Data Breach Notification Laws by State

Personal information in the United States is currently protected by a patchwork of industry-specific federal laws and state legislation whose scope and jurisdiction vary. The challenge of compliance for organizations that conduct business across all 50 states is therefore considerable. This page provides a summary of the requirements of each of the 50 state data breach notification laws as of July 2018.

Please note this is only an information summary and is in no way a substitute either for consulting the laws themselves or for taking appropriately qualified legal advice. Laws may be subject to change.


The 50 state data breach notification laws


Alabama

2018 S.B. 318, Act No. 396

  • Enacted in 2018, Alabama’s data breach notification legislation requires entities that acquire or use “sensitive personally identifying information” of Alabama residents to notify affected individuals of any unauthorized acquisition of that data.
  • Notification in writing must be made as expeditiously as possible and without unreasonable delay, and no later than 45 days after receipt of notice of the breach. Notification is not required if it is determined that the breach is not reasonably likely to cause substantial harm to affected individuals.
  • Breached third parties must notify the relevant data owners or licensees within 10 days.
  • If more than 1,000 individuals must be notified of a breach, breached entities must also notify the Attorney General, and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities in compliance with relevant federal and state regulations, HIPAA or the GLBA are deemed to comply with this law. They must still provide written notice to the Alabama Attorney General when the number of individuals the entity notified exceeds 1,000.
  • Civil penalties as high as $500,000 per breach are stipulated. Failure to properly notify can result in additional penalties of up to $5,000 per day for each consecutive day there is a failure to comply with the notification provisions.

Alaska

Alaska Statutes 45.48.010: Personal Information Protection Act

  • Enacted in 2008, Alaska’s data breach notification legislation requires entities that own or license the personal information of Alaska residents to notify them without unreasonable delay of any data breach that results or could result in the unauthorized acquisition of their personal information. Acquisition can include paper-based methods.
  • Notification is not required if an investigation determines that there is no reasonable likelihood that harm to the affected individuals has resulted or will result from the information’s loss, and the Attorney General is informed of this determination in writing.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p), unless they are compliant with the GLBA.
  • Breached third parties must notify the relevant data owners or licensees.
  • Civil penalties of between $500 and $50,000 are stipulated.

Arizona

Arizona Revised Statutes 18-545

  • Enacted in 2006, Arizona’s data breach notification law requires entities that conduct business in Arizona which own, maintain, or license unencrypted and unredacted computerized personal information to notify affected individuals within 45 days of determining that a breach has occurred. 
  • Notification is not required if an investigation determines a breach has not resulted in or is not reasonably likely to result in substantial economic loss to affected individuals.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities must notify the Attorney General in writing if the entity is required to notify more than 1,000 Arizona residents. 
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law, if the procedures are consistent with statute and are followed in the event of a breach.
  • Entities in compliance with relevant federal and state regulations, HIPAA or the GLBA are deemed to comply with this law.
  • Breached third parties must notify the relevant data owners or licensees as soon as possible.
  • Civil penalties of up to $10,000 per affected individual, up to a maximum of $500,000 per breach or series of related breaches, are stipulated.

Arkansas

Arkansas Code 4-110-101: Personal Information Protection Act

  • Enacted in 2005, Arkansas’s data breach notification legislation requires entities - regardless of their location - that acquire, own, or license computerized personal information relating to Arkansas residents to notify affected individuals of unauthorized acquisitions of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the entity.
  • Notification must be made in the most expedient time and manner possible without unreasonable delay.
  • Notification is not required if an investigation determines that there is no reasonable likelihood of harm to affected individuals.
  • Breached third parties must notify the relevant data owners or licensees immediately following discovery of the unauthorized acquisition.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law, if the procedures are consistent with statute and are followed in the event of a breach.

California

California Civil Code 1798.29 and 1798.82

  • Enacted in 2002, California’s data breach notification legislation requires entities that own or license computerized personal information to give notice to residents of California of any data breach that results or could result in the unauthorized acquisition of unencrypted personal information.
  • Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities must notify the Attorney General if the entity is required to notify more than 500 California residents. The entity can electronically submit a sample copy of the notification.
  • Breached third parties must notify the relevant data owners or licensees immediately following discovery of the unauthorized acquisition. 
  • Entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law, if the procedures are consistent with statute and are followed in the event of a breach.
  • HIPAA-covered entities are deemed to comply with the notice requirements of this law if they comply with the notice requirements of HIPAA. 
  • Any customer injured by a violation of this title may institute a civil action to recover damages.

Colorado

Colorado Revised Statutes 6-1-716

  • Enacted in 2006, Colorado’s data breach notification law requires entities that conduct business in Colorado, and that own, license, or maintain computerized personal information on Colorado residents to notify those individuals of unauthorized acquisition of unencrypted data that compromises the security, confidentiality, or integrity of personal information. 
  • Notice shall be made in the most expedient time possible and without unreasonable delay, but not later than 30 days after determining a breach occurred. 
  • If notice is provided to more than 500 CO residents, the entity must also notify the Attorney General. 
  • If notice is provided to more than 1,000 CO residents, the entity must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify and cooperate with the relevant data owners or licensees immediately following discovery of a breach, if misuse of personal information about a CO resident occurred or is likely to occur.
  • Notification pursuant to laws, rules, regulations, guidance, or guidelines established by an entity’s primary state regulator is sufficient for compliance with this law.

Connecticut

Connecticut General Statutes 36a-701b

  • Enacted in 2005, Connecticut’s data breach notification law requires entities that conduct business in Connecticut, and that own, license, or maintain computerized personal information, to notify Connecticut residents of any unauthorized access or acquisition of electronic files, media, databases, or computerized data containing readable, usable, or unencrypted personal information.
  • Notification shall be made without unreasonable delay, but no later than 90 days after the discovery of a breach, unless a shorter time is required under federal law. Notice must also be provided to the Attorney General. 
  • Notification is not required if an investigation, along with consultation with relevant government agencies, determines that there is no reasonable likelihood that the breach will result in harm to affected individuals. 
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees immediately following the actual discovery or reasonable belief that a breach has occurred.
  • Notification pursuant to laws established by an entity’s primary state regulator is sufficient for compliance with this law.

Delaware

Delaware Code Title 6, Chapter 12B

  • Enacted in 2005, Delaware’s data breach notification law requires entities that conduct business in Delaware, and that own or license computerized personal information of Delaware residents, to notify affected individuals of any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information and renders such information readable or usable.
  • Notice must be made without unreasonable delay but not later than 60 days after determination of a security breach, unless a shorter time period applies under federal law. 
  • Notification is not required if, after appropriate investigation, the entity reasonably determines that the breach is unlikely to result in harm to the affected individuals.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees immediately following determination of a breach.
  • Entities which maintain their own notification procedures as part of an information security policy that contains timing requirements consistent with state law are deemed to comply with the notification requirements of this law if the entity notifies affected Delaware residents in accordance with its policies.

Florida

Fla. Stat. § 501.171

  • Enacted in 2014, Florida’s data breach notification law requires any entity that acquires, maintains, stores, or uses personal information to notify individuals in the state of unauthorized access to personal information in electronic form.
  • Notice to individuals must be made as expeditiously as practicable and without unreasonable delay, and no later than 30 days after determination of a security breach. Entities may receive 15 additional days if good cause is provided to the Department of Legal Affairs in writing within the original 30-day period.
  • Entities must also provide notice to the Department of Legal Affairs if the breach affects more than 500 individuals in Florida.
  • If more than 1,000 individuals are affected, breached entities must also inform all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p), without unreasonable delay. 
  • Notice is not required if an appropriate investigation and consultation with relevant government agencies determines the breach has not and likely will not result in identity theft or any other financial harm to affected individuals. Such determination must be documented in writing and maintained for at least five years. Entities must provide this written determination to the Department of Legal Affairs within 30 days after the determination.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees within ten days of the discovery of a breach. After receiving notice from a third party, the data owner must provide notice to the Department of Legal Affairs and to affected individuals.
  • Failure to properly notify either the Department of Legal Affairs or affected individuals may result in civil penalties of $1,000 per day that the breach goes undisclosed for up to 30 days, and $50,000 for each 30-day period thereafter up to 180 days, not to exceed $500,000.

Georgia

Georgia Code 10-1-912

  • Enacted in 2005, Georgia’s data breach notification legislation requires information brokers and data collectors to notify Georgia residents when unencrypted personal information is, or is reasonably believed to have been, acquired by an unauthorized person. 
  • Notice shall be made in the most expedient time possible and without unreasonable delay.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees within 24 hours of the discovery of a breach if personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
  • If more than 10,000 Georgia residents have to be notified of a breach, breached entities must also inform all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a, without unreasonable delay.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies. 

Hawaii

Hawaii Revised Statutes 487N-1

  • Enacted in 2006, Hawaii’s data breach notification law requires entities to notify affected individuals of any unauthorized access or acquisition of unencrypted or unredacted personal information, where illegal use of the personal information has occurred or is reasonably likely to occur and creates a risk of harm to an individual.
  • Notice must be made without unreasonable delay. 
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • If more than 1,000 individuals must be notified, Hawaii’s Office of Consumer Protection must also be notified, as must all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees immediately following discovery of the breach.
  • Breached government agencies must submit a written report to the legislature within 20 days of the discovery of a breach.
  • Health care organizations in compliance with HIPAA are deemed to comply with this law, as are financial institutions in compliance with the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
  • Penalties of up to $2,500 are stipulated for each violation. Businesses may also be liable for any actual damages suffered by individuals. 

Idaho

Idaho Code 28-51-104

  • Enacted in 2006, Idaho’s data breach notification law requires entities that conduct business in Idaho, and that own or license the computerized personal information of Idaho residents, to notify affected individuals of an illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information.      
  • Notice shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach, identify affected individuals, and restore the reasonable integrity of data system(s). State agencies must inform the office of the Idaho Attorney General within 24 hours of the discovery of a data breach.
  • Breached third parties must notify the relevant data owners or licensees immediately following discovery of a breach if misuse of personal information about an Idaho resident occurred or is reasonably likely to occur.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.    
  • Entities that intentionally fail to give notice are subject to a fine of up to $25,000 per breach.
  • Government employees who intentionally disclose personal information are subject to a fine of up to $2,000 and/or up to a year’s imprisonment.

Illinois

815 ILCS 530: Personal Information Protection Act

  • Enacted in 2005, Illinois’s data breach notification law requires entities that own or license personal information relating to Illinois residents to notify affected individuals of any unauthorized acquisition of their unencrypted and unredacted personal information.
  • Notice shall be made in the most expedient time possible and without unreasonable delay.
  • Breached third parties must notify the relevant data owners or licensees immediately following discovery.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.   
  • State agencies that collect personal information must submit a written report to the General Assembly within five business days of the discovery or notification of a breach.

Indiana

Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq.

  • Enacted in 2005, Indiana’s data breach notification law requires entities that own or license computerized personal information to notify Indiana residents of any unauthorized acquisition of their unencrypted or unredacted personal information if it could result in identity theft or fraud.
  • Notice shall be made without unreasonable delay. Database owners must also disclose the breach to the Attorney General.
  • If more than 1,000 individuals must be notified of a breach, breached entities must also inform all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.
  • Entities in compliance with HIPAA, the GLBA, the USA PATRIOT Act, and other named laws are deemed to comply with this law.
  • Knowingly or intentionally failing to comply with database maintenance obligations is actionable only by the state Attorney General with penalties up to $150,000 per violation.

Iowa

Iowa Code 715C.1

  • Enacted in 2008, Iowa’s data breach notification law requires entities that own or license computerized personal information relating to Iowa residents to notify affected individuals of any unauthorized acquisition of their unencrypted and unredacted personal information.
  • Notice shall be made in the most expeditious manner possible and without unreasonable delay. 
  • If more than 500 individuals must be notified of a breach, breached entities must also notify the director of the consumer protection division of the Attorney General’s Office within five days of notice being given to affected individuals.
  • Breached third parties must notify the relevant data owners or licensees.
  • Notification is not required if, after appropriate investigation or consultation with relevant government authorities, the entity determines no reasonable likelihood of financial harm to affected individuals has resulted or will result from the breach.  
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities in compliance with the GLBA and those that comply with notification requirements that provide greater protection for personal information are deemed to comply with this law.

Kansas

Kansas Statutes 50-7a01

  • Enacted in 2006, Kansas’s data breach notification law requires entities that conduct business in Kansas and that own or license computerized personal information, to notify Kansas residents of any unauthorized acquisition of their unencrypted and unredacted personal information.
  • Notice must be made without unreasonable delay. Notification is not required if a good-faith, reasonable and prompt investigation determines that personal information has not been and will not be misused.
  • If more than 1,000 individuals must be notified of a breach, breached entities must also inform all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Breached third parties must notify the relevant data owners or licensees following discovery of the breach.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.  

Kentucky

KY Rev. Stat. §365.732

  • Enacted in 2014, Kentucky’s data breach notification law requires entities that conduct business in Kentucky to notify Kentucky residents of any unauthorized acquisition of their unencrypted personal information.
  • Notice must be made without unreasonable delay. 
  • Breached third parties must notify the relevant data owners as soon as reasonably practical following discovery of a breach. 
  • If more than 1,000 individuals must be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes. 
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.
  • Entities in compliance with the GLBA, HIPAA, or with other named legislation, are deemed to comply with this law.

Louisiana

Louisiana Revised Statutes 51:3071 and Louisiana Administrative Code (Title 16, Part III, Chapter 7, Section 701)

  • Enacted in 2005, Louisiana’s data breach notification law requires entities that conduct business in Louisiana or that own or license computerized personal information of Louisiana residents, to notify affected individuals of any unauthorized acquisition of their unencrypted and unredacted personal information.
  • Notice must be made without unreasonable delay, but no later than 60 days following discovery of the breach. 
  • Notification is not required if an investigation determines there is no reasonable likelihood of harm to affected individuals.
  • Breached third parties must notify the relevant data owners or licensees if personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
  • When notice to Louisiana residents is required, written notice must also be provided to the Consumer Protection Section of the Attorney General’s Office. 
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.
  • Entities in compliance with the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice are deemed to comply with this law.
  • Breached entities that fail to notify the Attorney General within 10 days of notifying affected individuals may be fined up to $5,000 per day. Civil actions to recover actual damages may also be instituted.

Maine

10 Me. Rev. Stat. § 1346 et seq.

  • Enacted in 2005, Maine’s data breach notification law requires entities that maintain computerized personal information relating to Maine residents to notify affected individuals of unauthorized acquisition of their unencrypted and unredacted personal information.
  • Notice shall be made without unreasonable delay. Relevant state regulators or the state Attorney General must also be informed.
  • Notice is not required if the entity conducts an investigation which determines there is no reasonable likelihood personal information has been or will be misused.
  • If more than 1,000 individuals must be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify the relevant data owners or licensees.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Civil penalties of $500 per violation are stipulated, up to a maximum of $2,500 per day.

Maryland

Maryland Commercial Law Code 14-3501

  • Enacted in 2007, Maryland’s data breach notification law requires entities that own or license computerized personal information relating to Maryland residents to notify affected individuals of unauthorized acquisition of their unencrypted and unredacted personal information if an investigation determines there is a reasonable likelihood of the personal information being misused.
  • Notice must be made as soon as reasonably practicable, but no later than 45 days after any internal investigation. 
  • The Attorney General’s Office must be notified before affected individuals.
  • If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Breached third parties must notify relevant data owners or licensees if it is likely that the breach has resulted or will result in the misuse of a Maryland resident’s personal information.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Organizations in compliance with the GLBA or with relevant federal or state regulations are deemed to comply with this law.

Massachusetts

Massachusetts General Laws 93H, Section 1

  • Enacted in 2007, Massachusetts’s data breach notification law requires entities that own, license, maintain or store personal information of Massachusetts residents to notify them of unauthorized acquisition or use of unencrypted/de-encrypted data that creates a substantial risk of identity fraud or theft. 
  • Notice must be made without unreasonable delay when the entity knows or has reason to know of a breach.
  • Breached entities must also inform the Attorney General and the director of consumer affairs and business regulation, who will then pass on any relevant information to consumer reporting agencies and state agencies.
  • Breached third parties must notify and cooperate with the relevant data owners or licensees without unreasonable delay.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities that comply with relevant state or federal regulations are deemed to comply with this law.

Michigan

Mich. Comp. Laws §§ 445.63, 445.72

  • Enacted in 2006, Michigan’s data breach notification law requires any entity which owns or licenses personal information of Michigan residents to notify affected individuals of unauthorized acquisition of their unencrypted and unredacted personal information.
  • Notice must be made without unreasonable delay, unless the breached entity determines the security breach will not cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents.
  • Breached third parties must notify the relevant data owners or licensees.
  • If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p), unless they are subject to Title V of the GLBA.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • False notification with intent to defraud is a misdemeanour criminal offense subject to monetary penalties or imprisonment. 
  • Failure to provide proper notification may also result in a civil fine of up to $250 per violation, up to a maximum fine of $750,000 per breach.
  • Entities in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice and HIPAA-covered entities are deemed to comply with this law.

Minnesota

Minnesota Statutes 325E.61

  • Enacted in 2005, Minnesota’s data breach notification law requires entities that conduct business in Minnesota, and that own or license personal information, to notify residents of Minnesota of any unauthorized acquisition of their unencrypted personal information.
  • Notice must be given without unreasonable delay.
  • Breached third parties must notify the relevant data owners or licensees immediately following discovery of the breach.
  • If more than 500 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a, within 48 hours.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies. HIPAA-covered entities are deemed to comply with this law.

Mississippi

Mississippi Code 75-24-29

  • Enacted in 2010, Mississippi’s data breach notification law requires entities that conduct business in Mississippi, and that own, license or maintain personal information of a Mississippi resident, to notify affected individuals of unauthorized acquisition of their unsecured personal information. 
  • Notice must be made without unreasonable delay, subject to the completion of appropriate investigation. 
  • Notification is not required if an investigation determines there is no reasonable likelihood affected individuals will be harmed by the information’s loss.
  • Breached third parties must notify the relevant data owners or licensees as soon as practicable following discovery of a breach. Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.
  • Entities that comply with federal breach regulations are deemed to comply with this law.

Missouri

Missouri Revised Statutes 407.1500

  • Enacted in 2009, Missouri’s data breach notification law requires entities that own or license the personal information of Missouri residents to notify them of any unauthorized acquisition of their unencrypted or unredacted personal information.
  • Notice must be made without unreasonable delay after discovery of the breach. 
  • Notification is not required if, after appropriate investigation or consultation with relevant government agencies, the entity determines there is no reasonable likelihood of identity theft or fraud. Breached third parties must notify the relevant data owners or licensees immediately following discovery of the breach.
  • If more than 1,000 individuals must be notified, breached entities must also notify the Attorney General’s Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.
  • Entities compliant with other state or federal laws relating to data security are deemed to comply with this law, as are financial institutions subject to other relevant legislation, including the GLBA.

Montana

Montana Code 30-14-1704

  • Enacted in 2006, Montana’s data breach notification law requires entities that conduct business in Montana and own or license computerized personal information to notify Montana residents of any unauthorized acquisition of their unencrypted personal information.
  • Notice must be made without unreasonable delay. An electronic copy of the notice, along with supporting information, must also be submitted to the Attorney General’s consumer protection office. 
  • Breached entities must coordinate notification with consumer reporting agencies where necessary.
  • Breached third parties must notify the relevant data owners or licensees immediately following discovery of the breach. 
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.

Nebraska

Nebraska Revised Statutes 87-801

  • Enacted in 2006, Nebraska’s data breach notification law requires entities that conduct business in Nebraska and own or license computerized personal information of Nebraska residents to inform affected individuals of any unauthorized acquisition of unencrypted personal information.
  • Notice must be made without unreasonable delay, unless an investigation determines it is unlikely the personal information will be used for unauthorized purposes. 
  • Breached third parties must notify and cooperate with the relevant data owners or licensees when they become aware of a breach.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies. 
  • Entities that maintain security procedures in compliance with other state or federal legislation are deemed to comply with this law.

Nevada

Nevada Revised Statutes 603A.010

  • Enacted in 2005, Nevada’s data breach notification law requires entities that own or license computerized personal information to inform Nevada residents of any unauthorized acquisition of their unencrypted personal information.
  • Notice must be made without unreasonable delay.
  • If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies.
  • Breached third parties must notify the relevant data owners or licensees immediately following discovery of a breach.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.

New Hampshire

New Hampshire Revised Statutes 359-C:20

  • Enacted in 2006, New Hampshire’s data breach notification law requires entities doing business in New Hampshire that own or license computerized personal information to notify affected individuals of any unauthorized acquisition of personal information where misuse of the information has occurred or is reasonably likely to occur. 
  • Notice must be made as soon as possible. 
  • Entities engaged in New Hampshire trade or commerce must notify the relevant regulator; all other entities must inform the Attorney General.
  • Breached third parties must notify and cooperate with the relevant data owners or licensees immediately following discovery of the breach.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p) unless they are subject to Title V of the GLBA.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with other state or federal law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.

New Jersey

New Jersey Statutes 56:8-163: Identity Theft Prevention Act

  • Enacted in 2005, New Jersey’s data breach notification law requires any entity that compiles or maintains computerized personal information to notify affected individuals of unauthorized access to unencrypted or unsecured personal information. 
  • Notice must be made without unreasonable delay. Disclosure is not required if the entity establishes that misuse of the personal information is not reasonably possible.
  • Prior to disclosure, the entity must report the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling, which may include dissemination or referral to other appropriate law enforcement entities.     
  • Breached third parties must notify relevant data owners or licensees immediately following discovery of a breach. 
  • If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies. 

New Mexico

New Mexico Data Breach Act - HB 15

  • Enacted in 2017, New Mexico’s data breach notification law requires entities that own or license personal information of a New Mexico resident to notify affected individuals of any unauthorized acquisition of unencrypted/de-encrypted computerized data.
  • Notification must be made no later than 45 calendar days after discovery of the breach. Breached third parties must also notify relevant data owners or licensees within 45 days. 
  • If notice must be provided to more than 1,000 New Mexico residents, notice must also be given to the attorney general and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. The notice must include the number of New Mexico residents affected and include a copy of the notice that went to affected residents.
  • Substitute notice is permitted in specific circumstances, and notification may be delayed for law enforcement purposes. 
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.
  • Organizations are exempt from the requirements of the legislation if they adhere to the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA).

New York

New York General Business Law 899-aa and State Technology Law 208

  • Enacted in 2005, New York’s data breach notification law requires entities which conduct business in New York and which own or license computerized private information to notify New York residents of any unauthorized acquisition of their computerized personal information.
  • Notice must be made without unreasonable delay. The Attorney General, the Consumer Protection Board, the NYS Division of State Police, and the Office of Information Technology Services must also be notified.
  • If more than 5,000 New York residents must be notified, breached entities must also notify consumer reporting agencies.
  • Breached third parties must notify relevant data owners or licensees immediately following discovery of the breach.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.

North Carolina

North Carolina General Statutes 75-61 and 75-65

  • Enacted in 2005, North Carolina’s data breach notification law requires entities that own or license the personal information of North Carolina residents to inform them of unauthorized acquisition of their unencrypted and unredacted personal information where illegal use of the personal information has occurred or is reasonably likely to occur or creates a material risk of harm to a consumer.
  • Notice must be made without unreasonable delay. Notification must also be made to the Consumer Protection Division of the state’s Attorney General’s office. 
  • Breached third parties must notify the relevant data owners or licensees immediately following discovery of the breach. 
  • If more than 1,000 North Carolina residents must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 USC Section 1681a(p).
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law.

North Dakota

North Dakota Century Code 51-30-01

  • Enacted in 2005, North Dakota’s data breach notification law requires entities that conduct business in North Dakota and that own or license computerized personal information to notify affected individuals of any unauthorized acquisition of their unencrypted personal information.
  • Notice must be made without unreasonable delay. The Attorney General must be notified if more than 250 North Dakota residents are affected.
  • Breached third parties must notify the relevant data owners or licensees immediately following discovery of the breach. 
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies. 
  • Financial institutions in compliance with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice, and entities that are subject to Title 45 of the Code of Federal Regulations, subpart D, part 164 are deemed to comply with this law.

Ohio

Ohio Revised Code 1349.19

  • Enacted in 2005, Ohio’s data breach notification law requires entities that conduct business in Ohio and that own or license computerized personal information to notify Ohio residents of any data breach that does result or could result in the unauthorized access and acquisition of their unencrypted or unredacted personal information that is likely to cause a risk of identity theft or fraud.
  • Notice must be made in the most expedient time possible, no later than 45 days after discovery or notification of the breach. Breached third parties must notify the relevant data owners or licensees as well.
  • If more than 1,000 individuals have to be notified of a breach, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, unless they are covered by HIPAA.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law.

Oklahoma

24 Okla. Stat. § 161 et seq.

  • Enacted in 2008, Oklahoma’s data breach notification law requires entities that own or license computerized personal information of Oklahoma residents to notify them of any data breach that results in unauthorized access and acquisition of their unencrypted or unredacted personal information that is likely to cause a risk of identity theft or fraud.
  • Notice must be made without unreasonable delay. 
  • Breached third parties must notify the relevant data owners or licensees as soon as practicable.  
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies. 
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are entities that comply with relevant notification requirements of federal regulators.
  • The state Attorney General or a district attorney may obtain actual damages for the violation of this law, or a civil penalty of up to $150,000 per breach.

Oregon

Oregon Revised Statutes 646A.600: Oregon Consumer Identity Theft Protection Act

  • Enacted in 2007, Oregon’s data breach notification law requires entities that own, license, or possess personal information used in the course of the entity’s business to notify affected individuals of any unauthorized acquisition of unencrypted or unredacted personal information. 
  • Notice must be made in the most expedient manner possible and without unreasonable delay, no later than 45 days after discovering or receiving notice of the breach. At least one copy of the notice must also be sent to the Attorney General or other primary regulator.
  • If more than 250 individuals must be notified, breached entities must also notify the Attorney General in the same manner as consumers. 
  • If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Breached third parties must notify relevant data owners or licensees as soon as practicable following discovery of the breach.
  • Notification is not required if an investigation or consultation with relevant authorities determines that the affected individuals are unlikely to be harmed by the information’s loss.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities that are compliant with the GLBA, with their federal regulators’ notification requirements, or with state or federal laws that provide greater protection for personal information are deemed to comply with this law.

Pennsylvania

Pennsylvania Statutes 73-2301: Breach of Personal Information Notification Act

  • Enacted in 2006, Pennsylvania’s data breach notification law requires entities doing business in Pennsylvania that maintain, store, or manage computerized personal information of Pennsylvania residents to notify affected individuals of any data breach that results or could result in the unauthorized acquisition of their unencrypted and unredacted personal information.
  • Notice must be made without unreasonable delay.
  • If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Breached third parties must notify relevant data owners or licensees.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies. 
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are entities that comply with relevant notification requirements of federal regulators.

Rhode Island

Rhode Island General Laws 11-49.3

  • Enacted in 2006, Rhode Island’s data breach notification law requires entities that store, own, collect, process, maintain, acquire, use, or license personal information to notify Rhode Island residents of any unauthorized access or acquisition of their unencrypted personal information which poses a significant risk of identity theft. 
  • Notice must be made in the most expedient time possible but no later than 45 calendar days after confirmation of the breach.
  • If more than 500 Rhode Island residents must be notified, the Attorney General must be notified, along with major credit reporting agencies. 
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.   
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are HIPAA-covered entities and entities that comply with relevant notification requirements of federal regulators.

South Carolina

South Carolina Code 39-1-90

  • Enacted in 2008, South Carolina’s data breach notification law requires entities that conduct business in South Carolina, and that own or license computerized personal information, to notify South Carolina residents of unauthorized access to and acquisition of unencrypted or unredacted personal information when illegal use of the information creates a material risk of harm. 
  • Notice must be made without unreasonable delay. 
  • If more than 1,000 individuals must be notified, breached entities must notify the Consumer Protection Division of the Department of Consumer Affairs and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Breached third parties must notify relevant data owners or licensees immediately following discovery of a breach. 
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.   
  • Financial organizations in compliance with the GLBA are deemed to comply with this law, as are those that are compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice.
  • The Department of Consumer Affairs can levy administrative fines of up to $1,000 per affected South Carolina resident for entities that knowingly and wilfully violate this law.

South Dakota

South Dakota’s Senate Bill 62

  • Enacted in 2018, South Dakota’s data breach notification law requires entities that conduct business in South Dakota, and that own or license computerized personal information of South Dakota residents, to notify affected individuals of the unauthorized acquisition of their unencrypted personal information. 
  • Notice must be made within 60 days of discovering the breach. Consumer reporting agencies and any credit bureaus must be notified without unreasonable delay. 
  • If more than 250 South Dakota residents must be notified, breached entities must also notify the Attorney General. 
  • Notice is not required if, following appropriate investigation and notification to the Attorney General, the entity reasonably believes the breach will not result in harm to affected individuals. 
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities in compliance with relevant federal and state regulations, HIPAA or the GLBA are deemed to comply with this law.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.   
  • Financial organizations in compliance with the GLBA are deemed to comply with this law, as are those that are compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice.
  • The Attorney General is authorized to impose fines of up to $10,000 per day, per violation. 

Tennessee

Tennessee Code 47-18-2107

  • Enacted in 2005, Tennessee’s data breach notification law requires entities that conduct business in Tennessee and that own or license computerized personal information to notify Tennessee residents of the unauthorized acquisition of their unencrypted personal information.
  • Notice must be made immediately, but no later than 45 days from the discovery or notification of the breach. Breached third parties must also notify the relevant data owners or licensees within 45 days.
  • If more than 1,000 individuals must be notified, breached entities must notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis. 
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies. 
  • Entities subject to the provisions of Title V of the GLBA are deemed to comply with this law.

Texas

Texas Business and Commerce Code 521.002 and 521.053

  • Enacted in 2007, Texas’s data breach notification law requires entities that conduct business in Texas and own or license computerized personal information to notify affected individuals of the unauthorized acquisition of their personal information.
  • Notice must be made as quickly as possible. 
  • Breached third parties must notify relevant data owners or licensees immediately after discovering the breach.
  • If more than 10,000 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies. 
  • The Attorney General is authorized to enforce civil penalties of at least $2,000 but not more than $50,000 for each violation. Civil penalties for failure to comply with notification requirements are $100 per person to whom notification is due, per day, not to exceed $250,000 per breach.

Utah

Utah Code 13-44-101, 13-44-202 and 13-44-301: Protection of Personal Information Act

  • Enacted in 2006, Utah’s data breach notification law requires entities that own or license computerized personal information relating to Utah residents to notify them of unauthorized acquisition of their personal information. 
  • Notice must be made without unreasonable delay, but notification is not required if a reasonable investigation determines it is unlikely that personal information has been or will be misused for identity theft or fraud.
  • Breached third parties must notify and cooperate with relevant data owners or licensees immediately following discovery of the breach.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies. 
  • Civil penalties include fines of no more than $2,500 for a violation or violations concerning a specific consumer, and no more than $100,000 in the aggregate for related violations concerning more than one consumer.

Vermont

Vermont Statutes Annotated 9-2430 and 2435

  • Enacted in 2006, Vermont’s data breach notification law requires entities that own or license computerized personal information relating to individuals residing in Vermont to notify them of the unauthorized acquisition of their personal information. 
  • Notice must be made without unreasonable delay, no later than 45 days after the discovery or notification of the breach. 
  • The Attorney General or the Department of Financial Regulation must be notified of any breach within 14 days of its discovery or the date on which affected individuals were notified.
  • Notice is not required if the entity establishes that misuse of personal information is not reasonably possible, and the entity provides this determination along with a detailed explanation for said determination to the Attorney General, or to the Department of Banking, Insurance, Securities, and Health Care Administration.
  • If more than 1,000 Vermont residents must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.  
  • Breached third parties must notify relevant data owners or licensees immediately following discovery of the breach.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are those that are subject to the National Credit Union Administration’s Final Guidance on Response Programs for Unauthorized Access to Member Information and Member Notice.

Virginia

Virginia Code 18.2-186.6 and 32.1-127.1:05

  • Enacted in 2008, Virginia’s data breach notification law requires entities that own or license computerized personal information to notify Virginia residents of any unauthorized acquisition of their unencrypted and unredacted personal information that could cause identity theft or fraud.
  • Notice must be made without unreasonable delay. The Attorney General must also be notified.
  • If health information is involved, the Commissioner of Health must also be notified. 
  • If more than 1,000 individuals must be notified, breached entities must also inform all nationwide consumer reporting agencies and the Attorney General of the timing, distribution and content of the notice.
  • Breached third parties must notify relevant data owners or licensees without unreasonable delay following discovery of the breach.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes. 
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies.       
  • Entities that comply with HIPAA, the GLBA or relevant federal or state regulations are also deemed to comply with this law.
  • The Attorney General may impose a civil penalty not to exceed $150,000 per breach discovered in a single investigation. (This provision does not apply to health information breaches.)

Washington

Washington Revised Code 19.255.010

  • Enacted in 2005, Washington’s data breach notification law requires entities that own or license personal information to notify Washington residents of unauthorized acquisition of unsecured personal information. 
  • Notice must be made without unreasonable delay, no later than 45 calendar days after discovery of the breach. 
  • Notice is not required if the breach is not reasonably likely to subject consumers to a risk of harm.
  • If more than 500 Washington residents must be notified, the entity must also electronically submit a sample copy of the breach notification to the Attorney General, along with the number of Washington consumers affected by the breach.
  • Breached third parties must notify relevant data owners or licensees immediately following discovery of the breach.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • HIPAA covered entities and entities that maintain their own notification procedures are deemed to comply with the notification requirements of this law.

West Virginia

West Virginia Code 46A-2A-101

  • Enacted in 2008, West Virginia’s data breach notification law requires entities that own or license computerized personal information to inform West Virginia residents of the unauthorized access and acquisition of their unencrypted and unredacted personal information that could cause identity theft or fraud.
  • Notice must be made without unreasonable delay. 
  • Breached third parties must notify relevant data owners or licensees as soon as practicable following discovery of the breach.
  • If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Entities which maintain their own notification procedures as part of an information security policy consistent with state law are deemed to comply with the notification requirements of this law if the entity makes notifications in accordance with its policies. 
  • Financial institutions compliant with the Federal Interagency Guidance Response Programs for Unauthorized Access to Consumer Information and Customer Notice are deemed to comply with this law, as are those that comply with relevant regulations.

Wisconsin

Wisconsin Statutes 134.98

  • Enacted in 2006, Wisconsin’s data breach notification law requires entities that maintain or license personal information in Wisconsin to make reasonable efforts to notify affected individuals of the unauthorized acquisition of their unencrypted and unredacted personal information if there is a material risk of identity theft or fraud to the affected individual.
  • Notice must be made within a reasonable time, not to exceed 45 days after discovery of the breach.
  • If more than 1,000 individuals must be notified, breached entities must also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis.
  • Breached third parties must notify relevant data owners or licensees as soon as practicable.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • HIPAA-covered entities and those that are compliant with Title V of the GLBA are deemed to comply with this law.

Wyoming

Wyoming Statutes 40-12-501

  • Enacted in 2007, Wyoming’s data breach notification law requires entities that conduct business in Wyoming and own or license computerized personal information relating to Wyoming residents, to notify affected individuals of any unauthorized acquisition of personal information that may cause loss or injury to the resident. 
  • Notice must be made without unreasonable delay, and as soon as possible after an investigation determines personal information has been or is reasonably likely to be misused. 
  • Breached third parties must notify relevant data owners or licensees as soon as practicable. If breached third parties do not agree to notify affected individuals, the responsibility of notification falls on the data owner or licensee.
  • Substitute notice is permitted in specific circumstances and notification may be delayed for law enforcement purposes.
  • Financial institutions that maintain notification procedures compliant with certain other laws are deemed to comply with this law.
  • Health care organizations in compliance with HIPAA are deemed to comply with this law.

A note on consumer reporting agencies

15 U.S.C. Section 1681a(p) is cited by many state laws. It states:

The term ‘consumer reporting agency that compiles and maintains files on consumers on a nationwide basis’ means a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity, each of the following regarding consumers residing nationwide:

  1. Public record information.
  2. Credit account information from persons who furnish that information regularly and in the ordinary course of business.

Compliance

Complying with the many state data breach notification laws can be complex. Implementing and maintaining an Information Security Management System (ISMS) as laid out in ISO 27001, the international information security management Standard, helps organizations meet a host of related legislative and regulatory requirements.

The latest version of the Standard, ISO 27001:2013, is straightforward to follow and has been developed with business in mind. It presents a comprehensive and logical approach to developing, implementing and managing an ISMS, and provides associated guidance for conducting risk assessments and applying the necessary risk treatments. ISO 27001:2013 has also been developed to harmonize with other ISO management system standards, so that audits against several standards can be integrated rather than conducted separately.

Furthermore, the additional external validation demonstrated by accredited registration to ISO 27001 will improve an organization’s cyber security posture while providing a higher level of confidence in customers and stakeholders, which is essential for securing certain global and government contracts.

IT Governance, a specialist in the field of information security, has created ISO 27001 packaged solutions to give US organizations online access to world-class expertise.

Each fixed-priced solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.

Alan Calder, Founder and Executive Chairman of IT Governance, commented: “If understood and implemented correctly, ISO 27001 can help to rationalize security expenditure and reduce the impact of cyber crime, while giving a business a competitive edge.”