Breach Trigger Analysis
◈ Last edit: April, 2021
◈ 50 State, 3 Territories
◈ Breach Laws Analyzed
Unique data. Hand-curated.
This is an analysis of Data Breach Laws in all 50 U.S. States and plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. Thanks to Privacy Lawyer Thomas Besore for his assistance.
It focuses all attention on the triggers for breach notification around 1) the breach incident and 2) the harm determination. It does not explore the similarly intricate requirements of which pieces of personal data or PII are required to trigger a breach notification. Look for a future analysis from PrivacyPlan of State PII thresholds.
This dataset breaks out each law into three components; what we call the Data Trigger, the Harm Trigger, and the Significant Risk Trigger. We also document which law laws have an Encryption Safe Harbor and which completely skip the Harm Analysis.
Our chart below also links you to the primary State Statute as well as analyses of those regulations by Baker Hostetler and Perkins Coie.
Data Breach Trigger Analysis
| StateName | Full Trigger | DataTrig | HarmTrig | RiskTrig | Harm* | Encrypt* | State Law Citation | Perkins | Partial Breach Def |
|---|
Legend
Harm* indicates that a Harm analysis is or is not required.
Encrypt* indicates that an encryption safe harbor provision is or is not present.
Partial Breach Def* grabs small chunks of language from the state breach law or an analysis thereof.
| Data Triggers | States take 1 of 3 approaches: | ||
| Data | ACCESS | Access | “unauthorized access” |
| Data | ACQUIRE | Acquisition | “unauthorized acquisition” |
| Data | BOTH | Access & Acquisition | “unauthorized acquisition of and access” |
| Data | EITHER | Access or Acquisition | “unauthorized access to or acquisition of” |
| Harm Triggers | Some States require specif harms before customer notification is required | ||
| Harm | $$ | Risk of Economic Loss | “reasonably likely to result in substantial economic loss to affected individuals” |
| Harm | $$/RH | Risk of Loss, Risk of Harm | “reasonably believed to cause loss or injury to a resident” |
| Harm | $$/RID | Risk of Identity Theft, Risk of Loss | “likely result in identity theft or any other financial harm to the individuals” |
| Harm | RH | Risk of Harm | “reasonable likelihood of harm” |
| Harm | RID | Risk of Identity Theft | “has caused or will cause, identity theft to any consumer” |
| Harm | RID/RF | Risk of Identity Theft, Risk of Fraud | “PI has been or will be misused for identity theft or fraud.” |
| Harm | RM | Risk of Misuse | “misuse of PI about a CO resident has not occurred and is not likely to occur” |
| Substantial Risk | States that include more restrictive language, e.g.: | ||
| Risk | SR | Substantial Risk | “significant risk of identity theft” |
| “a material risk of harm to a consumer” | |||
| “a material risk of identity theft” | |||
| “substantial economic loss” | |||
| “reasonably likely to cause substantial harm” |
Charts
