The Great Big List of Data Privacy Laws by State

Written by Noah Ramirez, JD / CIPP | December 18, 2019

The United States of America has 50 states, and all of them have at least one state data privacy law. This is a great big list of data privacy laws by state. If we have missed any state privacy laws, or if you believe any of these state privacy laws may be incorrect, please get in touch.

Alabama

  1. Data Breach Notification
    1. If a Data Collector or third-party processor reasonably believes that a data breach has occurred, the entity must report the breach to consumers “as expeditiously as possible and without unreasonable delay.” If a third-party data processor discovers the breach, the contracting entity has 45 days to disclose the breach.
      1. A data breach is defined as an unauthorized person gaining access to sensitive personal information. This includes data like a Social Security number, driver’s license number, passport number, and banking information.
    2. If the breach affects more than 1,000 consumers within the state of Alaska, the business must report the breach to the Attorney General of Alaska and the major consumer reporting agencies. Failure to report the breach leaves the business open to liability under the Deceptive Trade Practices Act.

Alaska
  1. Data Breach Notification
    1. A business must notify consumers if it discovers a data breach. The business does not have to notify consumers if it investigates the breach and reasonably believes that no harm will come to any consumers affected by the breach. The business must notify the authorities and keep the records of the investigation for 5 years. Notice of the breach must be given expeditiously.
      1. The scope of this act is all sensitive personal information. This includes data like a Social Security number, driver’s license, passport number, and banking information. It is not considered a breach if the information is encrypted.
    2. The penalty for breaching this act is the lesser of $500 per resident or $50,000 per incident. Additionally, consumers are entitled to seek injunctive relief and recover additional damages.
  2. Protection of Social Security Number
    1. SSNs cannot be made available to the public. Also, businesses cannot require an SSN to access any products or services. Businesses are prohibited from printing an SSN on information mailed to a consumer unless required by law. Similarly, the disclosure, sale, lease, loan, or trade of an SSN is prohibited unless otherwise authorized.
  3. Disposal of Records
    1. Businesses must take reasonable measures to protect against unauthorized access to, or use of, personal information when disposing of records. Businesses must implement compliance and monitoring policies that require the destruction of personal information. Businesses can contract with a third party to handle disposal of personal information, and doing so relieves the contracting business of liability.
  4. Truncation of Card Information
    1. Businesses cannot print or sell a device that prints more than the last four digits of a credit or debit card. Knowing violations of this section are subject to a $3,000 fine plus any actual damages, court costs, and reasonable attorney’s fees.

Arizona
  1. Data Breach Notification
    1. If a business is responsible for unencrypted and unredacted personal information and becomes aware of a security incident, the business must investigate to determine whether there has been a security breach. If it is determined that there has been a breach, the business must notify the affected individuals within 45 days of the determination.
    2. If the breach affects greater than 1,000 Arizona individuals the business is required to notify the three largest nationwide consumer reporting agencies. The business must also notify the state’s attorney general in writing.
      1. A third party data processor must notify the data controller and provide any applicable records and associated information at the request of the data controller.

Arkansas

  1. Disposal of Records
    1. Businesses must take all reasonable steps to destroy or arrange for destruction of consumer records containing personal information once the data is no longer needed. This can be accomplished by shredding, erasing, or modifying the information to make it unreadable or undecipherable.
      1. Liability is passed on by contracting with a third party to dispose of personal data.
  2. PI Security Requirements
    1. Businesses that acquire, own, or license personal information about Arkansas residents must implement and maintain reasonable security procedures and practices to protect against unauthorized access, destruction, use, modification, or disclosure.
  3. Data Breach Notification
    1. A business must disclose any data security breaches to the affected consumers “without unreasonable delay.” This does not apply to encrypted information. Notification is not required if a reasonable investigation finds that there is no likely harm to consumers.
      1. The business is only required to report the breach if there is a reasonable belief that the data was actually acquired by an unauthorized person. In some cases notification is required if an unauthorized person had access. The difference here is that there could be a security gap where an unauthorized person could have access, but unless there is a reasonable belief that the unauthorized person actually acquired the information the business is not required to notify consumers.
      2. Also missing from this statute is a defined deadline for the business to provide notice of the security breach.
    2. A business is not required to provide written notice if the cost of providing notice exceeds $250,000 or the number affected exceeds 500,000. Additionally, a business that maintains its own notification procedures as part of a broader security policy will be in compliance with this statute by following its own procedures.

California

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach. A business that maintains its own notification procedures will be deemed to be compliant in its timeliness of notification if it adheres to its own written policy. Third party data collectors must report the security breach to the contracting business.
      1. California has a breach notification format that must be followed when notifying consumers. That form is set out in Cal. Civ. Code § 1798.82.
    2. For a breach affecting greater than 500 California residents, businesses must notify the Attorney General. The Attorney General is empowered to seek civil penalties and recover damages on behalf of affected consumers.
  2. California Consumer Privacy Act
    1. California has recently passed the CCPA. Read about the CCPA and view the original text of the CCPA.

Colorado

  1. Disposal of Records
    1. Businesses must develop and implement a written policy to ensure that PI is destroyed when it is no longer required. A business is compliant if it follows the guidelines established by another state in which the business operates.
      1. Acceptable methods of destruction are shredding, erasing, modifying, or making unreadable or indecipherable.
  2. PI Security Requirements
    1. Businesses are required to take reasonable security measures to protect against unauthorized access, use, modification, disclosure, or destruction of any personal information that the business maintains, owns, or licenses. Businesses must also require third-party service providers to provide the same level of protection, or agree to provide that protection on the third-party service provider’s behalf. If the business is regulated by another state or federal law with which the business is compliant, the business will be in compliance with this statute.
  3. Data Breach Notification
    1. Businesses are required to notify affected Colorado residents when the business reasonably believes that an unauthorized person has acquired unencrypted personal information. Notice should take place without unreasonable delay, but not later than 30 days after a determination that a breach has occurred. The business is not required to notify residents if, after conducting a brief good faith investigation, the business determines that Colorado residents are not reasonably likely to be affected.
      1. If the breach only involves encrypted data, a business is only required to provide notice if the encryption key or some other means to decipher the secured information was also reasonably believed to have been acquired.
    2. If a third-party service provider discovers a security breach, it must notify the contracting business without unreasonable delay and cooperate with the business. This includes sharing information relevant to the breach, but it does not require the disclosure of confidential business information or trade secrets.
    3. If the number of affected residents is greater than one thousand then the business must provide notice to all consumer reporting agencies that operate on a nationwide basis.
    4. Violations of this section may expose the business to civil liability from the affected residents. The business may also face civil and criminal liability from the attorney general’s office.

Connecticut

  1. SSN Restrictions
    1. Businesses are prohibited from publicly posting or displaying an individual’s SSN. It is also prohibited to require an individual to provide an SSN to access a website unless other authentication is required before the SSN is requested. Businesses that collect SSNs must create a privacy policy that is published and publicly displayed.
      1. Publicly posting and displaying refers to things like printing an SSN on a card required to access products or services.
      2. It is also prohibited to require an individual to transmit such individual’s SSN over the internet unless the connection is secure or the SSN is encrypted.
      3. The SSN policy must state that the confidentiality of SSNs is protected, that unlawful disclosure of SSNs is prohibited, and that access to SSNs is limited.
    2. Violations of this statute are prosecuted by the attorney general. The first offense is a penalty of $100. The second is $500. Each ensuing offense carries a penalty of $1,000 and/or 6 months imprisonment. Civilly, the attorney general can seek damages of $500 for each offense, but the civil penalties are not to exceed $500,000 for any single event.
  2. PI Security Requirements
    1. Businesses are required to protect consumers’ personal information from misuse by third parties. Data must be destroyed, erased, or made unreadable before disposal.
      1. Personal information is defined as information that is capable of being associated with a particular individual through one or more identifiers. (SSN, driver’s license number, etc.)
    2. The penalty for a violation of this section is $500 per violation, but the total cannot exceed $500,000 for any single event. Businesses are not liable under this statute if the breach was unintentional.

Delaware

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. Third-party data collectors must give notice and cooperate with the business responsible for the personal information.
      1. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
      2. Personal information in this statute means the first or last name or initial combined with an SSN, driver’s license, passport number, or other similar information.
    2. Notice should be provided without unreasonable delay, but it must be provided within 60 days of the date that the breach was discovered. For a breach of greater than 500 people, notice must also be provided to the Attorney General. If an SSN is reasonably believed to have been included in the breach, the business must provide credit monitoring services at no charge for a period of one year after the breach, and the business must provide the consumer information on how to obtain a credit freeze. These additional services are not required if an appropriate investigation determines that the breach is unlikely to result in additional harm to the individuals affected.
    3. The Attorney General is empowered to bring civil actions against businesses in violation of this statute, but there are no mandatory fines or limits on the business’s liability. Additionally, this statute does not modify the rights of the affected consumers.
  2. Insurance Data Security Act
    1. Insurers must provide a comprehensive, written information security program based on a risk assessment by the insurer that contains administrative, technical, and physical safeguards for the protection of personal information of consumers. The security program must be proportionate to the size and complexity of the insurer’s organization, the nature and scope of the insurer’s activities, use of third-party service providers, and the sensitivity of the information the insurer maintains.
    2. The insurer’s security program must be designed to do the following:
      1. Protect personal information and the security of the program;
      2. protect against threats to personal information and the program;
      3. protect against unauthorized access and limit the likelihood of harm to a consumer;
      4. create and periodically reevaluate a schedule for retention and mechanism for destruction of personal information when the information is no longer needed;
      5. In order to mitigate risks, the insurer must also:
        1. Designate one or more employees or contract with a third party to oversee the security program;
        2. Identify reasonably foreseeable threats that could cause unauthorized access, transmission, disclosure, misuse, alteration, or destruction of personal information including the security of an information system or personal information that a third party holds or can access. The insurer must also assess the likelihood of this occurring, and ensure that there are policies and procedures in each area of the insurer’s operation to prohibit this.
        3. As part of ensuring that policies and procedures are in place, the insurer must assess their employee training and management, information systems, detection, prevention, and response to attacks and intrusion.
    3. This is a newly passed act, and it will likely take some time for Delaware insurance regulators to determine which practices are in compliance with it. There are dozens more requirements than those listed here, which are omitted for the sake of brevity; insurers operating within the state of Delaware should have subject matter experts and attorneys on hand to help meet the rigorous requirements mandated by this act.

Florida

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. Third-party data collectors must give notice and cooperate with the business responsible for the personal information.
      1. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
      2. Personal information in this statute means the first or last name or initial combined with an SSN, driver’s license, passport number, or other similar information.
    2. Notice should be provided without unreasonable delay, but it must be provided within 30 days of the date that the breach was discovered. For a breach of greater than 500 people, notice must also be provided to the Attorney General. A business may receive an additional 15 days to provide notice to the Attorney General if good cause for the delay is provided in writing within the original 30-day window.

Georgia

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
    2. The Attorney General and all national credit reporting agencies must be notified for a breach exceeding 10,000 consumers. Violations of this act are prosecuted by the Attorney General under the Fair Business Practices Act. Fines are not to exceed $100 for any specific customer.

Hawaii

  1. Data Breach Notification
    1. If a Data Collector or third-party processor reasonably believes that a data breach has occurred, the entity must report the breach to consumers “as expeditiously as possible and without unreasonable delay.” If a third-party data processor discovers the breach, the contracting entity has 45 days to disclose the breach.
      1. A data breach is defined as an unauthorized person gaining access to sensitive personal information. This includes data like a Social Security number, driver’s license number, passport number, and banking information.
    2. If the breach affects more than 1,000 consumers within the state of Alaska, the business must report the breach to the Attorney General of Hawaii and the major consumer reporting agencies. All nationwide credit reporting agencies must also be notified. Violations of this statute are subject to a fine of up to $2,500 per violation.

Idaho

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
    2. There is no requirement for private businesses to notify the Attorney General. Similarly, there is no upper limit on the amount of time a business has to disclose a breach. Violations will be punished by a fine of up to $25,000 per breach.

Illinois

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay and in fewer than 45 days. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
      1. Notification to affected individuals must include a toll-free number and addresses for consumer reporting agencies and the Federal Trade Commission. It must also include a statement about obtaining security freezes and fraud alerts from these sources.
    2. If a data breach affects 500 or more residents the business must notify the Attorney General. A violation of this statute constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. The Attorney General and the affected consumer have the ability to file a civil suit against the business under that cause of action.
  2. Disposal of Personal Records
    1. Businesses must take reasonable measures to protect against unauthorized access to, or use of, personal information when disposing of records. Businesses must implement compliance and monitoring policies that require the destruction of personal information. Businesses can contract with a third party to handle disposal of personal information, and doing so relieves the contracting business of liability.
    2. A violation of this statute is subject to a fine of up to $100 per consumer affected by improper disposal but limited to $50,000 per instance of improper disposal.
  3. Data Security Measures
    1. Businesses that acquire, own, or license personal information about Arkansas residents must implement and maintain reasonable security procedures and practices to protect against unauthorized access, destruction, use, modification, or disclosure.

Indiana

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
    2. If more than 1,000 consumers are affected, the business must notify the attorney general and each consumer reporting agency of the breach. A violation of this statute is considered a deceptive act, and is subject to a civil penalty not to exceed $150,000.
  2. Disposal of Personal Records
    1. Businesses must take reasonable measures to protect against unauthorized access to, or use of, personal information when disposing of records. Businesses must implement compliance and monitoring policies that require the destruction of personal information. Businesses can contract with a third party to handle disposal of personal information, and doing so relieves the contracting business of liability.
  3. Data Security Measures
    1. Businesses that acquire, own, or license personal information about Arkansas residents must implement and maintain reasonable security procedures and practices to protect against unauthorized access, destruction, use, modification, or disclosure.

Iowa

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach. Notification is not required if after an appropriate investigation or consultation the business determines that there is no reasonable likelihood of harm to the affected consumers.
    2. For a breach that affects greater than 500 consumers, the business must notify the Attorney General within five days of notifying the affected consumers. A violation of this statute is considered an unlawful practice, and the business is subject to civil litigation from both the affected consumers and the Attorney General under the Iowa Consumer Protection Act.

Kansas

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach. Notification is not required if after an appropriate investigation or consultation the business determines that there is no reasonable likelihood of harm to the affected consumers.
    2. For a breach affecting greater than 1,000 consumers, the business must notify all national consumer reporting agencies without unreasonable delay. The Attorney General has discretion as to seeking remedies for violations of this statute. In the case of an insurance company, the insurance commissioner has sole authority to penalize violations.

Kentucky

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. A business that maintains its own notification procedures will be deemed to be compliant in its timeliness of notification if it adheres to its own written policy. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach. Notification is not required if after an appropriate investigation or consultation the business determines that there is no reasonable likelihood of harm to the affected consumers.
    2. For a breach affecting greater than 1,000 consumers, the business must notify all nationally operating consumer reporting agencies and credit bureaus. A violation of this statute allows the affected consumers to bring a civil action against the business. The rights and remedies of the consumer are cumulative: being awarded damages for one cause of action does not prevent the consumer from being awarded damages for other causes of action stemming from the same incident.
  2. Disposal of Records
    1. The business must take reasonable steps to destroy or arrange for the destruction of consumer records that are no longer needed. The information can be disposed of through shredding, erasing, or otherwise modifying the personal information to be made unreadable or indecipherable through any means.

Louisiana

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach. Notification is not required if after an appropriate investigation or consultation the business determines that there is no reasonable likelihood of harm to the affected consumers. The business must make the determination in writing and retain the written determination for 5 years following the breach, and, if requested, the business must send a copy of the written determination to the Attorney General within 30 days of the request.
    2. A violation of this statute may result in a civil action filed by a consumer to recover actual damages resulting from the business’s failure to disclose the breach in a timely fashion.
  2. Disposal of Records
    1. The business must take reasonable steps to destroy or arrange for the destruction of consumer records that are no longer needed. The information can be disposed of through shredding, erasing, or otherwise modifying the personal information to be made unreadable or indecipherable through any means.

Maine

  1. Data Breach Notification
    1. If a business engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring or communicating personal information for the primary purpose of furnishing personal information to nonaffiliated 3rd Parties, that business is an “information broker.” If an information broker suffers a security breach, the information broker must notify consumers if, after a good faith and prompt investigation, the information broker determines that personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.
    2. For businesses that are not classified as information brokers, consumers must be notified after the discovery of a security breach if there is a reasonable belief that the personal information has been, or will be, misused. If a good faith and prompt investigation determines that misuse is unlikely then notification is not required.
    3. If a breach requires notification of more than 1,000 consumers the business must notify all nationally operating consumer reporting agencies without unreasonable delay. The notification must include the date of the breach, an estimate of the number of consumers affected, and the actual or anticipated date that the consumers will be notified of the breach. For any breach that requires notifying consumers, the business must also notify the appropriate state regulators within the Department of Professional and Financial Regulation. If the business is not regulated by this department, the business must notify the Attorney General. A violation of this statute is subject to a fine of $500 per violation up to $2,500 per day that the business is in violation of the statute. The business is also subject to equitable relief and enjoinment from further violations. The remedies granted do not prevent consumers from other rights and remedies under state and federal law.

Maryland

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. Third-party data collectors must give notice and cooperate with the business responsible for the personal information.
      1. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
      2. Personal information in this statute means the first or last name or initial combined with an SSN, driver’s license, passport number, or other similar information.
    2. Notice should be provided without unreasonable delay, but it must be provided within 30 days of the date that the breach was discovered. For a breach of greater than 500 people, notice must also be provided to the Attorney General.

Massachusetts

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
    2. A sample of the notice to be sent to affected consumers must also be sent to the attorney general. If a SSN was disclosed in the security breach, the business must provide free credit monitoring services to the affected consumer for 18 months. The attorney general may bring an action against the business for a violation of this statute.
  2. Data Security
    1. If a business complies with federal regulations regarding the safeguarding of personal information, the business is also in compliance with the regulations of the department of consumer affairs and business regulation. Additionally, the supervisor of records sets regulations regarding technological requirements for data security.

Michigan

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
    2. If a business knowingly fails to provide notice the business will be subject to a fine of up to $250 for each failure to provide notice. The total amount of fines for each breach is not to exceed $750,000. Additionally, for a breach affecting greater than 1,000 consumers a business must notify any nationally operating consumer reporting agencies of the breach.

Minnesota

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. Third party data collectors must give notice and cooperate with the business responsible for the personal information.
      1. Personal information in this statute means the first or last name or initial combined with a SSN, driver’s license, passport number or other similar information.
    2. Businesses cannot retain bank or credit card data for more than 48 hours after a consumer uses the card to make a purchase. If there is a breach that involves card data or a violation of this statute, the business must reimburse the financial institution for expenses connected with the following:
      1. The cancellation and reissuance of credit/debit cards;
      2. The closure of any deposit, transaction, share draft, or other accounts affected by the breach and any action to stop payments or block transactions associated with these accounts;
      3. The opening or reopening of any deposit, transaction, share draft, or other accounts affected by the breach;
      4. Any refund or credit made to a cardholder to cover the cost of any unauthorized transaction relating to the breach;
      5. Notification of cardholders affected by the breach.
    3. For any breach affecting more than 500 consumers the business must notify nationally operating consumer reporting agencies within 48 hours of discovery of the breach.

Mississippi

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
    2. A violation of this statute is considered an unfair trade practice, and the business is subject to enforcement by the attorney general. This statute does not create a private right of action for affected consumers.

Missouri

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers. Notification is not required if after an appropriate investigation or consultation the business determines that there is no reasonable likelihood of harm to the affected consumers.
    2. For a breach affecting greater than 1,000 consumers the business must notify the attorney general and all nationally operating consumer reporting agencies without unreasonable delay. The attorney general is empowered to seek damages for an intentional violation of this statute. The penalty is not to exceed $150,000 per breach.

Montana

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. Third party data collectors must give notice and cooperate with the business responsible for the personal information.
      1. Third parties that receive data from state agencies are required to maintain an information security policy and breach notification procedures. These parties must notify the state’s chief information officer and the attorney general in the case of any breach and provide details of the notification to consumers.
    2. A business that stores personal information electronically is required to maintain a security policy for the safeguarding of personal information and breach notification procedures.
      1. Personal information in this statute means the first or last name or initial combined with a SSN, driver’s license, passport number or other similar information.

Nebraska

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. A business that maintains its own notification procedures will be deemed to be compliant in its timeliness of notification if it adheres to its own written policy. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach. Notification is not required if after an appropriate investigation or consultation the business determines that there is no reasonable likelihood of harm to the affected consumers.
    2. For a violation of this statute, the Attorney General may issue subpoenas and seek to recover direct economic damages for every affected consumer.
  2. Data Security
    1. Businesses are required to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure. A business that contracts with a third party service provider must require by contract that the service provider implement and maintain reasonable security procedures.
      1. The procedures must be appropriate to the nature of the personal information disclosed; and
      2. The procedures must be reasonably designed to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.

Nevada

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. A business that maintains its own notification procedures will be deemed to be compliant in its timeliness of notification if it adheres to its own written policy. Third party data collectors must give notice and cooperate with the business responsible for the personal information.
      1. Notification may be delayed if it is necessary to determine the scope of the breach and restore reasonable security to the system.
    2. For a breach affecting greater than 1,000 consumers a business must also notify all nationally operating consumer reporting agencies. Violations of this statute will be prosecuted by the Attorney General.
  2. Disposal of Records
    1. Businesses must take reasonable measures to protect against unauthorized access to, or use of, personal information when disposing of records. Businesses must implement compliance and monitoring policies that require the destruction of personal information. Businesses can contract for a third party to handle disposal of personal information, and this relinquishes all liability from the contracting business.
  3. PI Security Requirements
    1. Businesses that acquire, own, or license personal information about Arkansas residents must implement and maintain reasonable security procedures and practices to protect against unauthorized access, destruction, use, modification, or disclosure.
    2. Businesses that accept card payments must be Payment Card Industry (PCI) compliant. A business will not be liable for damages related to a breach if the business is PCI compliant and the breach is not caused by gross negligence or intentional misconduct of any officers, employees, or agents of the business.

New Hampshire

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. Third party data collectors must give notice and cooperate with the business responsible for the personal information.
    2. All breaches affecting consumers must be reported to the Attorney General unless the business is engaged in trade or commerce. In that instance the regulator which has primary regulatory authority must be notified. For a breach affecting greater than 1,000 consumers a business must also notify all nationally operating consumer reporting agencies. An intentional or knowing violation of this statute allows an affected consumer to be awarded at least 2 but not more than 3 times the actual damages suffered. The statute is enforced by the Attorney General.

New Jersey

  1. Data Breach Notification
    1. A business must notify consumers if it discovers a data breach. Unauthorized access does not constitute a breach if the information accessed was encrypted. The business does not have to notify consumers if the business investigates the breach and reasonably believes that no harm will come to any consumers affected by the breach. The business must notify the authorities and keep the records of the investigation for 5 years. Notice of the breach must be given expeditiously.
      1. The scope of this act is all sensitive personal information. This includes data like a Social Security number, driver’s license, passport number, and banking information. It is not considered a breach if the information is encrypted.
    2. For a breach affecting greater than 1,000 consumers a business must also notify all nationally operating consumer reporting agencies. A violation of this section is considered an unlawful practice under the Consumer Fraud Act of New Jersey and is prosecuted by the Attorney General.
  2. Protection of Social Security Number
    1. SSNs cannot be made available to the public. Also, businesses cannot require a SSN to access any products or services. Businesses are prohibited from printing a SSN on information mailed to a consumer unless required by law. Similarly, the disclosure, sale, lease, loan, or trade of a SSN is prohibited unless otherwise authorized.
  3. Disposal of Records
    1. Businesses must take reasonable measures to protect against unauthorized access to, or use of, personal information when disposing of records. Businesses must implement compliance and monitoring policies that require the destruction of personal information. Businesses can contract for a third party to handle disposal of personal information, and this relinquishes all liability from the contracting business.
  4. PI Security Requirements
    1. Businesses that acquire, own, or license personal information about New Jersey residents must implement and maintain reasonable security procedures and practices to protect against unauthorized access, destruction, use, modification, or disclosure.

New Mexico

  1. Data Breach Notification
    1. Businesses are required to notify affected New Mexico residents when the business reasonably believes that an unauthorized person has acquired unencrypted personal information. Notice should take place without unreasonable delay, but not later than 45 days after a determination that a breach has occurred. The business is not required to notify residents if, after conducting a brief good faith investigation, the business determines that New Mexico residents are not reasonably likely to be affected. If the breach only involves encrypted data, a business is only required to provide notice if the encryption key or some other means to decipher the secured information was also reasonably believed to have been acquired.

New York

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers. Third party data collectors must give notice and cooperate with the business responsible for the personal information.
    2. For a breach affecting greater than 5,000 consumers the business must notify the Attorney General and Equifax, Experian, and TransUnion. A knowing or reckless violation of this statute is subject to a civil penalty of the greater of $5,000 or $10 per consumer up to $150,000.
  2. PI Security Requirements
    1. Businesses that acquire, own, or license personal information about Arkansas residents must implement and maintain reasonable security procedures and practices to protect against unauthorized access, destruction, use, modification, or disclosure.

New York has the infamous New York Shield Law - Read more about New York's Data Privacy Law Here

North Carolina

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. Third party data collectors must give notice and cooperate with the business responsible for the personal information.
      1. Personal information in this statute only includes information that would permit access to a person’s financial account or resources.
    2. The business must also notify the Attorney General without unreasonable delay in the event of a data breach. The notification must include the nature of the breach, the number of consumers affected, steps taken to investigate and prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice. A consumer may only bring a cause of action against the business if the consumer was directly affected by the breach.

North Dakota

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
    2. For a breach affecting greater than 250 consumers, the business must notify the Attorney General. The penalty for a violation of this statute is up to $5,000 per consumer.

Ohio

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay but within 45 days of discovery of the breach. Unauthorized access does not constitute a breach if the information accessed was encrypted. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
    2. The Attorney General is empowered to conduct investigations to determine if a business has declined to notify consumers of a breach. A penalty of up to $5,000 per day of noncompliance can be levied by the Attorney General. After 60 days of noncompliance this penalty increases to $10,000 per day of noncompliance.

Oklahoma

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. A business that maintains its own notification procedures will be deemed to be compliant in its timeliness of notification if it adheres to its own written policy. Third party data collectors must give notice and cooperate with the business responsible for the personal information.
    2. The Attorney General has exclusive authority to bring an action against a violator of this statute. The Attorney General may obtain actual damages or a civil penalty not to exceed $150,000 per breach.

Oregon

  1. Identity Theft Protection
    1. Businesses that store, collect, process, maintain, acquire, use, own, or license personal information are required to implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected. This program must protect against unauthorized access, use, modification, destruction, or disclosure and preserve the confidentiality, integrity, and availability of the information. It is prohibited to retain personal information for a period longer than reasonably required to provide the requested services; meet the purpose it was collected; or align with a written security policy.
    2. If a business discloses personal information to a third party, there must be a written contract that requires the third party to maintain reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected. This program must protect against unauthorized access, use, modification, destruction, or disclosure.
  2. Disposal of Records
    1. A business must destroy all personal information, regardless of medium, in a secure manner.
      1. Some acceptable forms of destruction are shredding, pulverization, incineration, or erasure.
  3. Data Breach Notification
    1. If a business is responsible for unencrypted and unredacted personal information and becomes aware of a security incident, the business must conduct an investigation to determine whether there has been a security breach. If it is determined that there has been a breach, the business must notify the affected individuals as soon as possible or within 45 days of the determination. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired.
    2. For a breach affecting greater than 250 consumers the business must notify the Attorney General. The business must, for all breaches, provide the affected consumers with contact information for national consumer reporting agencies. The burden of notifying the agencies and securing a credit freeze is the responsibility of the affected consumer. A violation of this statute is considered an unlawful practice, and the Attorney General is empowered to seek damages under the Unlawful Business, Trade Practices statute.

Pennsylvania

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted.
    2. If a third party service provider discovers a security breach it must notify the contracting business without unreasonable delay and cooperate with the business. This includes sharing information relevant to the breach but excludes the disclosure of confidential business information or trade secrets.
    3. A violation of this statute is considered an unfair or deceptive act. The Attorney General has sole authority to bring an action under the Pennsylvania Unfair Trade Practices and Consumer Protection Law as remedy for a violation of this statute.
  2. CCPA Clone
    1. Recently Pennsylvania passed its own version of the CCPA. The requirements mirror those of the CCPA, so you can refer to the page that discusses the CCPA at length.

Rhode Island

  1. Identity Theft Protection
    1. Businesses that store, collect, process, maintain, acquire, use, own, or license personal information are required to implement and maintain a risk-based information security program that contains reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected. This program must protect against unauthorized access, use, modification, destruction, or disclosure and preserve the confidentiality, integrity, and availability of the information. It is prohibited to retain personal information for a period longer than reasonably required to provide the requested services; meet the purpose it was collected; or align with a written security policy.
    2. If a business discloses personal information to a third party, there must be a written contract that requires the third party to maintain reasonable security procedures and practices appropriate to the size and scope of the organization; the nature of the information; and the purpose for which the information was collected. This program must protect against unauthorized access, use, modification, destruction, or disclosure.
  2. Disposal of Records
    1. A business must destroy all personal information, regardless of medium, in a secure manner.
      1. Some acceptable forms of destruction are shredding, pulverization, incineration, or erasure.
  3. Data Breach Notification
    1. If a business is responsible for unencrypted and unredacted personal information and becomes aware of a security incident, the business must conduct an investigation to determine whether there has been a security breach. If it is determined that there has been a breach, the business must notify the affected individuals within 45 days of the determination.
    2. For a breach affecting greater than 500 consumers, the business must notify the Attorney General and all major credit reporting agencies without delaying notice to consumers. Each reckless violation is subject to a penalty of up to $100 per consumer. Each knowing violation is subject to a penalty of up to $200 per person. If it is deemed to be within the public interest, the Attorney General is authorized to bring an action against the violator.

South Carolina

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
    2. A consumer affected by a violation of this statute is entitled to recover damages. All damages are recoverable for an intentional or knowing violation, but only actual damages are recoverable for a negligent violation. The Department of Consumer Affairs will levy a fine of up to $1,000 per resident for an intentional violation of this statute.

South Dakota

  1. Data Breach Notification
    1. Businesses are required to notify affected South Dakota residents when the business reasonably believes that an unauthorized person has acquired unencrypted personal information. Notice should take place without unreasonable delay, but not later than 30 days after a determination that a breach has occurred. The business is not required to notify residents if, after conducting a brief good faith investigation, the business determines that South Dakota residents are not reasonably likely to be affected. If the breach only involves encrypted data, a business is only required to provide notice if the encryption key or some other means to decipher the secured information was also reasonably believed to have been acquired.
    2. The Attorney General is empowered to prosecute violations of this statute. Fines are not to exceed $10,000 per day per violation. The Attorney General may also seek attorney’s fees and reasonable costs associated with bringing the action including investigation costs.

Tennessee

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay and in fewer than 45 days. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired.
    2. The Attorney General has the authority to levy fines against violators, and individual citizens have a private right of action against violators.

Texas

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers and the Attorney General without unreasonable delay, and within 60 days of discovery of a breach affecting at least 250 consumers. A business that maintains its own notification procedures will be deemed to be compliant in its timeliness of notification if it adheres to its own written policy. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
    2. For a breach affecting greater than 10,000 consumers the business must notify all nationally operating credit reporting agencies. The Attorney General has the authority to investigate and prosecute violators of this statute. Fines range from $2,000 to $50,000 per violation. Additionally, violators are liable to the state for a civil penalty of $100 per individual affected, but it is not to exceed $250,000. This does not prohibit affected consumers from initiating their own cause of action against the violating business.

Utah

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. A business that maintains its own notification procedures will be deemed to be compliant in its timeliness of notification if it adheres to its own written policy. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. Notification is not required if after an appropriate investigation or consultation the business determines that there is no reasonable likelihood of harm to the affected consumers.
    2. A violation of this statute affecting a single consumer is subject to a fine of up to $2,500. For a violation affecting multiple consumers the fine is at most $100,000 unless there are 10,000 or more affected consumers in Utah and 10,000 or more affected consumers outside of Utah. Additionally, the parties can settle for a greater amount of their own volition.
  2. Disposal of Records
    1. Businesses must take reasonable measures to protect against unauthorized access to, or use of, personal information when disposing of records. Businesses must implement compliance and monitoring policies that require the destruction of personal information. Businesses can contract for a third party to handle disposal of personal information, and this relinquishes all liability from the contracting business.

Vermont

  1. Data Breach Notification
    1. If a business engages in whole or in part in the business of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring or communicating personal information for the primary purpose of furnishing personal information to nonaffiliated third parties, that business is a “data broker.” If an information broker suffers a security breach, the information broker must notify consumers if, after a good faith and prompt investigation, the information broker determines that personal information has been, or is reasonably believed to have been, acquired by an unauthorized person. The broker must also
    2. Businesses are required to notify affected Vermont residents when the business reasonably believes that an unauthorized person has acquired unencrypted personal information. Notice should take place without unreasonable delay, but not later than 45 days after a determination that a breach has occurred. The Attorney General must be notified within 14 business days of discovery of the breach. The business is not required to notify residents if, after conducting a brief good faith investigation, the business determines that Vermont residents are not reasonably likely to be affected. If the breach only involves encrypted data, a business is only required to provide notice if the encryption key or some other means to decipher the secured information was also reasonably believed to have been acquired.
    3. If a breach affects greater than 1,000 consumers the business must notify all nationally operating credit reporting agencies. The Attorney General has sole authority to investigate potential violations of this statute, and the Attorney General and State’s Attorney have authority to enforce these provisions. The penalty is up to $10,000 per violation.
  2. SSN Restriction
    1. A business cannot communicate an SSN to the public or print an SSN on a card required to access or receive services. It is prohibited to require a consumer to use an SSN to access a website unless there are other forms of unique personal identification and authentication. Additionally, an SSN cannot be sent by mail.
  3. Disposal of Personal Records
    1. Businesses must take reasonable measures to protect against unauthorized access to, or use of, personal information when disposing of records. Businesses must implement compliance and monitoring policies that require the destruction of personal information. Businesses can contract for a third party to handle disposal of personal information, and this relinquishes all liability from the contracting business.

Virginia

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers and Attorney General without unreasonable delay. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
      1. If the breach involves an employer or payroll service provider, the business must provide the Attorney General with the taxpayer ID and income tax withheld for all affected employees. The business must also supply the business’s name and federal employer identification number.
    2. A violation of this statute is regulated by the State Corporation Commission. Additionally, the Attorney General may impose a civil penalty of up to $150,000 per breach. This does not prohibit any affected individuals from recovering.
  2. SSN Restriction
    1. A business cannot communicate an SSN to the public or print an SSN on a card required to access or receive services. It is prohibited to require a consumer to use an SSN to access a website unless there are other forms of unique personal identification and authentication. Additionally, an SSN cannot be sent by mail.

Washington

  1. Data Breach Notification
    1. Businesses are required to notify affected Washington residents when the business reasonably believes that an unauthorized person has acquired unencrypted personal information. Notice should take place without unreasonable delay, but not later than 45 days after a determination that a breach has occurred. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach. Notification is not required if after an appropriate investigation or consultation the business determines that there is no reasonable likelihood of harm to the affected consumers.
      1. “Encrypted” in this case means that the security of the information must meet or exceed the standards of the National Institute of Standards and Technology (NIST).
    2. For a breach affecting greater than 500 consumers, the business is required to notify the Attorney General within 30 days of notice of the breach. The notice to the Attorney General must include the number of consumers affected by the breach. If the number is not known, then an estimate will suffice.

West Virginia

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers without unreasonable delay. A business that maintains its own notification procedures will be deemed to be compliant in its timeliness of notification if it adheres to its own written policy. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach. Notification is not required if after an appropriate investigation or consultation the business determines that there is no reasonable likelihood of harm to the affected consumers.
    2. A violation of this statute is considered an unfair or deceptive act and may be enforced by the Attorney General.

Wisconsin

  1. Data Breach Notification
    1. Businesses are required to notify affected Wisconsin residents when the business reasonably believes that an unauthorized person has acquired unencrypted personal information. Notice should take place without unreasonable delay, but not later than 45 days after a determination that a breach has occurred. The business is not required to notify residents if, after conducting a brief good faith investigation, the business determines that Wisconsin residents are not reasonably likely to be affected. If the breach only involves encrypted data, a business is only required to provide notice if the encryption key or some other means to decipher the secured information was also reasonably believed to have been acquired.
    2. If a third-party service provider discovers a security breach it must notify the contracting business without unreasonable delay and cooperate with the business. This includes sharing information relevant to the breach, but it does not require the disclosure of confidential business information or trade secrets.
    3. A knowing violation of this statute is subject to prosecution by the Attorney General.

Wyoming

  1. Data Breach Notification
    1. If there is a security breach that affects the personal information of consumers, the business responsible for the personal information must notify the affected consumers. Unauthorized access does not constitute a breach if the information accessed was encrypted, and the business reasonably believes that the encryption key was not acquired. Third-party data collectors must give notice to, and cooperate with, the business responsible for the personal information.
      1. If the personal data was acquired in good faith by an employee or agent of the business and not used for an unauthorized purpose or subject to further unauthorized disclosure it does not constitute a breach.
      2. Personal information in this statute means the first or last name or initial combined with an SSN, driver’s license, passport number or other similar information.
    2. The Attorney General may seek legal action to address any violations of the statute.