Forensic, General & Medical
Expert Witnesses

Data Breach Laws Across the United States & its Territories


     By Evidence Solutions, Inc. Computer Technology and Digital Forensic Firm

PhoneCall Scott Greene of Evidence Solutions, Inc. at (866) 795-7166


Shortly after Target’s massive data breach in December of 2013, Attorney General Eric Holder released a statement encouraging the United States Congress to pass a federal law which would become the standard for data breach notification. "This would empower the American people to protect themselves if they are at risk of identity theft," Holder said in the statement.
Holder went on to say: "It would enable law enforcement to better investigate these crimes - and hold compromised entities accountable when they fail to keep sensitive information safe."

There is currently no federal law which addresses the actual breaches. A federal law governing data breach notification would be welcome if it were to pre-empt related state laws.

All but three states: Alabama, New Mexico, and South Dakota have data breach laws which specify when and how individual victims of security breaches, that include Personally Identifiable Information (PII), are notified. Included in most of these laws are provisions regarding what type of agencies are covered by the law, the states’ own definition of what constitutes PII and a definition of what constitutes a data breach. Each state also defines their own requirements for notice which usually includes: the timing, the acceptable methods, and who must be notified.

PII usually includes: name, SSN, drivers license or state ID numbers, account numbers, medical or health care information, etc.

Many states have exceptions for encrypted information loss.
State - Data Breach Statute or Code:

Alaska - Stat. § 45.48.010

Arizona - Rev. Stat. § 44-7501

Arkansas - Code § 4-110-101

California - Civ. Code §§ 1798.29, 1798.80

Colorado - Rev. Stat. § 6-1-716

Connecticut - Gen Stat. § 36a-701b

Delaware - Code tit. 6, § 12B-101

District of Columbia - Code § 28- 3851

Florida - Stat. §§ 501.171, 282.0041, 282.318(2)(i) (2014 S.B. 1524, S.B. 1526)

Georgia - Code §§ 10-1-910, -911, -912; § 46-5-214

Hawaii - Rev. Stat. § 487N-1

Idaho - Stat. §§ 28-51-104 to -107

Illinois - ILCS §§ 530/1 to 530/25

Indiana - Code §§ 4-1-11 & 24-4.9

Iowa - Code §§ 715C.1, 715C.2

Kansas - Stat. § 50-7a01

Kentucky - § 365.732, §§ 61.931 to 61.934 (2014 H.B. 5, H.B. 232)

Louisiana - Rev. Stat. § 51:3071 et seq., 40:1300.111 to .116 (2014 H.B. 350)

Maine - Rev. Stat. tit. 10 § 1347

Maryland - Code Com. Law §§ 14-3501 & Md. State Govt. Code §§ 10-1301 to -1308

Massachusetts - Gen. Laws § 93H-1

Michigan - Comp. Laws §§ 445.63, 445.72

Minnesota - Stat. §§ 325E.61, 325E.64

Mississippi - Code § 75-24-29

Missouri - Rev. Stat. § 407.1500

Montana - Code § 2-6-504, 30-14-1701

Nebraska - Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807

Nevada - Rev. Stat. §§ 603A.010 & 242.183

New Hampshire - Rev. Stat. §§ 359-C:19, -C:20, -C:21

New Jersey - Stat. § 56:8-163

New York - New York Gen. Bus. Law § 899-aa & State Tech. Law 208

North Carolina - Gen. Stat §§ 75-61, 75-65

North Dakota - Cent. Code § 51-30-01

Ohio - Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192

Oklahoma - Stat. §§ 74-3113.1, 24-161 to -166

Oregon - Rev. Stat. § 646A.600

Pennsylvania - Stat. § 2301

Rhode Island - Gen. Laws § 11-49.2-1

South Carolina - Code § 39-1-90, 2013 H.B. 3248

Tennessee - Code § 47-18-2107

Texas - Bus. & Com. Code §§ 521.002, 521.053 & Ed. Code § 37.007(b)(5)

Utah - Code §§ 13-44-101

Vermont - Stat. tit. 9 § 2430, 2435

Virginia - Code § 18.2-186.6, § 32.1-127.1:05

Washington - Rev. Code § 19.255.010, 42.56.590

West Virginia - Code §§ 46A-2A-101

Wisconsin - Stat. § 134.98

Wyoming - Stat. § 40-12-501

In addition, the following United States territories also have data breach laws:
Territory - Data Breach Statute or Code:

Guam - GCA § 48-10

Puerto Rico - Laws of Puerto Rico § 4051

Virgin Islands - Code tit. 14, § 2208

Please note: This list is not updated on a regular basis. It is meant as a reference only. Please check each individual state’s Statutes or Codes for the most current information. Links to each state’s laws are provided only as a convenience.

ABOUT THE AUTHOR: Scott Greene of Evidence Solutions, Inc.
For over 30 years, Scott Greene has been helping companies meet the challenges of the swiftly evolving computer technology industry.

Directly from high school, Scott went to work for IBM. Scott studied Systems Engineering at the University of Arizona. He has since earned certifications in many products and programming languages.

The Evidence Solutions team analyzes data from Computers, Cell Phones, Black Boxes, Dispatch Systems, Medical Records, Email systems and more. Scott then explains the digital evidence in plain English.

Scott’s extensive knowledge draws clients to him from all over the United States as well as Internationally for consulting, Forensics and expert witness services. His extensive and diverse experience allows him to be an expert in many facets of digital and electronic evidence. Scott, a sought after speaker and educator, travels throughout the country sharing his knowledge and presenting to local, regional, national and International organizations.

Copyright Evidence Solutions, Inc.

More information about Evidence Solutions, Inc.


While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer.
For specific technical or legal advice on the information provided and related topics, please contact the author.

Find an Expert Witness