Breach Trigger Analysis

◈ Last edit: April, 2021
◈ 50 State, 3 Territories
◈ Breach Laws Analyzed

State Data Breach Laws: Analysis

Unique data. Hand-curated.

This is an analysis of Data Breach Laws in all 50 U.S. States and plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. Thanks to Privacy Lawyer Thomas Besore for his assistance.

It focuses all attention on the triggers for breach notification around 1) the breach incident and 2) the harm determination. It does not explore the similarly intricate requirements of which pieces of personal data or PII are required to trigger a breach notification. Look for a future analysis from PrivacyPlan of State PII thresholds.

This dataset breaks out each law into three components; what we call the Data Trigger, the Harm Trigger, and the Significant Risk Trigger. We also document which law laws have an Encryption Safe Harbor and which completely skip the Harm Analysis.

Our chart below also links you to the primary State Statute as well as analyses of those regulations by Baker Hostetler and Perkins Coie.

Data Breach Trigger Analysis

StateNameFull TriggerDataTrigHarmTrigRiskTrigHarm*Encrypt*State Law CitationPerkinsPartial Breach Def


Harm* indicates that a Harm analysis is or is not required.
Encrypt* indicates that an encryption safe harbor provision is or is not present.
Partial Breach Def* grabs small chunks of language from the state breach law or an analysis thereof.

Data Triggers States take 1 of 3 approaches:
Data ACCESS Access “unauthorized access”
Data ACQUIRE Acquisition “unauthorized acquisition”
Data BOTH Access & Acquisition “unauthorized acquisition of and access”
Data EITHER Access or Acquisition “unauthorized access to or acquisition of”
Harm Triggers Some States require specif harms before customer notification is required
Harm $$ Risk of Economic Loss “reasonably likely to result in substantial economic loss to affected individuals”
Harm $$/RH Risk of Loss, Risk of Harm “reasonably believed to cause loss or injury to a resident”
Harm $$/RID Risk of Identity Theft, Risk of Loss “likely result in identity theft or any other financial harm to the individuals”
Harm RH Risk of Harm “reasonable likelihood of harm”
Harm RID Risk of Identity Theft “has caused or will cause, identity theft to any consumer”
Harm RID/RF Risk of Identity Theft, Risk of Fraud “PI has been or will be misused for identity theft or fraud.”
Harm RM Risk of Misuse “misuse of PI about a CO resident has not occurred and is not likely to occur”
Substantial Risk States that include more restrictive language, e.g.:
Risk SR Substantial Risk “significant risk of identity theft”
“a material risk of harm to a consumer”
“a material risk of identity theft”
“substantial economic loss”
“reasonably likely to cause substantial harm”


Data Breach Notification Triggers: Data Access
Data Breach Notification Triggers: Harm
Data Breach Notification Triggers: Significant Risk