Data Breach Notification Laws by State

Consumer data in the United States is currently protected by a patchwork of industry-specific federal laws and state legislation whose scope and jurisdiction vary. The challenge of compliance for organizations that conduct business across all 50 states is therefore considerable. This page provides a summary of the requirements of each of the 48 state data breach notification laws as of August 2017.

Please note this is only an information summary and is in no way a substitute either for consulting the laws themselves or for taking appropriately qualified legal advice.

The 48 state data breach notification laws by state

Alabama

No legislation.

Alaska

Alaska Statutes 45.48: Personal Information Protection Act

  • Enacted in 2008, Alaska’s data breach notification legislation requires entities that own or license the personal information of Alaska residents to notify them without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their personal information.
  • Notification is not required if an investigation determines that there is no reasonable likelihood that the affected individuals will be caused harm by the information’s loss and the Attorney General is informed of this fact.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p), unless they are compliant with the GLBA.
  • Breached third parties must notify the relevant data owners or licensees.
  • Civil penalties of between $500 and $50,000 are stipulated.

Arizona

Arizona Revised Statutes 44-7501

  • Enacted in 2006, Arizona’s data breach notification legislation requires entities that conduct business in Arizona, and that own or license unencrypted computerized personal information relating to Arizona residents, to inform affected individuals without unreasonable delay if an investigation determines that there has been a data breach that could result in the unauthorized acquisition of their unencrypted and unredacted personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Entities in compliance with relevant federal and state regulations, HIPAA or the GLBA are deemed to comply with this law.
  • Breached third parties must notify the relevant data owners or licensees.
  • Civil penalties of up to $10,000 per breach are stipulated.

Arkansas

Arkansas Code 4-110-101: Personal Information Protection Act

  • Enacted in 2005, Arkansas’s data breach notification legislation requires entities, regardless of their location, that acquire, own or license computerized personal information relating to Arkansas residents to notify affected individuals without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information.
  • Notification is not required if an investigation determines that there is no reasonable likelihood that the affected individuals will be caused harm by the information’s loss.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Breached third parties must notify the relevant data owners or licensees.

California

California Civil Code 1798.29 and 1798.80

  • Enacted in 2002, California’s data breach notification legislation requires entities that own or license computerized personal information to give notice to residents of California without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 500 individuals have to be notified of a breach the Attorney General must also be notified.
  • Breached third parties must notify the relevant data owners or licensees.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • HIPAA-covered entities are deemed to comply with this law.

Colorado

Colorado Revised Statutes 6-1-717

  • Enacted in 2006, Colorado’s data breach notification legislation requires entities that conduct business in Colorado, and that own or license computerized personal information, to notify Colorado residents without unreasonable delay if an investigation determines that the misuse of their unencrypted or unredacted personal information has occurred or is likely to occur as the result of a data breach.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 Colorado residents have to be notified of a breach, the entity must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify and cooperate with the relevant data owners or licensees.
  • Entities in compliance with the GLBA are deemed to comply with this law.

Connecticut

Connecticut General Statutes 36a-701b

  • Enacted in 2005 and updated in 2015, Connecticut’s data breach notification legislation requires entities that conduct business in Connecticut, and that own, license, or maintain computerized personal information, to inform Connecticut residents within 90 days of any data breach that affects their unencrypted personal information and to provide them with identity theft prevention services for at least a year.
  • Notification is not required if an investigation determines that there is no reasonable likelihood that the affected individuals will be caused harm by the information's loss.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • The Attorney General must be informed at the same time as affected individuals.
  • Breached third parties must notify the relevant data owners or licensees.
  • Entities that comply with relevant state regulations are deemed to comply with this law.

Delaware

Delaware Code Title 6, Chapter 12B

  • Enacted in 2005, Delaware’s data breach notification legislation requires entities that conduct business in Delaware, and that own or license computerized personal information relating to Delaware residents, to notify affected individuals without unreasonable delay if an investigation determines that the misuse of their unencrypted or unredacted personal information has occurred or is likely to occur as the result of a data breach and that there is a reasonable likelihood that the affected individuals will be caused harm by the information's loss.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.

Florida

CS/CS/SB 1524: Florida Information Protection Act of 2014

  • Originally enacted in 2005 and amended by the Florida Information Protection Act 2014 (FIPA), Florida’s data breach notification legislation requires entities that conduct business in Florida, and that acquire, maintain, store or use personal information, to inform Florida residents of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information.
  • Notification must be carried out within 30 days of discovery of a breach if an investigation determines that there is a reasonable likelihood of identity theft or any other financial harm to the affected individuals.
  • The Department of Legal Affairs may grant an extra 15 days to inform individuals. If more than 500 individuals have to be notified of a breach, breached entities must also inform the Department of Legal Affairs within 30 days of the breach’s discovery.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals are affected, breached entities must also inform all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p), without unreasonable delay.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Breached third parties must notify the relevant data owners or licensees within ten days of the discovery of a breach if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person, and may also agree with the data owner or licensee to notify the affected individuals.
  • If the breached third parties do not agree to notify the affected individuals, the responsibility of notification falls on the data owner or licensee.
  • Civil penalties of up to $500,000 per breach are stipulated.

Georgia

Georgia Code 10-1-912

  • Enacted in 2005, Georgia’s data breach notification legislation requires entities, except for certain governmental agencies, that collect and process personal information to inform Georgia residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also inform all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Breached third parties must notify the relevant data owners or licensees within 24 hours of the discovery of a breach if personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Hawaii

Hawaii Revised Statutes 487N-1

  • Enacted in 2006, Hawaii’s data breach notification legislation requires entities that own or license the personal information of residents of Hawaii to notify affected individuals without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information and that creates a risk of harm to them.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, Hawaii’s Office of Consumer Protection must also be notified, as must all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees.
  • Breached government agencies must submit a written report to the legislature within 20 days of the discovery of a security breach.
  • Health care organizations in compliance with HIPAA are deemed to comply with this law, as are financial institutions in compliance with the Federal Interagency Guidance Programs for Unauthorized Access to Customer Information and Customer Notice.
  • Penalties of up to $2,500 are stipulated for each violation except those committed by government agencies.

Idaho

Idaho Code 28-51-104

  • Enacted in 2006, Idaho’s data breach notification legislation requires entities that conduct business in Idaho, and that own or license the computerized personal information of Idaho residents, to notify affected individuals without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • State agencies must inform the office of the Idaho Attorney General within 24 hours of the discovery of a data breach.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Breached third parties must notify the relevant data owners or licensees.
  • Entities that fail to meet the notice requirements are subject to a fine of up to $25,000 per breach.
  • Government employees who intentionally disclose personal information are subject to a fine of up to $2,000 and/or up to a year’s imprisonment.

Illinois

815 ILCS 530: Personal Information Protection Act

  • Enacted in 2005, Illinois’s data breach notification legislation requires entities that own or license personal information relating to Illinois residents to notify affected individuals without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities that maintain their own breach notification procedures are deemed to be in compliance with the notification requirements of this law.
  • Breached third parties must notify the relevant data owners or licensees.
  • State agencies that collect personal information must submit a written report to the General Assembly within five business days of the discovery or notification of a breach.

Indiana

Indiana Code 24-4.9-3

  • Enacted in 2005, Indiana’s data breach notification legislation requires entities that own or license computerized personal information relating to Indiana residents to notify affected individuals without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information if it could result in identity theft or fraud.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also inform all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Entities in compliance with HIPAA, the GLBA, the USA PATRIOT Act, and other named laws are deemed to comply with this law.

Iowa

Iowa Code 715C.1

  • Enacted in 2008 and amended in 2014, Iowa’s data breach notification legislation requires entities that own or license computerized personal information relating to Iowa residents to notify affected individuals without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information.
  • Notification is not required if an investigation determines that there is no reasonable likelihood that the affected individuals will be caused financial harm by the information’s loss.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 500 individuals have to be notified of a breach, breached entities must also notify the director of the consumer protection division of the Attorney General’s Office within five days of notice being given to affected individuals.
  • Breached third parties must notify the relevant data owners or licensees.
  • Entities in compliance with the GLBA and those that comply with notification requirements that provide greater protection for personal information are deemed to comply with this law.

Kansas

Kansas Statutes 50-7a02

  • Enacted in 2006, Kansas’s data breach notification legislation requires entities that conduct business in Kansas, and that own or license computerized personal information relating to Kansas residents, to notify affected individuals without unreasonable delay if an investigation determines that the misuse of their unencrypted or unredacted personal information has occurred or is likely to occur as the result of a data breach.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also inform all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.

Kentucky

HB 232

  • Enacted in 2014, Kentucky’s data breach notification legislation requires entities that conduct business in Kentucky to notify Kentucky residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Entities that are in compliance with the GLBA, HIPAA, or with other named legislation, are deemed to comply with this law.
  • Provisions are also made for the processing of student data by Cloud Computing service providers.

Louisiana

Louisiana Revised Statutes 51:3071 and Louisiana Administrative Code (Title 16, Part III, Chapter 7, Section 701)

  • Enacted in 2005, Louisiana’s data breach notification legislation requires entities that conduct business in Louisiana, or that own or license computerized personal information, to notify Louisiana residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information.
  • Notification is not required if an investigation determines that there is no reasonable likelihood that the affected individuals will be caused harm by the information’s loss.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Entities in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law.
  • Civil actions to recover damages may be instituted.
  • Breached entities that fail to notify the Attorney General within 10 days of notifying affected individuals may be fined up to $5,000 per violation.

Maine

Maine Revised Statutes Title 10, Chapter 210-B

  • Enacted in 2005, Maine’s data breach notification legislation requires entities – regardless of their location – that maintain computerized personal information relating to Maine residents to notify them without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information if an investigation determines that there is a reasonable likelihood of the personal information being misused.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • The relevant state regulators or the state Attorney General must also be informed.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees.
  • Civil penalties of $500 per violation are stipulated, up to a maximum of $2,500 per day.

Maryland

Maryland Commercial Code 14-3501

  • Enacted in 2007, Maryland’s data breach notification legislation requires entities – regardless of their location – that own or license computerized personal information relating to residents of Maryland to notify affected individuals without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information if an investigation determines that there is a reasonable likelihood of the personal information being misused.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • The Attorney General’s Office must be notified before the affected individuals.
  • If more than 1,000 individuals have to be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees if it is likely that the breach has resulted or will result in the misuse of a Maryland resident’s personal information.
  • Organizations in compliance with the GLBA or with relevant federal or state regulations are deemed to comply with this law.

Massachusetts

Massachusetts General Laws 93H, Section 1

  • Enacted in 2007, Massachusetts’s data breach notification legislation requires entities – regardless of their location – that own, license, maintain or store personal information relating to Massachusetts residents to notify them without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify and cooperate with the relevant data owners or licensees.
  • Breached entities must also inform the Attorney General and the director of consumer affairs and business regulation, who will then pass on any relevant information to consumer reporting agencies and state agencies.
  • Entities that comply with relevant state or federal regulations are deemed to comply with this law.

Michigan

Michigan Identity Theft Protection Act 452 of 2004

  • Enacted in 2006, Michigan’s data breach notification legislation requires entities – regardless of their location – that own or license the personal information of Michigan residents to notify them without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information, unless the breached entity determines that the security breach will not cause loss or injury to, or result in identity theft with respect to, one or more Michigan residents.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p), unless they are subject to Title V of the GLBA.
  • Failure to provide notification is a misdemeanor punishable by up to 30 days’ imprisonment and/or a fine of up to $250 per violation. The fine increases to $500 per violation for second offences, and $750 per violation for third ones. Failure to provide notification may also result in a civil fine of up to $250 per violation, up to a maximum fine of $750,000 per breach.
  • Entities in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice and HIPAA-covered entities are deemed to comply with this law.

Minnesota

Minnesota Statutes 325E.61

  • Enacted in 2005, Minnesota’s data breach notification legislation requires entities that conduct business in Minnesota, and that own or license personal information, to notify residents of Minnesota without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 500 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p), within 48 hours.
  • Breached third parties must notify the relevant data owners or licensees.
  • Entities that maintain their own breach notification procedures are deemed to comply with the notification requirements of this law.
  • HIPAA-covered entities are deemed to comply with this law.

Mississippi

Mississippi Code 75-24-29

  • Enacted in 2010, Mississippi’s data breach notification legislation requires entities that conduct business in Mississippi, and that own, license or maintain personal information, to notify affected individuals without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their personal information.
  • Notification is not required if an investigation determines that there is no reasonable likelihood that the affected individuals will be caused harm by the information’s loss.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees if personal data has been or is reasonably believed to have been acquired without authorization for fraudulent purposes.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Entities that comply with federal breach regulations are deemed to comply with this law.

Missouri

Missouri Revised Statutes 407.1500

  • Enacted in 2009, Missouri’s data breach notification legislation requires entities that own or license the personal information of Missouri residents to inform them without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information if an investigation determines that there is a reasonable likelihood of identity theft or fraud.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify the Attorney General’s Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Entities regulated by other state or federal laws relating to data security are deemed to comply with this law, as are financial institutions subject to other relevant legislation, including the GLBA.

Montana

Montana Code 30-14-1704

  • Enacted in 2006 and updated in 2015 by HB 74, Montana’s data breach notification legislation requires entities that conduct business in Montana, and that own or license computerized personal information, to notify Montana residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information.
  • The Attorney General must also be notified.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached entities must coordinate notification with consumer reporting agencies where necessary.
  • Breached third parties must notify the relevant data owners or licensees if personal data has been or is reasonably believed to have been acquired without authorization for fraudulent purposes.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.

Nebraska

Nebraska Revised Statutes 87-801: Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006

  • Enacted in 2006, Nebraska’s data breach notification legislation requires entities that conduct business in Nebraska, and that own or license computerized personal information relating to Nebraska residents, to inform affected individuals without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their personal information if an investigation determines that there is a reasonable likelihood of the personal information being misused.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify and cooperate with the relevant data owners or licensees if the personal information of a Nebraska resident has been used or is reasonably likely to be used for an unauthorized purpose.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Entities that maintain security procedures in compliance with other state or federal legislation are deemed to comply with this law.

Nevada

Nevada Revised Statutes 603A.010

  • Enacted in 2005 and updated in 2015 by AB 179, Nevada’s data breach notification legislation requires entities that own or license computerized personal information to inform Nevada residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
  • Entities in compliance with the GLBA and those that maintain their own notification procedures are deemed to comply with the notification requirements of this law.

New Hampshire

New Hampshire Revised Statutes 359-C:20

  • Enacted in 2006, New Hampshire’s data breach notification legislation requires entities that conduct business in New Hampshire, and that own or license computerized personal information, to notify affected individuals without unreasonable delay of any data breach that results or could result in the misuse of their personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p) unless they are subject to Title V of the GLBA.
  • Breached third parties must notify and cooperate with the relevant data owners or licensees.
  • Entities engaged in trade or commerce must notify the relevant regulator; all other entities must inform the Attorney General.
  • Entities regulated by other state or federal data security legislation are deemed to comply with this law.

New Jersey

New Jersey Statutes 56:8-163: Identity Theft Prevention Act

  • Enacted in 2005, New Jersey’s data breach notification legislation requires entities that conduct business in New Jersey, and that compile or maintain computerized personal information, to inform New Jersey residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their computerized personal information, unless the entities determine that misuse of the personal information is not reasonably possible.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes; before notifying the affected individuals, breached entities must notify the Division of State Police in the Department of Law and Public Safety.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, accessed by an unauthorized person.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.

New Mexico

New Mexico Data Breach Act - HB 15

Enacted in April 2017, New Mexico’s data breach notification legislation requires entities that conduct business in New Mexico to do the following when a breach occurs:

  • Notify individuals affected by a breach.
  • If the breach affects more than 1,000 residents of New Mexico, notify the office of the Attorney General and consumer reporting agencies.
  • Notification of the event must be made within 45 days.

A substitute notice is permitted in specific circumstances, and notification may be delayed for law enforcement purposes.

Organizations are exempt from the requirements of the legislation if they adhere to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA).

New York

New York General Business Law 899-aa and State Technology Law 208

  • Enacted in 2005 and amended in 2013, New York’s data breach notification legislation requires entities that conduct business in New York, and that own or license computerized personal information, to notify New York residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their computerized personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • The Attorney General, the Consumer Protection Board, the NYS Division of State Police and the Office of Information Technology Services must also be notified.
  • If more than 5,000 New York residents have to be notified of a breach, breached entities must also notify those consumer reporting agencies specified by the state Attorney General.
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.

North Carolina

North Carolina General Statutes 75-61 and 75-65

  • Enacted in 2005, North Carolina’s data breach notification legislation requires entities that own or license the personal information of North Carolina residents to inform them without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their personal information as well as informing the Attorney General’s Office.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 North Carolina residents have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees.
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law.

North Dakota

North Dakota Century Code 51-30-01

  • Enacted in 2005 and updated in 2015 by SB 2214, North Dakota’s data breach notification legislation requires entities that own or license computerized personal information to inform North Dakota residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information.
  • The Attorney General must be notified if more than 250 North Dakota residents are affected.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Financial institutions in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, and entities that are subject to Title 45 of the Code of Federal Regulations, subpart D, part 164 are deemed to comply with this law.

Ohio

Ohio Revised Code 1349.19

  • Enacted in 2005, Ohio’s data breach notification legislation requires entities that conduct business in Ohio, and that own or license computerized personal information, to notify Ohio residents no more than 45 days after the discovery or notification of any data breach that results or could result in the unauthorized access to and acquisition of their unencrypted and unredacted personal information and is likely to cause the risk of identity theft or fraud.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, unless they are covered by HIPAA.
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, accessed and acquired by an unauthorized person, and if there is a material risk of identity theft or fraud to an Ohio resident.
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law.

Oklahoma

Oklahoma Statutes Title 24, Chapter 8: Security Breach Notification Act

  • Enacted in 2008, Oklahoma’s data breach notification legislation requires entities that own or license computerized personal information relating to Oklahoma residents to notify them without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are entities that comply with relevant notification requirements of federal regulators.
  • The state Attorney General or a district attorney may obtain damages for the violation of this law, or a civil penalty of up to $150,000 per breach.

Oregon

Oregon Revised Statutes 646A.600: Oregon Consumer Identity Theft Protection Act

  • Enacted in 2007 and updated in 2015, Oregon’s data breach notification legislation requires entities that own or license personal information to notify affected individuals without unreasonable delay of any data breach that affects their unencrypted personal information.
  • Notification is not required if an investigation or consultation with relevant authorities determines that the affected individuals will be unlikely to be harmed by the information’s loss.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Breached third parties must notify the relevant data owners or licensees.
  • Entities that are compliant with the GLBA, with their federal regulators’ notification requirements, or with state or federal laws that provide greater protection for personal information are deemed to comply with this law.

Pennsylvania

Pennsylvania Statutes 73-2301: Breach of Personal Information Notification Act

  • Enacted in 2006, Pennsylvania’s data breach notification legislation requires entities that conduct business in Pennsylvania, and that maintain, store or manage computerized personal information relating to Pennsylvania residents, to notify affected individuals without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are entities that comply with relevant notification requirements of federal regulators.
  • The Attorney General may bring a civil action against an entity that willfully or intentionally violates this law.

Rhode Island

Rhode Island General Laws 11-49.3: Rhode Island Identity Theft Protection Act of 2015

  • Enacted in 2015, Rhode Island’s data breach notification legislation requires entities that own, maintain or license personal information about a Rhode Island resident to implement and maintain a risk-based information security program, and not to retain personal information for longer than is reasonably required.
  • Entities must notify residents of Rhode Island within 45 days of the discovery of any data breach that poses a risk of identity theft.
  • The Attorney General must be notified if more than 500 Rhode Island residents are affected.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees if unencrypted personal information has been, or is reasonably believed to have been, acquired by an unauthorized person and there is a significant risk of identity theft.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are HIPAA-covered entities and entities that comply with relevant notification requirements of federal regulators.

South Carolina

South Carolina Code 39-1-90

  • Enacted in 2008, South Carolina’s data breach notification legislation requires entities that conduct business in South Carolina, and that own or license computerized personal information, to notify South Carolina residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition and illegal use of their unencrypted and unredacted personal information, and creates a material risk of harm.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must notify the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Financial organizations in compliance with the GLBA are deemed to comply with this law, as are those that are compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice.
  • The Department of Consumer Affairs can levy administrative fines of up to $1,000 per affected South Carolina resident for persons who knowingly and willfully violate this law.

South Dakota

No legislation.

Tennessee

Tennessee Code 47-18-2107

  • Enacted in 2005, Tennessee’s data breach notification legislation requires entities that own or license computerized personal information to notify Tennessee residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Entities subject to the provisions of Title V of the GLBA are deemed to comply with this law.

Texas

Texas Business and Commerce Code 521.002 and 521.053

  • Enacted in 2007, Texas’s data breach notification legislation requires entities that conduct business in Texas, and that own or license computerized personal information, to notify affected individuals without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their personal information.
  • If the affected individuals are residents of states that have their own data breach notification laws then the notification requirements of those laws should be followed.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 10,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.

Utah

Utah Code 13-44-101, 13-44-202 and 13-44-301: Protection of Personal Information Act

  • Enacted in 2006, Utah’s data breach notification legislation requires entities that own or license computerized personal information relating to Utah residents to notify them without unreasonable delay if an investigation determines that there is a reasonable likelihood of their personal information being misused for identity theft or fraud as the result of a data breach.
  • Notification may be delayed for law enforcement purposes.
  • Breached third parties must notify and cooperate with the relevant data owners or licensees if misuse of the personal information has occurred or is reasonably likely to occur.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law, as are those regulated by other relevant state or federal security laws.
  • Civil penalties of between $2,500 and $100,000 are stipulated for violations of this law.

Vermont

Vermont Statutes Annotated 9-2430 and 2435

  • Enacted in 2006, Vermont’s data breach notification legislation requires entities that own or license computerized personal information to notify Vermont residents no later than 45 days after the discovery or notification of any data breach that results or could result in the unauthorized acquisition of their personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 Vermont residents have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • The Attorney General or the Department of Financial Regulation must be notified of any breach within 14 days of its discovery or the date on which affected individuals were notified.
  • Breached third parties must notify the relevant data owners or licensees.
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are those that are subject to the National Credit Union Administration’s Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.

Virginia

Virginia Code 18.2-186.6 and 32.1-127.1:05

  • Enacted in 2008, Virginia’s data breach notification legislation requires entities that own or license computerized personal information to notify Virginia residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information and could cause identity theft or fraud.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • The state Attorney General must also be notified.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • If health information is involved, the Commissioner of Health must also be notified.
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Entities that comply with HIPAA, the GLBA or relevant federal or state regulations are also deemed to comply with this law.

Washington

Washington Revised Code 19.255.010

  • Enacted in 2005 and updated in 2015, Washington’s data breach notification legislation requires entities that own or license personal information to inform Washington residents without unreasonable delay, and within 45 days, of the discovery of any data breach that results or could result in the unauthorized acquisition of their unsecured personal information unless the breach is not reasonably likely to subject the affected individuals to a risk of harm.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
  • HIPAA covered entities and entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.

West Virginia

West Virginia Code 46A-2A-101

  • Enacted in 2008, West Virginia’s data breach notification legislation requires entities that own or license computerized personal information to inform West Virginia residents without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information and could cause identity theft or fraud.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are those that comply with relevant regulations.

Wisconsin

Wisconsin Statutes 134.98

  • Enacted in 2006, Wisconsin’s data breach notification legislation requires entities that conduct business in Wisconsin, and that maintain or license personal information, to make reasonable efforts to notify affected individuals within 45 days of the discovery or notification of any data breach that results in the unauthorized acquisition of their unencrypted and unredacted personal information if there is a material risk of identity theft or fraud to the affected individual.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees.
  • HIPAA-covered entities and those that are compliant with Title V of the GLBA are deemed to comply with this law.

Wyoming

Wyoming Statutes 40-12-502

  • Enacted in 2007 and updated in 2015 by SF 35 and SF 36, Wyoming’s data breach notification legislation requires entities that conduct business in Wyoming, and that own or license computerized personal information relating to Wyoming residents, to notify affected individuals without unreasonable delay if an investigation determines that their unredacted personal information has been or is reasonably likely to be misused as the result of a data breach. Notice must be 'clear and conspicuous' and fulfil a number of listed requirements.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person, and may also agree with the data owner or licensee to notify the affected individuals.
  • If the breached third parties do not agree to notify the affected individuals, the responsibility of notification falls on the data owner or licensee.
  • Financial institutions that maintain notification procedures subject to certain other named requirements are deemed to comply with this law.
  • Health care organizations in compliance with HIPAA are deemed to comply with this law.

A note on consumer reporting agencies

15 USC Section 1681a(p) is cited by many state laws. It states:

The term ‘consumer reporting agency that compiles and maintains files on consumers on a nationwide basis’ means a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide:

  1. Public record information.
  2. Credit account information from persons who furnish that information regularly and in the ordinary course of business.

Compliance

Complying with the many state data breach notification laws can be complex. However, implementing and maintaining an Information Security Management System (ISMS) as laid out in the international information security management standard, ISO 27001, will help organizations achieve compliance with a host of related legislative and regulatory requirements.

The latest version of the Standard, ISO 27001:2013, is simple to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. In addition, ISO 27001:2013 has been developed in order to harmonize with other ISO standards, so the auditing process will be integrated and smooth, and will remove the need for multiple audits.

Furthermore, the additional external validation demonstrated by accredited registration to ISO 27001 will improve an organization’s cyber security posture while providing a higher level of confidence in customers and stakeholders, which is essential for securing certain global and government contracts.

IT Governance, a specialist in the field of information security, has created ISO 27001 packaged solutions to give US organizations online access to world-class expertise.

Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.

Alan Calder, Founder and Executive Chairman of IT Governance, commented: “If understood and implemented correctly, ISO 27001 can help to rationalize security expenditure and reduce the impact of cyber crime, while giving a business a competitive edge.”