State Data Breach Notification Laws – Overview of Requirements for Responding to a Data Breach (Updated June 2016)
With the ever-changing complexity of state data breach notification laws, companies facing a data breach need resources that will help them understand the issues. This summary provides an overview of the similarities and differences in data breach laws adopted in 47 states and the District of Columbia. As reflected in this summary, laws may differ as to the information defined as “personal” or “sensitive” and the triggers for notification. Many states require that specific content be included in notices, and those requirements differ. In addition, several states impose obligations to notify certain state agencies in some or all cases.
Because privacy is a politically popular topic for legislators, laws continue to evolve and change. It is important to confirm that no changes have been made to relevant laws whenever you deal with a data breach. While this summary focuses on data breach notification obligations, many state laws also impose specific data security requirements for companies that handle personal information, which should also be consulted.
This summary is intended to provide general information about applicable laws, and does not constitute legal advice regarding specific facts or circumstances.
For more information on privacy and data security matters, please contact us:
Sheila Millar (+1 202.434.4143, millar@khlaw.com)
Tracy Marshall (+1 202.434.4234, marshall@khlaw.com)
Definitions
CRA = Consumer Reporting Agency (Experian, Equifax, TransUnion)
AG = State Attorney General
FTC = Federal Trade Commission
1. What Type of Personal Information Triggers a Breach Notification Obligation to Individuals?
Type of Personal Information | States |
First name/initial and last name plus any of | Used by all states (except D.C.) with data breach laws [1] (AK, AZ, AR, CA, CO, CT, DE, FL, GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MD, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OH, OK, OR, PA, RI, SC, TN, TX, UT, VT, VA, WA, WV, WI, WY) |
Name, phone number, or address plus SSN, driver’s license #, ID card #, credit or debit card #, or any other #, code, or combo that allows access to/use of individual’s account [2] | D.C. |
Passwords, personal identification numbers, or other access codes for financial accounts when used with a first name/initial and last name | AK, VT |
Account #, credit card #, or debit card # (alone) – if information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised | GA, ME |
Account passwords, PIN or other access codes (alone) – if information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised | GA, ME, NC |
Driver’s license number, or state ID # (alone) – if information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised | ME |
Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual’s financial account when used with a first name/initial and last name | IA, MO, NE |
Unique biometric data, such as a fingerprint, retina or iris image, or other unique representation of biometric data when used with a first name/initial and last name | IL[3], IA, NE, NC, WI, WY |
Data from automatic measurements of physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial or other transaction | OR |
An individual’s DNA profile when used with a first name/initial and last name | WI |
An Individual or Employer Taxpayer Identification Number when used with a first name/initial and last name | MD, MT, NC, WY |
User name or e-mail address plus a password or security question and answer that would permit access to an online account | CA, FL, IL[4], NV, WY; RI (e-mail address plus a security code, access code, or password that would permit access to an individual’s personal, medical, insurance or financial account) |
Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names when used with a first name/initial and last name | NC |
ID # assigned by individual’s employer when used with a first name/initial and last name | ND |
Digital or electronic signature when used with a first name/initial and last name | NC, ND |
Date of birth when used with a first name/initial and last name | ND |
Mother’s maiden name when used with a first name/initial and last name | NC, ND |
Medical Information | AR, CA, FL, IL[5], MO, MT, ND, WY (if used in combination with first name/initial and last name); OR, RI (if used in combination with the first name/initial and last name; specifically information about an individual’s medical history, mental or physical condition or medical diagnosis or treatment) |
Health Insurance Information | CA, FL, IL[6], MO, ND, WY, RI (if used in combination with first name/initial and last name); TX; VA (if used in combination with the first name/initial and last name and maintained by a state government entity) |
Medical identification number or a health insurance identification number | NV (if used in combination with first name/initial and last name) |
Health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify an individual | OR (if used in combination with first name/initial and last name) |
SSN (alone) | GA (if information compromised would alone be sufficient to perform or attempt to perform identity theft against the person whose information was compromised); IN (if SSN not encrypted or redacted); ME (if information compromised would alone be sufficient to permit a person to fraudulently assume or attempt to assume identity of the person whose information was compromised) |
Any other numbers or information that can be used to access a person’s financial resources when used with a first name/initial and last name | NC, SC |
Any elements that when not combined with a name would be sufficient to permit a person to commit identity theft | OR |
Dissociated data that, if linked, would constitute personal information, if the means to link the dissociated data is accessed in connection with access to the dissociated data. | NJ |
U.S. Passport number or other United States issued identification number | OR |
Numbers or information issued by a governmental or regulatory entity that uniquely identify an individual | SC |
Tribal identification card | WY |
Federal or state government issued identification card | WY |
2. What Form of Data Triggers a Breach Notification Obligation to Individuals?[7]
Form of Data | State(s) |
Encrypted or Unencrypted | TN |
Unencrypted | All states with data breach laws (AK, AZ, AR, CA, CO, CT, D.C., DE, FL, GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MD, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OH, OK, OR, PA, RI, SC, TN, TX, UT, VT, VA, WA, WV, WI, WY) |
Computerized | All states with data breach laws (AK, AZ, AR, CA, CO, CT, DE, D.C., FL, GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MD, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OH, OK, OR, PA, RI, SC, TN, TX, UT, VT, VA, WA, WV, WI, WY) |
Any Form (electronic, paper, etc.) | AK, HI, IA (if transferred to other medium from computerized form), MA, NC, SC, WA, WI |
Timing to Notify Residents | States |
Most expedient time possible and without unreasonable delay | AK, AZ, AR, CA, CO, DE, D.C., GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OR, PA, RI, SC, TX, UT, VA, WA, WY. NOTE: CA guidance document recommends notifying within 10 business days. |
Within 90 days after discovery of breach (unless delayed for a law enforcement investigation) | CT |
No later than 45 days after discovery of breach | FL, OH, TN, WA, WI, VT |
As soon as reasonably practicable after discovery of breach | MD, OK, WV |
Within 30 days of breach (plus additional 15 days for good cause shown) | FL |
4. What Form of Notice is Permitted?
Form of Notification | States |
Written Notice | All states with data breach laws (AK, AZ, AR, CA, CO, CT, DE, D.C., FL, GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MD, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OH, OK, OR, PA, RI, SC, TN, TX, UT, VT, VA, WA, WV, WI, WY) |
Electronic Notice (consistent w/ 15 U.S.C. § 7001) | AK, AZ, AR, CA, CO, CT, DE, D.C., FL, GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MD, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OH, OK, OR, PA, RI, SC, TN, TX, UT, VT, VA, WA, WV, WY (the same states that permit written notice, except WI, which permits notification “by a method the entity has previously employed to communicate with the subject of the personal information”) |
Telephone | AZ, CO, CT, DE, GA, ID, IN, MD, MS, MT, NE, OH, OK, SC, UT, VA, WV; HI, MO, NC, OR, VT (if contact is made directly with the affected persons); MI (if notice is not given by use of a recorded message, and the recipient has expressly consented to receive notice by telephone; or, if the recipient has not expressly consented to receive notice by telephone, and notice by telephone does not result in a live conversation within 3 business days after the initial attempt to provide telephone notice, then written or electronic notice is also provided); NH, NY (if a log of each such notification is kept by the person or business who notifies affected persons); PA (if the customer can be reasonably expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms and verifies personal information but does not require the customer to provide personal information, and the customer is provided with a telephone number to call or Internet website to visit for further information or assistance) |
Fax | IN |
Newspaper of general circulation | UT (but notice must be in accordance with Utah Code Section 45-1-101) |
Substitute notice (consisting of email; conspicuous posting on website; AND notice to major statewide media) where cost > $250K, > 500,000 affected, or insufficient contact information | AR, CA, CT, FL, IL, IN, KY, LA, MA, MI, MN, MT, NV, NJ, NY, NC, ND, OH, SC, TN, TX, WA |
Substitute notice (consisting of email; conspicuous posting on website; AND notice to major statewide media) with other cost/affected individual thresholds | AK (cost > $150K, > 300,000 affected); AZ, D.C., GA, OK, VA, WV (cost > $50K, > 100,000 affected); CO (cost > $250K, > 250,000 affected); DE and NE (cost > $75K, > 100,000 affected); HI (cost > $100K, > 200,000 affected); ID and RI (cost > $25K, > 50,000 affected); IA and OR (cost > $250K, > 350,000 affected); KS (cost > $100K, > 5,000 affected); ME and NH (cost > $5K, > 1,000 affected); MD and PA (cost > $100K, > 175,000 affected); MS (cost > $5K, > 5,000 affected); MO (cost > $100K, > 150,000 affected); RI (cost > $50K, > 50,000 affected); VT (cost > $5K, > 5,000 affected); WY (cost > $10K for WY business or $250K for others; > 10,000 affected for WY businesses, 500,000 for others) |
5. What Must Be Included in Breach Notices to Individuals Under Statute?[8]
States | Content Required |
California | Notification must include:
Notification may include the following:
Effective January 1, 2015, companies that report a breach must provide free identity theft protection for 12 months. For a breach involving PI for an online account and no other PI, companies can comply with the notification requirement by providing notice in electronic or other form that directs the affected person to change his/her password and security question or answer, or take other steps appropriate to protect the account and all other online accounts for which the person uses the same user name or email address and password or security question or answer. |
Connecticut | The statute does not list required content, but the state Attorney General website specifies that any breach notification should include: |
Hawaii | |
Illinois | Notification must include, but need not be limited to:
Notification shall not include information concerning the number of Illinois residents affected by the breach. |
Iowa | |
Maryland | |
Massachusetts | Sample letter available at http://www.mass.gov/ago/docs/consumer/93h-sampleletter-residents.pdf |
Michigan | |
Missouri | |
Montana | If a business discloses a breach and gives notice to the individual that suggests, indicates, or implies that the individual may obtain a copy of the file on the individual from a CRA, then the business must coordinate with the CRA as to the timing, content, and distribution of the notice to the individual. |
New Hampshire | |
New York | |
North Carolina | |
Oregon | |
Rhode Island | 1. The incident in general terms, including how the breach occurred and the number of affected individuals. 2. Type of PI subject to the security breach. 3. Actual or estimated date of breach or timeframe within which the breach occurred. 4. Date the breach was discovered. 5. Description of remediation services being offered, including toll-free numbers and websites for CRAs, remediation service providers, and the AG. 6. How to file or obtain a police report. 7. How to request a security freeze and notice that CRAs may charge fees. |
Vermont | |
Virginia | |
Washington | |
West Virginia | |
Wisconsin | Indicate that the entity knows of the unauthorized acquisition of PI pertaining to the individual. |
Wyoming | |
State | State Agency(ies) Requiring Notification & Agency Information | Threshold, Timing, and Specific Content to be Included in Notice |
California | Attorney General
Submit electronic form: https://oag.ca.gov/ecrime/databreach/report-a-breach | Threshold: If notice is given to >500 residents at one time.
Timing: None specified.
Specific Content: Must electronically submit a sample copy of the notification to residents, excluding any PI. |
Connecticut | Attorney General
Notify by Email: ag.breach@ct.gov | Threshold: None specified.
Timing: Within 90 days after discovery of breach.
Specific Content:
|
Florida | Office of Attorney General, Department of Legal Affairs | Threshold: If notice is given to 500 or more residents.
Timing: As expeditiously as possible, but no later than 30 days after determination of the breach or reason to believe a breach occurred. May receive an additional 15 days for good cause provided to the Dept. in writing.
Specific Content:
To be provided upon request:
|
Hawaii | Office of Consumer Protection
Notify by U.S. Mail: Office of Consumer Protection Department of Commerce and Consumer Affairs 235 South Beretania Street, Suite 801 Honolulu, Hawaii 96813-2419 | Threshold: If notice is given to >1,000 residents at one time
Timing: Without unreasonable delay.
Specific Content: None specified. |
Illinois | Attorney General | Threshold: Covered entities and business associates that are subject to HIPAA and HITECH Act and are required to notify Secretary of Health and Human Services of a breach.
Timing: Within 5 business days of notifying the Secretary.
Specific Content: None specified. |
Indiana | Attorney General
Notify by U.S. Mail: Consumer Protection Division Office of the Indiana Attorney General ATTN: Security Breach Notification 302 W. Washington St., 5th Floor Indianapolis, IN 46204 | Threshold: None specified.
Timing: Without unreasonable delay.
Specific Content: None specified. |
Iowa | Attorney General Consumer Protection Division
Notify by U.S. Mail: | Threshold: If > 500 residents affected.
Timing: Within 5 business days of notifying consumers.
Specific Content: None specified. |
Louisiana | Consumer Protection Section of the Attorney General’s Office
Notify by U.S. Mail: Office of the Attorney General 1885 North Third St. Baton Rouge, LA 70802 -or- P.O. Box 94005 Baton Rouge, LA 70804 | Threshold: None specified.
Timing: Within 10 days of notice to LA residents.
Specific Content: Notice must be written and include the names of all individuals affected by the breach. |
Maine | Department of Professional and Financial Regulation (if regulated by the Department)
Notify by U.S. Mail: Department of Professional & Financial Regulation
Attorney General (if not regulated by the Department)
Notify by U.S. Mail: Maine Attorney General Attn: Consumer Protection Division 6 State House Station Augusta, Maine 04333 | Threshold: None specified.
Timing: None specified.
Specific Content:
|
Maryland | Attorney General
Notify by U.S. Mail: Office of the Attorney General Attn: Security Breach Notification 200 St. Paul Place Baltimore, MD 21202 Notify by Fax: (410) 576-6566 Attn: Security Breach Notification Notify by E-mail: Idtheft@oag.state.md.us | Threshold: None specified.
Timing: Before notifying affected individuals.
Specific Content:
|
Massachusetts | Attorney General Director of Consumer Affairs and Business Regulation
Notify by U.S. Mail:
Massachusetts Office of the Attorney General Public Information and Assistance Center One Ashburton Pl. Boston, MA 02108-1518 E-mail: ago@state.ma.us
Office of Consumer Affairs and Business Regulation 10 Park Plaza, Suite 5170 Boston, MA 02116 | Threshold: None specified.
Timing: As soon as practicable and without unreasonable delay.
Specific Content: Detailed description of the incident; number of MA residents affected; steps taken relating to the incident; steps to be taken subsequent to notification; whether law enforcement is investigating; name and contact information for the person whom the Office of the Attorney General may contact.
Sample letter available on website |
Missouri | Attorney General
Notify by U.S. Mail: Attorney General’s Office Consumer Protection Unit 207 W. High St. attorney.general@ago.mo.gov | Threshold: If notice is given to > 1,000 residents at once
Timing: Without unreasonable delay.
Specific Content: Timing, distribution, and content of the notice to individuals. |
Montana | Attorney General
Notify by U.S. Mail: Office of Consumer Protection | Threshold: None specified.
Timing: Simultaneously with notice to individuals.
Specific Content:
|
New Hampshire | Attorney General
Notify by U.S. Mail: New Hampshire Department of Justice Office of the Attorney General
Other State Regulatory Agencies:
Entities subject to the jurisdiction of the bank commissioner, the director of securities regulation, the insurance commissioner, the public utilities commission, the financial institutions and insurance regulators of other states, or federal banking or securities regulators who possess the authority to regulate unfair or deceptive trade practices shall notify the regulator with primary regulatory authority. | Threshold: None specified.
Timing: None specified.
Specific Content:
|
New Jersey | Department of Law and Public Safety, Division of State Police
A breach of security can be reported to the New Jersey State Police 24 hours a day at: 609-963-6900 | Threshold: None specified.
Timing: Before notifying affected individuals; quickly and without unreasonable delay.
Specific Content: None specified. |
New York | Must notify the following three (3) agencies by fax or email:
Attorney General’s Office: Security Breach Notification Consumer Frauds & Protection Bureau 120 Broadway - 3rd Floor New York, NY 10271 Fax: 212-416-6003 E-mail: breach.security@ag.ny.gov
New York State Division of State Police: Security Breach Notification New York State Intelligence Center 630 Columbia Street Ext Latham, NY 12110 fax: 518-786-9398 E-mail: risk@nysic.ny.gov
New York State Department of State Division of Consumer Protection: Attn: Director of the Division of Consumer Protection Security Breach Notification 99 Washington Avenue, Suite 650 Albany, NY 12231 Fax: 518-473-9055 | Threshold: None specified.
Timing: None specified.
Specific Content: Notice made using New York State Information Security Breach and Notification Act Reporting form, available at: http://www.dhses.ny.gov/ocs/breach-notification/documents/Business-Data-Breach-Form.pdf |
North Carolina | Consumer Protection Division of the Attorney General’s Office
Notify by U.S. Mail: Consumer Protection Division NC Attorney General’s Office 9001 Mail Service Center Raleigh, NC 27699-9001 | Threshold: None specified.
Timing: Without unreasonable delay.
Specific Content: Notice should be made using North Carolina Security Breach Reporting Form: http://www.ncdoj.gov/getdoc/50dc89a8-8b26-48b6-88f2-3e30cd19f09f/NC-Security-Breach-Reporting-Form-2009.aspx |
North Dakota | Attorney General
Notify by U.S. Mail: Office of the Attorney General | Threshold: If notice is given to >250 residents at once.
Timing: In the most expedient time possible and without unreasonable delay.
Specific Content: None specified. |
Oregon | Attorney General Office of the Attorney General | Threshold: If notice is given to >250 residents at once.
Timing: In the most expeditious time possible, without unreasonable delay, consistent with the needs of law enforcement.
Specific Content: None specified. |
Rhode Island | Attorney General
Notify by U.S. Mail or Electronically: Office of the Attorney General | Threshold: If notice is given to >500 residents at once.
Timing: In the most expedient time possible, but no later than 45 days.
Specific Content:
|
South Carolina | Consumer Protection Division of the Department of Consumer Affairs
Notify by U.S. Mail: Legal Division RE: Security Breach Notification South Carolina Department of Consumer Affairs P.O. Box 5757 Columbia, SC 29250 | Threshold: If notice is given to >1,000 residents at once
Timing: Without unreasonable delay.
Specific Content:
|
Vermont | Attorney General
Notify by telephone, fax, or email: Phone: 802-828-5479 Fax: 802-828-5479 Email: data.security@atg.state.vt.us | Threshold: None specified.
Timing: Within 14 days of discovering the breach. However, 14 day preliminary notice need not be submitted if, prior to the date of the breach, owner has sworn in the form provided by the AG that it maintains written policies and procedures to maintain the security of PI and to respond to a breach in a manner consistent with VT law.
Specific Content:
|
Virginia | Attorney General
Notify by U.S. Mail: Computer Crime Section Virginia Attorney General’s Office 900 East Main Street Richmond, VA 23219 | Threshold: None specified.
Timing: Without unreasonable delay.
Specific Content:
|
Washington | Attorney General
Amendments to data breach notification law, which take effect July 24, 2015, require electronic notification. | Threshold: If notice is given to >500 residents at once
Timing: By the time notice is provided to consumers.
Specific Content:
|
7. Other Notification Requirements
State(s) | Notice Requirements |
Texas | Requires disclosure of a breach to all individuals (regardless of the state of residency) whose personal information is breached. If the individual is a resident of another state that requires breach notification, then the breach notification to that individual may be provided under that state’s law or under Texas’ law. |
8. When is Notification to CRAs Required?
State(s) | Timing of Notification | Notice of Breach |
MN | Within 48 hours of discovery. | If notification of breach provided to > 500 MN residents. |
AK, CO, D.C., FL, HI, IN, KS, KY, MD, ME, MI, MO, NC, NV, NJ, OH, OR, PA, SC, TN, VA, VT, WV, WI | Without unreasonable delay. | If notification of breach provided to > 1,000 state residents. |
RI | Without unreasonable delay and no later than 45 days after confirmation of breach. | If notification of breach provided to > 500 RI residents. |
ME, NH | Without unreasonable delay. | If notification of breach provided to > 1,000 persons. |
NY | Without unreasonable delay. | If notification of breach provided to > 5,000 NY residents. Must notify as to timing, content and distribution of notices and approximate number of affected persons. |
GA | Without unreasonable delay. | If notification of breach provided to > 10,000 GA residents. |
TX | Without unreasonable delay. | If notification of breach provided to > 10,000 persons. |
Contact Information for Three National CRAs:
EQUIFAX:
E-mail: psol@equifax.com
Contact Number: 866-510-4211
http://www.equifax.com/help/data-breach-solutions/
EXPERIAN:
E-mail: databreachinfo@experian.com
Contact Number: 866-751-1323
http://www.experian.com/business-services/data-breach-protection.html?INTCMP=INTFMTP52511DBP
TRANSUNION:
E-mail: databreach@transunion.com
Contact Number: 800-719-1636
TransUnion Data Breach Reporting Hotline: 800-971-4307
http://www.transunion.com/corporate/business/solutionsbyneed/fraud-response-services.page
_______________________________________
[1] Only Alabama, New Mexico and South Dakota do not have data breach notification laws. As described in Section 7, however, Texas law requires disclosure of a breach to all individuals whose personal information is affected, regardless of their place of residence.
[2] This definition of “personal information” and some of the other types of personal information described in this chart that trigger the breach notification requirement is similar to the definition of “sensitive customer information” under the Gramm-Leach-Bliley (GLB) Act. That term is defined in the GLB Act as a customer’s name, address, or telephone number, plus a SSN, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. It also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.
[3] Effective January 1, 2017.
[4] Effective January 1, 2017.
[5] Effective January 1, 2017.
[6] Effective January 1, 2017.
[7] The obligation to notify applies generally to businesses that own or license personal information of residents of the state, except in GA, where the law applies to information brokers or a person or business who maintains such data on behalf of an information broker.
[8] AG or other approval prior to or simultaneously with notifying affected individuals is required in some states. See Section 6.
[9] Effective January 1, 2017.