compliance with Ohio's data breach law triggers legal action from the state's Attorney General.

Intentional violations attract a civil penalty of $1,000 per incident (for the first 60 days), $5,000 (after 60 days), and up to $10,000 (after the 90th day).

The Oklahoma Security Breach Notification Act is the primary law overseeing data breach notifications in the state.

Enacted in 2008, this law applies to businesses that own or license the computerized personal information of Oklahoma residents, and experience a "security breach."

Under Oklahoma's law, a security breach means:

"unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of this state."

Like many other laws, Oklahoma's security breach definition exempts good-faith data acquisition by an employee or agent for legitimate purposes.

Notification Requirements

If you experience a security breach, Oklahoma's law requires you to notify affected consumers "without unreasonable delay." In other words, the law doesn't specify a concrete timeframe for notifying affected consumers.

In practice, you can send notices to consumers via any of the following:

  • Written notice
  • Telephonic notice
  • Electronic notice

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency determines that sending them will impede a criminal or civil investigation.
  2. Third parties who suffer a data breach must notify the relevant database owners as soon as possible.
  3. Businesses that comply with relevant federal laws, or with an internal notification policy identical to Oklahoma's data breach law, are exempt from the state's breach notice requirements.
  4. You can use substitute notices like sending emails, posting the breach notice on your website, or alerting major statewide media if any of the following is true:

    • The cost of sending notifications is over $50,000,
    • The number of affected consumers exceeds 100,000, or
    • You don't have enough contact information to notify affected consumers

Type of Personal Information Protected

Oklahoma's data breach law protects "personal information," which it defines as:

A person's first name or initial and last name along with at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or state ID card number
  • Financial account number or credit/debit card number along with relevant passwords, expiration date, and security/access code that would permit access to the account

Keep in mind that personal information doesn't include publicly available information.

Penalties for Non-Compliance

Non-compliance with Oklahoma's data breach law is considered an unlawful practice under the Oklahoma Consumer Protection Act.

For state-licensed financial institutions, enforcement can be carried out by the primary state regulator. Enforcement for all other entities rests with Oklahoma's Attorney General and the District Attorney, who can impose a civil penalty of up to $150,000 per breach.

Oregon's data breach law sits at Sections 646A.602 and 646A.604 of Oregon's Statutes. It's otherwise known as the Oregon Consumer Identity Theft Protection Act.

This law applies to entities that do business in Oregon or handle the computerized personal information of its residents and experience a "breach of security."

Under Oregon's law, a breach is defined as:

"unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains or possesses."

Like other state laws, Oregon's breach definition excludes good-faith data acquisition or use by an employee or agent for legitimate business purposes.

Notification Requirements

If you experience a breach involving the personal information of Oregon's residents, Oregon's law requires you to notify affected consumers as quickly as possible, at most 45 days after discovering the security breach.

When sending consumer notices, the law requires that you include the following:

  • A description of the incident and the type of personal information compromised
  • Telephone number to reach the business/entity (if it exists)
  • Contact information for national consumer reporting agencies
  • Advice to report suspected identity theft

You can send notices to consumers using any of the following:

  • Written notice
  • Electronic notice in compliance with the E-SIGN Act
  • Telephonic notice

Businesses that experience a breach, either directly or via a third party, must notify affected consumers and, if more than 250 consumers must be notified, the Oregon Attorney General (in writing or electronically).

For breaches affecting more than 1,000 Oregon residents, you must also notify all consumer reporting agencies without delay.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would compromise a criminal investigation.
  2. Third parties who experience a breach must notify the relevant data owners within 10 days after discovery.
  3. Notification isn't necessary if you establish that misuse of the information is not reasonably possible. You must keep this result in writing and maintain it for at least five years.
  4. Compliance with federal laws like HIPAA, GLBA, and other named laws exempts you from Oregon's breach notification requirements.
  5. You can use substitute notices like posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notifications is over $250,000,
    • The number of affected consumers exceeds 350,000, or
    • You don't have sufficient contact information to notify affected consumers

Types of Personal Information Protected

Oregon's data breach law protects "personal information," which it defines as:

An Oregon resident's first name or first initial and last name combined with at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or state ID card number
  • Passport number or other government-issued identification
  • Account number or credit/debit card number (if it can be used without additional information, access codes, or passwords)
  • Biometric data
  • Health insurance information
  • Medical history

Notably, all of the above are considered personal information even without a first name or first initial and last name if they can be used for identity theft.

Keep in mind that personal information doesn't include publicly available information.

Penalties for Non-Compliance

Non-compliance with Oregon's data breach law is considered an unlawful trade practice and enforcement rests exclusively with the Oregon Attorney General. Violators are liable to civil penalties of up to $25,000 per violation.

The Breach of Personal Information Notification Act is Pennsylvania's main data breach law. It applies to businesses that operate within the state or cater to its residents and handle their computerized personal information.

Under Pennsylvania's law, a data breach is an

"unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the entity as part of a database of personal information regarding multiple individuals and that causes or the entity reasonably believes has caused or will cause loss or injury to any resident of this Commonwealth"

This definition notably excludes good-faith data collection by an employee or agent for legitimate purposes.

Notification Requirements

If you experience a breach involving the computerized personal information of Pennsylvania's residents, Pennsylvania's law requires you to notify affected consumers "without unreasonable delay." In essence, the law offers no concrete timeframe for sending consumer notifications.

You can send notices to consumers using any of the following:

  • Written notice
  • Telephonic notice
  • Email/Electronic notice in compliance with the E-SIGN Act

For breaches affecting over 500 Pennsylvania residents, you must concurrently notify all affected consumers, the state's Attorney General, and all consumer reporting agencies without unreasonable delay.

If the personal information involved in the breach includes an individual's name (first and last name or first initial and last name) as well as any of the following, access to a free credit report and credit monitoring services is required:

  • Social Security number,
  • Bank account number, or
  • Driver's license/state identification card number

The company involved in the breach must pay for one independent credit report for each individual affected by the breach if the individual is not able or eligible to obtain one from a consumer reporting agency for free.

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency determines that sending them could hinder a criminal or civil investigation.
  2. Compliance with federal laws like HIPAA and HITECH exempts you from Pennsylvania's breach notification requirements.
  3. Businesses whose internal notification policies are similar to Pennsylvania's data breach law are exempt from the state's breach notice requirements.
  4. You can use substitute notices like posting the breach on your website or in broadcast/print media if any of the following is true:

    • The cost of sending notifications is over $100,000,
    • The number of affected consumers exceeds 175,000, or
    • You're missing sufficient contact details to notify affected consumers

Type of Personal Information Protected

Pennsylvania's data breach law protects "personal information." It defines this as:

A Pennsylvania resident's first name or first initial and last name along with at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or other government-issued ID number
  • Financial account details with access codes, passwords or similar information that would allow access to the account
  • Biometric data
  • Medical information in the possession of a State agency or State agency contractor
  • Health insurance policy information
  • Online account credentials (username/email paired with a password or security question)

And like many others, Pennsylvania's personal information definition doesn't include publicly available information.

Penalties for Non-Compliance

Non-compliance with Pennsylvania's data breach law is considered an unfair or deceptive practice under the state's Unfair Trade Practices and Consumer Protection Law. Enforcement rests exclusively in the hands of Pennsylvania's Attorney General.

Rhode Island's data breach law sits at Chapter 49.3 of the Rhode Island General Laws. It's otherwise known as the Rhode Island Identity Theft Protection Act.

This law applies to entities that do business in Rhode Island, handle the computerized personal information of its residents, and experience a "security breach."

Under Rhode Island's law, a security breach means:

"unauthorized access or acquisition of unencrypted, computerized data information that compromises the security, confidentiality, or integrity of personal information maintained by the municipal agency, state agency, or person."

Like other state laws, Rhode Island's security breach definition exempts good-faith data acquisition by an employee or agent for legitimate purposes.

Notification Requirements

If a security breach occurs, Rhode Island's data breach law requires you to notify affected consumers as quickly as possible, at most 45 days after discovering the breach.

For breaches affecting more than 500 Rhode Island residents, you must also inform the Rhode Island Attorney General and major credit reporting agencies.

You can notify affected consumers using written or electronic notice in compliance with the E-SIGN Act. When sending consumer notices, the law requires that you include:

  • A description of the incident and the number of affected consumers
  • The type of personal information exposed and time of breach
  • Toll-free numbers of credit report agencies
  • Contact information of remediation service providers and the Attorney General
  • A statement acknowledging consumers' right to file or obtain a police report

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency determines that sending them will impede a criminal investigation.
  2. Complying with relevant federal laws or an internal security breach policy that aligns with Rhode Island's data breach law exempts you from the state's breach notice requirements.
  3. You can use substitute notices like sending emails, posting the breach notice on your website, or alerting major statewide media if any of the following is true:

    • The cost of sending notifications is over $25,000,
    • The number of affected consumers exceeds 50,000, or
    • You don't have sufficient contact information to notify affected consumers

Type of Personal Information Protected

Rhode Island's data breach law protects "personal information," which it defines as:

An individual's first name or initial and last name along with at least one of the following (unencrypted) data elements:

  • Social Security number
  • Driver's license, Rhode Island ID card number, tribal ID number
  • Financial account number or credit/debit card number along with relevant passwords, expiration date, and security/access code required to access the account
  • Medical or health insurance information
  • Email address with required security/access code that would permit access

Keep in mind that personal information doesn't include publicly available information.

Penalties for Non-Compliance

Non-compliance with Rhode Island's data breach law is considered a criminal offense under the Identity Theft Protection Act, and enforcement rests with the Rhode Island Attorney General.

Reckless or accidental violations attract a civil penalty of at most $200 for each personal record that is compromised.

The South Carolina data breach law sits at Section 39-1-90 of the state's Code of Laws. South Carolina's law applies to businesses that handle the personal information of South Carolina's residents and experience a security breach.

The law defines a breach as:

"unauthorized access to and acquisition of computerized data that was not rendered unusable through encryption, redaction, or other methods that compromises the security, confidentiality, or integrity of personal identifying information maintained by the person, when illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to a resident."

As with other state laws, a breach in South Carolina doesn't include good-faith data acquisition by employees or agents for legitimate business purposes.

Notification Requirements

If you experience a data breach, South Carolina's law requires you to notify affected consumers "in the most expedient time possible and without unreasonable delay." In other words, the law doesn't specify a concrete timeframe for notifying consumers.

You can send notices to consumers using any of the following:

  • Written notice
  • Telephonic notice
  • Electronic notice in compliance with the E-SIGN Act

For breaches affecting over 1,000 South Carolina residents, you must also notify the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would impede a criminal investigation or jeopardize national security.
  2. Third parties who suffer a security breach must notify the relevant businesses immediately after discovering the breach.
  3. Complying with an internal breach notice policy that aligns with South Carolina's data breach law exempts you from the state's breach notice requirements.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices exceeds $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

South Carolina's law protects "personal identifying information," which it defines as:

A South Carolina resident's first name or initial and last name combined with at least one of the following (unencrypted or unredacted) pieces of identifying information:

  • Social Security number
  • Driver's license number or state ID card number
  • Financial account numbers, credit/debit card numbers in combination with any security or access codes required to access the accounts
  • Other numbers or information that may be used to access a person's financial accounts, or numbers or information issued by a governmental or regulatory entity that will uniquely identify an individual

Like many others, South Carolina's data breach law exempts publicly available information.

Penalties for Non-Compliance

Non-compliance with South Carolina's data breach notification law is considered a civil violation of the South Carolina Code of Laws. Intentional violations attract an administrative fine of up to $1,000 per affected resident, enforced by the Department of Consumer Affairs.

A private right of action is also allowed for residents injured as a result of the violation. Under the law, they can:

  • Recover attorney fees and court costs
  • Recover damages in cases of intentional violations
  • Take civil action limited to the actual damages incurred for negligent violations

The South Dakota data breach law sits at Sections 22-40-19 to 22-40-26 of the state's Codified Laws. It applies to businesses that handle the personal information of South Dakotans and experience a "security breach."

Under South Dakota's law, a security breach means:

"unauthorized acquisition of unencrypted computerized data or encrypted computerized data and the encryption key by any person that materially compromises the security, confidentiality, or integrity of personal or protected information maintained by the information holder."

That said, good-faith data acquisitions by employees or agents for legitimate purposes are exempt from this definition.

Notification Requirements

In the event of a security breach, South Dakota's law requires you to notify affected consumers at most 60 days after discovering the breach.

You can send written or electronic notices to consumers in compliance with the E-SIGN Act.

For breaches affecting over 250 residents, you must also notify the South Dakota Attorney General, all consumer reporting agencies, and major credit bureaus/agencies.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would impede a criminal investigation.
  2. Once the law enforcement agency confirms that notifications won't interfere with a criminal investigation, you have at most 40 days to send notices.
  3. Notification isn't necessary if you can establish that the exposed information will not likely be misused.
  4. Complying with federal laws like HIPAA or GLBA, or with notification policies similar to South Dakota's data breach law, exempts you from the state's breach requirements.
  5. You can use substitute notices like sending emails, posting the breach on your website, or notifying a state-wide media agency if any of the following is true:

    • The cost of sending notices is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

South Dakota's data breach law protects "personal information," which it defines as:

A South Dakota resident's first name or first initial and last name plus at least one of the following data elements:

  • Social Security number
  • Driver's license number or other government-issued ID number
  • Financial account number or credit/debit card number, along with any security or access codes or passwords required to gain access to the account
  • Health information
  • Employee ID number and any required security/access code
  • A username or email address and any access codes or passwords required to gain access

Penalties for Non-Compliance

Non-compliance with South Dakota's data breach law triggers enforcement actions from the state's Attorney General, who can impose civil penalties of up to $10,000 per day per violation, recover attorney fees, and recoup any other costs incurred.

Tennessee's data breach notification law applies to businesses that handle the computerized personal information of Tennessee's residents and experience a "security breach."

Under Tennessee's law, a security breach means:

"acquisition of computerized data by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder."

Like other state laws, Tennessee's security breach definition excludes good-faith data acquisition by an employee or agent for legitimate business purposes.

Notification Requirements

Under Tennessee's law, you must notify affected consumers of a security breach as quickly as possible, but at most 45 days after discovering the breach.

You can send written or electronic notices to consumers in compliance with the E-SIGN Act.

For breaches affecting over 1,000 Tennessee residents, you must also notify all consumer reporting agencies and credit bureaus that compile and maintain consumer files on a nationwide basis.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would impede a criminal investigation.
  2. Once the law enforcement agency confirms that notifications won't interfere with a criminal investigation, you have at most 45 days to send notices.
  3. Third parties who experience a breach must notify the relevant information holders within 45 days of discovering the breach.
  4. Complying with relevant federal laws or an internal breach policy that mirrors Tennessee's data breach law exempts you from breach notification requirements.
  5. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Tennessee's data breach law protects "personal information." It defines this as:

A Tennessee resident's first name or first initial and last name plus at least one of the following data elements:

  • Social Security number
  • Driver's license number
  • Account number or credit/debit card number, along with relevant access codes or passwords required to gain access to the account

Like other laws, Tennessee's data breach law excludes publicly available information from its definition of personal information.

Penalties for Non-Compliance

If a breach occurs and notification isn't appropriately sent out within 45 days, fines of up to $10,000 a day may be issued. A private right of action is allowed for residents injured as a result of the violation to recover damages and prevent future cases of non-compliance.

Texas's data breach law sits at Chapter 521 of the Texas Business and Commerce Code. It's otherwise known as the Texas Identity Theft Enforcement and Protection Act.

This law applies to people, businesses, and state agencies that handle the personal information of Texas's residents and experience a "security breach."

Under Texas's law, a security breach means:

"unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of sensitive personal information maintained by a person, including data that is encrypted if the person accessing the data has the key required to decrypt the data."

Like other state laws, Texas's breach definition excludes good-faith data acquisition by an employee or agent for legitimate business purposes.

Notification Requirements

Texas's data breach law requires people, businesses, and agencies that experience a breach to notify consumers "without unreasonable delay, not later than 60 days."

You can notify consumers using either written or electronic notice in compliance with the E-SIGN Act.

For breaches affecting at least 250 Texas residents, you must notify the Texas Attorney General (via the Attorney General's online form) within 30 days of discovering the breach.

For breaches affecting over 10,000 Texas residents, you must also notify each consumer reporting agency that compiles and maintains consumer files on a nationwide basis.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would interfere with a criminal investigation.
  2. Third parties who suffer a breach must notify the relevant data owners or licensees immediately after discovering the breach.
  3. Complying with an internal breach notice policy that aligns with Texas's data breach law exempts you from the state's breach notification requirements.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Texas's data breach law protects "sensitive personal information," which it defines as:

A Texas resident's first name or first initial and last name combined with at least one of the following (unencrypted) data elements:

  • Social Security number
  • Driver's license number or government-issued ID number
  • Account number, or credit/debit card number, along with relevant password or security/access code required to gain access to the account
  • Physical or mental health condition information that identifies an individual
  • Health care information that identifies an individual
  • Payment for health insurance information that identifies an individual

Penalties for Non-Compliance

Non-compliance with Texas's data breach law attracts civil penalties of at least $2,000 and at most $50,000 per violation.

Intentional violators are liable to a fine of up to $100 for each individual who should be notified per day, but fines are capped at $250,000 for all affected consumers. Note that enforcement rests exclusively with the Texas Attorney General.

The Utah data breach law sits at Title 13, Chapter 44 of the Utah Code. This law applies to entities that do business in the state, handle the personal information of Utah residents, and experience a "breach of security."

Utah's law defines a breach of security as:

"The unauthorized acquisition of computerized data maintained by a person that compromises the security, confidentiality, or integrity of personal information."

This definition notably excludes data collection by an employee or agent for legitimate purposes.

Notification Requirements

Utah's data breach law requires businesses that experience a breach to conduct a "good-faith, reasonable, and prompt investigation" to determine whether the compromised information has been or is likely to be misused.

If the investigation finds that misuse has occurred or is likely, the law requires businesses to notify affected consumers "in the most expedient time possible and without unreasonable delay." In other words, the law doesn't specify a concrete timeframe for notifying affected consumers.

For breaches affecting 500 or more Utah residents, you must notify Utah's Attorney General and the Utah Cyber Center (via the state's online reporting form).

For breaches affecting 1,000 or more Utah residents, you must also notify all consumer reporting agencies that compile and maintain consumer files on a nationwide basis.

You can send notices to consumers using any of the following:

  • Written notice by first-class mail
  • Telephonic notice
  • Electronic notice in compliance with the E-SIGN Act

For affected consumers who are unreachable via the above methods, you can publish the notice in a newspaper of general circulation.

Some important caveats to take note of:

  1. You can delay notifications if law enforcement determines that sending them could hinder a criminal investigation.
  2. Third parties who suffer a breach must notify the relevant data owners or licensees immediately after discovering the breach.
  3. Compliance with federal laws like HIPAA or GLBA, or with internal procedures that align with Utah's data breach law, exempts you from all notification requirements.

Type of Personal Information Protected

Utah's data breach law protects "personal information," which it defines as:

A Utah resident's first name or first initial and last name along with at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Account number or credit/debit card number in combination with a password or access/security code required to access the account
  • Driver's license number or state ID number

Like other laws, Utah's data breach law excludes publicly available information from its definition of personal information.

Penalties for Non-Compliance

Enforcement rests in the hands of Utah's Attorney General. There is no private right of action.

For breaches that affect under 10,000 consumers, the Attorney General can impose a civil penalty of at most $2,500 per affected consumer, up to $100,000 total.

For breaches that affect 10,000 or more consumers (whether or not they are Utah residents), or where the breached business or organization agrees to higher penalties, higher penalties can be assessed.

Vermont's data breach law sits at Sections 2430 and 2435 of the Vermont Statutes. This law applies to information brokers and data collectors who do business in Vermont or handle its residents' personally identifiable information and experience a "security breach."

Under Vermont's law, a security breach means:

"unauthorized acquisition of electronic data, or a reasonable belief of an unauthorized acquisition of electronic data, that compromises the security, confidentiality, or integrity of a consumer's personally identifiable information or login credentials maintained by a data collector."

Note that good-faith data acquisitions by employees or agents for legitimate purposes aren't considered security breaches.

Notification Requirements

In the event of a security breach, Vermont's law requires you to notify affected consumers as quickly as possible, and at most 45 days after discovering the breach.

If the breach affects any Vermont residents, you must also notify the appropriate state regulators within the Department of Financial Regulation.

If your business isn't covered by the department, you instead notify Vermont's Attorney General (via the Attorney General's online form) within 14 days.

Note that your notice to the Attorney General must include the date of the breach, the date of discovery, and a preliminary summary of the breach.

When notifying affected consumers, the law requires you to include:

  • The date of the breach
  • Details of the incident and type of personally identifiable information exposed
  • Actions taken to prevent further unauthorized access
  • Toll-free numbers for further assistance and information
  • Advice to review and monitor financial information

You can send notices to consumers using any of the following:

  • Written notice
  • Electronic notice in compliance with the E-SIGN Act
  • Telephonic notice (via direct contact)

For breaches affecting over 1,000 Vermont residents, you must also notify all consumer reporting agencies without delay.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency determines that it would impede a criminal investigation.
  2. Third parties who experience a breach must notify the relevant information brokers and data collectors immediately after discovery.
  3. You don't have to send notices if an investigation finds that the information has not been misused and is not likely to be misused.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying a state-wide media agency if any of the following is true:

    • The cost of providing notification is over $10,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

Under Vermont's data breach law, "personally identifiable information" is:

A Vermont resident's first name or first initial and last name combined with at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number, driver's license number or Vermont ID card number
  • Passport number, taxpayer ID number, military ID number or other government-issued ID numbers
  • Financial account number, credit/debit card number if the number could be used without requiring any additional identifying information or passcodes
  • Any required security, access codes or passwords for financial account numbers, credit/debit card numbers
  • Biometric data
  • Genetic information
  • Health and medical records
  • Health insurance policy number

Note that personally identifiable information doesn't include publicly available information.

Penalties for Non-Compliance

Non-compliance with Vermont's data breach law is considered a violation of the Security Breach Act. For businesses it regulates (financial businesses), enforcement is carried out by the Department of Financial Regulation.

Enforcement for all other entities rests with Vermont's Attorney General and the State's Attorney Offices, and penalties of up to $10,000 per violation may be assessed.

Virginia's data breach law sits at Section 18.2-186.6 of the Code of Virginia. This law applies to entities that do business in Virginia, handle the computerized personal information of its residents, and experience a "security breach."

Virginia's data breach law defines a security breach as:

"unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes, or the individual or entity reasonably believes has caused, or will cause, identity theft or other fraud to any resident of the Commonwealth."

Like other laws, Virginia's security breach definition exempts good-faith data acquisition by an employee or agent for legitimate purposes.

Notification Requirements

If you experience a security breach, Virginia's law requires you to notify affected consumers and Virginia's Attorney General "without unreasonable delay." In other words, the law doesn't specify a concrete timeframe for notifying affected consumers.

When sending consumer notices, the law requires that you include:

  • A description of the incident and the type of personal information exposed
  • Actions taken to prevent further unauthorized access
  • Toll-free numbers for further assistance and information
  • Advice to review and monitor financial information

You can send notifications to consumers using any of the following:

  • Written notice
  • Electronic notice
  • Telephonic notice

If more than 1,000 Virginia residents must be notified, you must also notify the Virginia Attorney General and all consumer reporting agencies.

Some important caveats to take note of:

  1. You can delay notification for the legitimate needs of Virginia's law enforcement or to determine the breach's scope and address system vulnerabilities.
  2. Third parties who experience a breach must notify the relevant data owners without delay after discovering the breach.
  3. Complying with federal laws like GLBA or an internal breach policy that aligns with Virginia's data breach law exempts you from the state's breach notice requirement.
  4. You can use substitute notices like sending emails, posting the breach notice on your website, or alerting major statewide media if any of the following is true:

    • The cost of sending notifications is over $50,000,
    • The number of affected consumers exceeds 100,000, or
    • You don't have enough contact information to notify affected consumers

Type of Personal Information Protected

Virginia's data breach law protects "personal information," which it defines as:

A Virginia resident's first name or initial and last name along with at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or state ID card number
  • Financial account number or credit/debit card number along with relevant passwords, expiration date, and security/access codes that would allow access to the account
  • Passport number or Military ID number

Keep in mind that personal information doesn't include publicly available information.

Penalties for Non-Compliance

The Virginia Attorney General can enforce a civil penalty of at most $150,000 per breach.

The Washington data breach law sits at Chapter 19.255 of the Washington Revised Code. This law applies to businesses that operate within Washington or handle the personal information of its residents and experience a "security breach."

Under Washington's law, a security breach means:

"unauthorized acquisition of data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business."

Note: Good-faith data acquisition by an employee or agent for legitimate purposes doesn't qualify as a breach under Washington's data breach law.

Notification Requirements

Washington's data breach law requires businesses that experience a security breach to notify affected consumers without unreasonable delay, and at most 30 days after discovering the breach.

When sending consumer notices, the law requires that you include:

  • The name and contact information of the affected consumers
  • The date of the breach, date of discovery, and type of personal information exposed
  • Toll-free numbers and addresses of major credit reporting agencies

You can send consumer notices either via written or electronic notice in compliance with the E-SIGN Act.

For breaches affecting over 500 Washington residents, you must also notify the Washington Attorney General within 30 days (via the Attorney General's online form), including the following information:

  • The number of Washington residents affected
  • The date of the breach, when it was discovered, and the type of personal information exposed
  • What steps you've taken to mitigate damage
  • A sample of the notice sent to consumers (minus any personally identifiable information)

Some important caveats to take note of:

  1. You can delay notifications if a law enforcement agency determines that sending them could impede a criminal investigation.
  2. Third parties who suffer a data breach must notify the relevant database owners immediately after discovering the breach.
  3. Notification is not necessary if an investigation finds that the information has not been misused and is not reasonably likely to be misused.
  4. Compliance with federal laws like HIPAA or an internal breach notice policy that aligns with Washington's data breach law exempts you from all notification requirements.
  5. You can use substitute notices like sending emails, posting the breach notice on your website, or alerting major statewide media if any of the following is true:

    • The cost of sending notifications is over $250,000,
    • The number of affected consumers exceeds 500,000, or
    • You don't have sufficient contact information to notify affected consumers

Type of Personal Information Protected

Washington data breach law defines "personal information" as:

A Washington resident's first name or first initial and last name combined with one or more of the following data elements:

  • Social Security number
  • Driver's license number or Washington ID card number
  • Financial account number, or credit/debit card number in combination with any relevant password or security/access code that would allow access to the account
  • Full date of birth
  • Any unique private key that is used by the individual for authentication or digital signature
  • Student, military or passport ID number
  • Health insurance policy number or health insurance ID number
  • Medical records
  • Biometric data

Usernames or email addresses along with relevant passwords or security questions and answers in combination with anything on the above list will count as personal information, even if the first name/initial and last name are not included, if the information is unencrypted and the data elements together could facilitate identity theft.

Personal information doesn't include publicly available information.

Penalties for Non-Compliance

Non-compliance with Washington's data breach law is considered an unfair or deceptive act. Enforcement rests exclusively with the Washington Attorney General, who can decide the appropriate remedies.

A private right of action is allowed for residents injured as a result of the violation to recover damages.

The West Virginia Consumer Credit and Protection Act is the primary law regulating data breach notifications in the state. This law applies to entities that handle the computerized personal information of West Virginia residents and experience a breach.

The law defines a breach as:

"the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this state."

Like many others, West Virginia's breach definition excludes good-faith data acquisition by employees or agents for legitimate business purposes.

Notification Requirements

West Virginia's law requires you to notify affected consumers about a security breach "without unreasonable delay." In essence, the law doesn't specify a concrete timeframe for individuals and businesses to send notifications.

You can notify affected consumers using any of the following:

  • Written notice
  • Telephonic notice
  • Electronic notice in compliance with the E-SIGN Act

When sending consumer notices, the law requires that you include the following:

  • The type of personal information exposed
  • Telephone number or website for further assistance and information
  • Toll-free numbers for the major credit reporting agencies

For breaches affecting over 1,000 West Virginia residents, you must also notify all consumer reporting agencies without delay.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency finds that it would impede a criminal investigation.
  2. Third parties who experience a breach must notify the relevant data owners "as soon as practicable" after discovering the breach.
  3. Complying with relevant federal laws or an internal notification procedure that aligns with West Virginia's law exempts you from the state's breach notice requirements.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying state-wide media if any of the following is true:

    • The cost of sending notices exceeds $50,000,
    • The number of affected consumers exceeds 100,000, or
    • You don't have sufficient contact information to notify consumers

Types of Personal Information Protected

West Virginia's law protects "personal information," which it defines as:

A West Virginia resident's first name or first initial and last name combined with at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or state ID card number
  • Financial account numbers, credit/debit card numbers in combination with any required security or access codes in order to gain access to the account

Like other state laws, personal information under West Virginia's data breach law excludes publicly available information.

Penalties for Non-Compliance

Non-compliance with West Virginia's data breach notification law is considered an unfair or deceptive act/practice under the West Virginia Code.

Sanctions rest exclusively in the hands of West Virginia's Attorney General, who can impose a civil penalty of at most $150,000 per breach, but only in cases of repeat and intentional violations.

Wisconsin's data breach law sits at Section 134.98 of the Wisconsin Statutes. This law applies to entities that acquire, own, or license the personal information of Wisconsin residents and experience a breach.

The law defines a breach as:

"when an Entity whose principal place of business is located in WI or an Entity that maintains or licenses PI in WI knows that PI in the Entity's possession has been acquired by a person whom the Entity has not authorized to acquire the PI, or, in the case of an Entity whose principal place of business is not located in WI, when it knows that PI pertaining to a resident of WI has been acquired by a person whom the Entity has not authorized to acquire the PI."

Note that PI stands for Personal Information.

Notification Requirements

Wisconsin law requires you to notify affected consumers about a breach as quickly as reasonably possible, but at most 45 days after discovery of the breach.

You can send consumer notices by mail or by another method previously established with the consumer. If you don't have a mailing address for the affected consumers or any prior means of communicating with them, you must set up a reliable method to notify them.

That said, notification isn't necessary if an investigation finds that there is no reasonable likelihood of harm to consumers.

For breaches affecting over 1,000 Wisconsin residents, you must also notify all consumer reporting agencies that compile and maintain nationwide consumer files.

Some important caveats to take note of:

  1. You can delay notification if a law enforcement agency determines that it would impede a criminal investigation.
  2. Third parties who experience a breach must notify the relevant data owners as soon as possible after discovering the breach.
  3. Compliance with the breach notice requirements of federal laws like HIPAA and GLBA exempts you from Wisconsin's breach notice requirements.

Types of Personal Information Protected

Wisconsin's law protects "personal information," which it defines as:

A Wisconsin resident's last name together with their first name or first initial, combined with at least one of the following (unencrypted or unredacted) data elements:

  • Social Security number
  • Driver's license number or state ID number
  • Financial account numbers, credit or debit card numbers in combination with any required security or access codes that would allow access to the account
  • DNA profiles
  • Biometric data

Like other state laws, personal information under Wisconsin's data breach law excludes publicly available information.

Penalties for Non-Compliance

Non-compliance with Wisconsin's data breach law can result in legal action from Wisconsin's Attorney General. Criminal charges are allowed when appropriate.

The Wyoming data breach law sits at Sections 40-12-501 and 40-12-502 of the Wyoming Statutes. It applies to entities that do business in the state, handle the personal information of Wyoming residents, and experience a "breach of security."

Wyoming's law defines a breach of security as:

"the unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal identifying information maintained by a person or business and causes or is reasonably believed to cause loss or injury to a resident of this state."

This definition notably excludes good-faith data acquisition by an employee or agent for legitimate purposes.

Notification Requirements

Wyoming's law requires businesses that experience a breach to conduct a prompt, reasonable investigation to determine whether the compromised information has been or is likely to be misused.

If the investigation finds that misuse has occurred or is likely, the law requires businesses to notify affected consumers "in the most expedient time possible and without unreasonable delay." In other words, Wyoming's law doesn't specify a concrete timeframe for notifying affected consumers.

When sending consumer notices, the law requires that you include the following:

  • A toll-free number for the affected business and for the major credit reporting agencies
  • The type of personal information exposed
  • Details of the incident and date of the breach
  • Actions taken to prevent further unauthorized access
  • Advice to monitor and review financial information
  • Whether notification was delayed due to a law enforcement investigation

You can send consumer notices either via written or electronic notice in compliance with the E-SIGN Act.

Some important caveats to take note of:

  1. You can delay notifications if law enforcement determines that sending them could hinder a criminal investigation.
  2. Third parties who suffer a breach must notify the relevant data owners or licensees immediately after discovering the breach.
  3. Compliance with federal laws like HIPAA exempts you from all notification requirements.
  4. You can use substitute notices like sending emails, posting the breach on your website, or notifying applicable local or state-wide media if any of the following is true:

    • The cost of sending notices exceeds $10,000 for Wyoming-based businesses and $250,000 for all non-Wyoming-based businesses,
    • The number of affected consumers exceeds 10,000 for Wyoming-based businesses and 500,000 for all others, or
    • You don't have sufficient contact information to notify consumers

Type of Personal Information Protected

Wyoming's data breach law protects "personal identifying information," which it defines as:

  • Address
  • Telephone number
  • Social Security number
  • Driver's license number
  • State or federally issued ID card number
  • Shared secrets or security tokens that are known to be used for data-based authentication
  • Username or email address in combination with access codes, security codes or passwords that will allow account access
  • Marriage or birth certificate
  • Medical history
  • Health insurance information (policy number or subscriber ID number that will identify an individual)
  • Financial account number or credit/debit card number with required password, or access/security code that would allow access to the account
  • Biometric data

Like other laws, Wyoming's data breach law excludes publicly available information from its definition of personal information.

Penalties for Non-Compliance

Non-compliance with Wyoming's data breach law can trigger legal action from Wyoming's Attorney General, who can seek "appropriate relief" to recover direct economic damages resulting from a violation.


Summary

Data breaches are causing a global frenzy today. Not surprisingly, they're attracting regulatory attention from governments worldwide.

In the United States, data breach laws follow a patchwork system with each state having its own data breach law. This translates to 50 different sets of rules to consider depending on where your business operates.

Each state's law has different provisions when it comes to things like:

  • What qualifies as a data breach
  • How to define personal information
  • Breach notification deadlines for consumers and the authorities
  • Penalties for non-compliance and whether or not there's a private right of action

Long story short, it's important to carefully consider the nuances of all relevant U.S. state laws if and when a data breach occurs. We recommend consulting a legal professional for additional guidance and accurate compliance.
