Data Breach Laws Across the United States & its Territories
Shortly after Target’s massive data breach in December of 2013, Attorney General Eric Holder released a statement encouraging the United States Congress to pass a federal law which would become the standard for data breach notification. "This would empower the American people to protect themselves if they are at risk of identity theft," Holder said in the statement.
Holder went on to say: "It would enable law enforcement to better investigate these crimes - and hold compromised entities accountable when they fail to keep sensitive information safe."
There is currently no federal law which addresses the actual breaches. A federal law governing data breach notification would be welcome if it were to pre-empt related state laws.
All but three states: Alabama, New Mexico, and South Dakota have data breach laws which specify when and how individual victims of security breaches, that include Personally Identifiable Information (PII), are notified. Included in most of these laws are provisions regarding what type of agencies are covered by the law, the states’ own definition of what constitutes PII and a definition of what constitutes a data breach. Each state also defines their own requirements for notice which usually includes: the timing, the acceptable methods, and who must be notified.
PII usually includes: name, SSN, drivers license or state ID numbers, account numbers, medical or health care information, etc.
Many states have exceptions for encrypted information loss.
State - Data Breach Statute or Code:
Alaska - Stat. § 45.48.010
Arizona - Rev. Stat. § 44-7501
Arkansas - Code § 4-110-101
California - Civ. Code §§ 1798.29, 1798.80
Colorado - Rev. Stat. § 6-1-716
Connecticut - Gen Stat. § 36a-701b
Delaware - Code tit. 6, § 12B-101
District of Columbia - Code § 28- 3851
Florida - Stat. §§ 501.171, 282.0041, 282.318(2)(i) (2014 S.B. 1524, S.B. 1526)
Georgia - Code §§ 10-1-910, -911, -912; § 46-5-214
Hawaii - Rev. Stat. § 487N-1
Idaho - Stat. §§ 28-51-104 to -107
Illinois - ILCS §§ 530/1 to 530/25
Indiana - Code §§ 4-1-11 & 24-4.9
Iowa - Code §§ 715C.1, 715C.2
Kansas - Stat. § 50-7a01
Kentucky - § 365.732, §§ 61.931 to 61.934 (2014 H.B. 5, H.B. 232)
Louisiana - Rev. Stat. § 51:3071 et seq., 40:1300.111 to .116 (2014 H.B. 350)
Maine - Rev. Stat. tit. 10 § 1347
Maryland - Code Com. Law §§ 14-3501 & Md. State Govt. Code §§ 10-1301 to -1308
Massachusetts - Gen. Laws § 93H-1
Michigan - Comp. Laws §§ 445.63, 445.72
Minnesota - Stat. §§ 325E.61, 325E.64
Mississippi - Code § 75-24-29
Missouri - Rev. Stat. § 407.1500
Montana - Code § 2-6-504, 30-14-1701
Nebraska - Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada - Rev. Stat. §§ 603A.010 & 242.183
New Hampshire - Rev. Stat. §§ 359-C:19, -C:20, -C:21
New Jersey - Stat. § 56:8-163
New York - New York Gen. Bus. Law § 899-aa & State Tech. Law 208
North Carolina - Gen. Stat §§ 75-61, 75-65
North Dakota - Cent. Code § 51-30-01
Ohio - Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma - Stat. §§ 74-3113.1, 24-161 to -166
Oregon - Rev. Stat. § 646A.600
Pennsylvania - Stat. § 2301
Rhode Island - Gen. Laws § 11-49.2-1
South Carolina - Code § 39-1-90, 2013 H.B. 3248
Tennessee - Code § 47-18-2107
Texas - Bus. & Com. Code §§ 521.002, 521.053 & Ed. Code § 37.007(b)(5)
Utah - Code §§ 13-44-101
Vermont - Stat. tit. 9 § 2430, 2435
Virginia - Code § 18.2-186.6, § 32.1-127.1:05
Washington - Rev. Code § 19.255.010, 42.56.590
West Virginia - Code §§ 46A-2A-101
Wisconsin - Stat. § 134.98
Wyoming - Stat. § 40-12-501
In addition, the following United States territories also have data breach laws:
Territory - Data Breach Statute or Code:
Guam - GCA § 48-10
Puerto Rico - Laws of Puerto Rico § 4051
Virgin Islands - Code tit. 14, § 2208
Please note: This list is not updated on a regular basis. It is meant as a reference only. Please check each individual state’s Statutes or Codes for the most current information. Links to each state’s laws are provided only as a convenience.
ABOUT THE AUTHOR: Scott Greene of Evidence Solutions, Inc.
For over 30 years, Scott Greene has been helping companies meet the challenges of the swiftly evolving computer technology industry.
Directly from high school, Scott went to work for IBM. Scott studied Systems Engineering at the University of Arizona. He has since earned certifications in many products and programming languages.
The Evidence Solutions team analyzes data from Computers, Cell Phones, Black Boxes, Dispatch Systems, Medical Records, Email systems and more. Scott then explains the digital evidence in plain English.
Scott’s extensive knowledge draws clients to him from all over the United States as well as Internationally for consulting, Forensics and expert witness services. His extensive and diverse experience allows him to be an expert in many facets of digital and electronic evidence. Scott, a sought after speaker and educator, travels throughout the country sharing his knowledge and presenting to local, regional, national and International organizations.
Copyright Evidence Solutions, Inc.
Disclaimer: While every effort has been made to ensure the accuracy of this publication, it is not intended to provide legal advice as individual situations will differ and should be discussed with an expert and/or lawyer.For specific technical or legal advice on the information provided and related topics, please contact the author.