
Data Breach Laws: A State-by-State Framework

By Matt Jolley | Sunday, September 26, 2021

What you need to know for compliance coast-to-coast.


Back in 2020 we posted an article containing links to data breach laws from each state, and it has proven to be one of our more popular posts.  Because laws surrounding the use (and abuse) of technology are always evolving, we thought it was worth taking another look at this list to make sure it is still up to date.

During our review, we discovered that while many states have introduced pending legislation to amend their existing data breach laws so far in 2021, only Georgia, North Dakota and Utah have implemented changes.  Because the content of a piece of legislation can change dramatically during the legislative process, we will not detail proposed laws, but we will note where new legislation is pending.

While compiling this list we found many similarities between each state’s legislation; for example, many states do not apply their specific laws to organizations that already must comply with federal legislation such as HIPAA or GLBA.  Despite these similarities, not every state is the same, which is why we’re providing the following list.

Please note: While we have made an effort to make sure this information is accurate, we are not a legal firm and this list is only intended to be a jumping-off point for your own research into the subject.  As always, any policy decisions you make regarding compliance with legal statutes should be made with the advice of a lawyer.

Alabama: SB 318 – Requires notification in writing no later than 45 days after discovery of a breach.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Alaska: Statute 45.48.010 – Requires notification “without reasonable delay” of any breach that may have resulted in unauthorized acquisition of personal information.

Arizona: Statute 18-545 – Requires notification within 45 days, unless the breach is not likely to result in “substantial economic loss” to those impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law. 2021 Update: New legislation is pending, however it appears to apply to educational institutions only.

Arkansas: Code 4-110-101 – Requires notification “without unreasonable delay” unless there is no reasonable likelihood of harm.  Notification may be delayed for law enforcement purposes.

California: Civil Code 1798:29 – Requires notification “without unreasonable delay,” and also requires notification of the state Attorney General if more than 500 customers are impacted.  Businesses in violation are subject to civil action by those impacted by the breach.  2021 Update: Multiple pieces of legislation are pending, which may impact reporting requirements.

Colorado: Statute 6-1-716 – Requires notification no later than 30 days after determination of a breach, along with notification of the state Attorney General if more than 500 customers are impacted.  Organizations in compliance with their own state’s regulations are deemed to be in compliance with this law.

Connecticut: Statute 36a-701b – Requires notification no later than 90 days after determination of a breach, including notification of the state Attorney General.  Organizations in compliance with their own state’s regulations are deemed to be in compliance with this law.  2021 Update: New legislation expanding current laws is pending.

Delaware: Code Title 6, Chapter 12B – Requires notification no later than 60 days after determination of a breach, unless the breach is unlikely to result in harm to those impacted.  Organizations with their own notification policy are deemed to be in compliance with this law, as long as notification is provided within 60 days.

Florida: Statute 501.171 – Requires notification no later than 30 days after determination of a breach, along with notification of the state Department of Legal Affairs if more than 500 customers are impacted.  Failure to notify can result in fines of $1,000 for each day the breach remains undisclosed.

Georgia: Code 10-1-912 – Requires notification “without unreasonable delay,” along with notification of all nationwide consumer reporting agencies if more than 10,000 customers are impacted.  2021 Update: HB 156 was passed, however it appears to only require government agencies and public utilities to report cybersecurity attacks to the Department of Homeland Security, along with allowing for reporting exemptions to protect national security.

Hawaii: Statute 487N-1 – Requires notification “without unreasonable delay,” along with notification of the state Office of Consumer Protection if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.  2021 Update: Pending legislation aims to expand the state’s definition of “personal information.”

Idaho: Code 28-51-104 – Requires notification “in the most expedient time possible.”  Organizations with their own notification policies are deemed to be in compliance with this law, as long as that policy is followed.

Illinois: 815 ILCS 530 – Requires notification “without unreasonable delay.”  Organizations may develop their own notification policy so long as it complies with the state law.  2021 Update: Pending legislation would require notification of the Attorney General of any state that an impacted customer resides in, along with the customers themselves.

Indiana: Code 4-1-11, 24-4.9 – Requires notification “without unreasonable delay” if the breach could result in identity theft or fraud.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Iowa: Code 715C.1 – Requires notification “without unreasonable delay,” along with notification of the state Attorney General if more than 500 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Kansas: Statute 50-7a01 – Requires notification “without unreasonable delay” unless personal information is unlikely to be abused.  If more than 1,000 customers are impacted, all nationwide consumer reporting agencies must be notified as well.

Kentucky: Statute 365.732 – Requires notification “without unreasonable delay” unless personal information is unlikely to be abused.  If more than 1,000 customers are impacted, all nationwide consumer reporting agencies must be notified as well.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Louisiana: Statute 51:3071 – Requires notification no later than 60 days after a breach has been discovered, unless there is no likelihood of harm to those impacted.  Notification of the state Attorney General is also required if consumers must be notified.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Maine: Statute 1346 – Requires notification “without unreasonable delay,” along with notification of the state Attorney General, unless there is no reasonable likelihood the information will be abused.

Maryland: Commercial Code 14-3501 – Requires notification no later than 45 days after discovery of a breach.  The state Attorney General must be notified before customers.  Organizations in compliance with GLBA are deemed to be in compliance with this law.  2021 Update: Pending legislation would extend protections to biometric data.

Massachusetts: General Law 93H – Requires notification “without unreasonable delay,” along with notification of the state Attorney General.  Organizations in compliance with GLBA are deemed to be in compliance with this law.  2021 Update: Pending legislation aims to expand the definition of “personally identifying information.”

Michigan: Statute 445.63 – Requires notification “without unreasonable delay,” unless the breach is not likely to cause substantial loss or injury to those impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.  2021 Update: Pending legislation would extend reporting requirements for state agency database breaches.

Minnesota: Statute 325E.61 – Requires notification “without unreasonable delay,” along with notification of all nationwide consumer reporting agencies if more than 500 customers are impacted.  2021 Update: Pending legislation would impose new data handling rules for government agencies.

Mississippi: Code 75-24-29 – Requires notification “without unreasonable delay,” unless the breach is not likely to cause substantial loss or injury to those impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Missouri: Statute 407.1500 – Requires notification “without unreasonable delay,” unless there is no likelihood of identity theft or fraud.  Notification of the state Attorney General and all nationwide consumer reporting agencies is required if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.  2021 Update: Legislation relating to the protection of personal information is pending.

Montana: Code 30-14-1704 – Requires notification “without unreasonable delay,” along with notification of the state Attorney General and consumer reporting agencies.

Nebraska: Statute 87-801 – Requires notification “without unreasonable delay,” unless it is unlikely the disclosed information will be abused.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Nevada: Statute 603A.010 – Requires notification “without unreasonable delay,” along with notification of all consumer reporting agencies if more than 1,000 customers are impacted.  2021 Update: Pending legislation would expand what constitutes personal information, including user names, passwords and security questions.

New Hampshire: Statute 359-C:20 – Requires notification “as soon as possible,” along with notification of the state Attorney General and all consumer reporting agencies if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are not bound by this law.

New Jersey: Statute 56:8-163 – Requires notification “without unreasonable delay,” unless misuse of the information is not reasonably possible.  Prior to notification of customers, the State Police department of Law and Public Safety must be notified.  2021 Update: Pending legislation would expand what constitutes personal information.

New Mexico: HB 15 – Requires notification no later than 45 days after discovery of a breach.  If more than 1,000 customers are impacted, notification of the state Attorney General and all nationwide consumer reporting agencies is also required.  Organizations in compliance with GLBA are exempt from this law.

New York: General Business Law 899-aa – Requires notification “without unreasonable delay” after a breach is discovered.  Additionally, the state Attorney General, Consumer Protection Board, State Police and Office of Information Technology Services must also be notified.  If more than 5,000 customers are impacted, consumer reporting agencies must also be notified.  2021 Update: Multiple pieces of legislation are pending, which could require that identity theft protection be provided for impacted customers, impose a five-day reporting deadline and expand protections of personal information.

North Carolina: Statute 75-61 – Requires notification “without unreasonable delay” after a breach is discovered.  The state Attorney General’s office must be notified, as well as all nationwide consumer reporting agencies if more than 1,000 customers have been impacted.

North Dakota: Code 51-30-01 – Requires notification “without unreasonable delay,” along with notification of the state Attorney General if more than 250 customers are impacted.  Organizations may maintain their own notification policies so long as they comply with state law.  2021 Update: HB1314 was passed, requiring organizations to notify the North Dakota Information Technology Department of breaches.

Ohio: Revised Code 1349.19 – Requires notification within 45 days after discovery of a breach.  If more than 1,000 customers are impacted, all nationwide consumer reporting agencies must be notified as well.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Oklahoma: Statute 161 – Requires notification “without unreasonable delay” after discovery of a breach.  Organizations may maintain their own notification policies so long as they are in compliance with state law.

Oregon: Statute 646A.600 – Requires notification no later than 45 days after discovery of a breach.  The state Attorney General must also be notified if more than 250 customers are impacted.  If more than 1,000 customers are impacted, all nationwide consumer reporting agencies must also be notified.  Organizations in compliance with GLBA are deemed to be in compliance with this law.  2021 Update: Pending legislation would extend reporting requirements to tax preparers.

Pennsylvania: Statute 73-2301 – Requires notification “without unreasonable delay,” along with notification of all nationwide consumer reporting agencies if more than 1,000 customers are impacted.  2021 Update: Pending legislation would expand the definitions of breach and personal information, and impose new restrictions on state government agencies.

Rhode Island: General Law 11-49.3 – Requires notification no later than 45 days after discovery of a breach.  If more than 500 customers are impacted, the state Attorney General and all major credit reporting agencies must also be notified.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

South Carolina: Code 39-1-90 – Requires notification “without unreasonable delay” after discovery of a breach.  The state Department of Consumer Affairs must be notified if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

South Dakota: SB 62 – Requires notification within 60 days of discovering a breach.  Consumer reporting agencies must also be notified of the breach.  If more than 250 customers are impacted, the state Attorney General must also be notified.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Tennessee: Code 47-48-2107 – Requires notification within 45 days of the discovery of a breach.  All consumer reporting agencies must be notified if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.  2021 Update: Pending legislation would change reporting deadlines in the case of a pending criminal investigation.

Texas: Business and Commerce Code 521.002 – Requires notification “as quickly as possible” after discovery of a breach.  If more than 10,000 customers are impacted, all nationwide consumer reporting agencies must be notified as well.  2021 Update: Pending legislation would expand notification requirements.

Utah: Code 13-44-101 – Requires notification “without unreasonable delay” after discovery of a breach, unless misuse of data is unlikely.  2021 Update: HB80 was passed, providing for an affirmative defense which would protect organizations involved in a breach if they can show that they were in compliance with state cybersecurity guidelines at the time of the incident.

Vermont: Statute 9-2430 – Requires notification within 45 days of the discovery of a breach.  The state Attorney General or Department of Financial Regulation must also be notified within 14 days.  All consumer reporting agencies must also be informed if more than 1,000 customers are impacted.

Virginia: Code 18.2-186.6 – Requires notification “without unreasonable delay” after discovery of a breach.  The state Attorney General must also be notified, along with all nationwide consumer reporting agencies if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Washington: Code 19.255.010 – Requires notification no later than 45 days after the discovery of a breach, unless the breach is unlikely to cause harm.  If more than 500 customers are impacted, the state Attorney General must also be notified.  2021 Update: Pending legislation would expand rules applying to state agencies.

West Virginia: Code 46A-2A-101 – Requires notification “without unreasonable delay,” along with notification of all consumer reporting agencies if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Wisconsin: Statute 134.98 – Requires notification within 45 days of the discovery of a breach.  All nationwide consumer reporting agencies must also be notified if more than 1,000 customers are impacted.  Organizations in compliance with GLBA are deemed to be in compliance with this law.

Wyoming: Statute 40-12-501 – Requires notification “without unreasonable delay” after the discovery of a breach.  Organizations in compliance with GLBA are deemed to be in compliance with this law.
