Breach Trigger Analysis

◈ Last edit: April, 2021
◈ 50 State, 3 Territories
◈ Breach Laws Analyzed

Unique data. Hand-curated.

This is an analysis of Data Breach Laws in all 50 U.S. States and plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. Thanks to Privacy Lawyer Thomas Besore for his assistance.

It focuses all attention on the triggers for breach notification around 1) the breach incident and 2) the harm determination. It does not explore the similarly intricate requirements of which pieces of personal data or PII are required to trigger a breach notification. Look for a future analysis from PrivacyPlan of State PII thresholds.

This dataset breaks out each law into three components; what we call the Data Trigger, the Harm Trigger, and the Significant Risk Trigger. We also document which law laws have an Encryption Safe Harbor and which completely skip the Harm Analysis.

Our chart below also links you to the primary State Statute as well as analyses of those regulations by Baker Hostetler and Perkins Coie.

Data Breach Trigger Analysis

StateNameFull TriggerDataTrigHarmTrigRiskTrigHarm*Encrypt*State Law CitationPerkinsPartial Breach Def
AlabamaAL4.9127AQ + RH ACQUIRERHSRYY2018 S.B. 318, Act No. 396http://alisondb.legislature.state.al.us/alison/CodeOfAlabama/1975/8-38-2.htmhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-alabama.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=ALacquired by an unauthorized person, and is reasonably likely to cause substantial harm
AlaskaAK0.7342AQ + RHACQUIRERHYYAlaska Statutes 45.48.010: Personal Information Protection Acthttp://law.alaska.gov/department/civil/consumer/4548.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-alaska.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=AKunauthorized acquisition or reasonable belief of unauthorized acquisition ... [and] reasonable likelihood that harm
ArizonaAZ7.28181ACQ + $$ BOTH$$SRYYArizona Revised Statutes 18-545https://www.azleg.gov/viewdocument/?docName=https://www.azleg.gov/ars/18/00551.htmhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-arizona.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=AZunauthorized acquisition of and access ... [unless] not reasonably likely to result in substantial economic loss to affected individuals.
ArkansasAR3.0274AQ + RHACQUIRERHYYArkansas Code 4-110-101: Personal Information Protection Acthttps://law.justia.com/codes/arkansas/2010/title-4/subtitle-7/chapter-110/4-110-105/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-arkansas.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=ARunauthorized acquisition ... [unless] no reasonable likelihood of harm
CaliforniaCA39.511777AQACQUIRENYCalifornia Civil Code 1798:29 and 1798:80http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.29https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-california.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=CAunauthorized acquisition
ColoradoCO5.76244AQ + RMACQUIRERMYYColorado Revised Statutes 6-1-716https://codes.findlaw.com/co/title-6-consumer-and-commercial-affairs/co-rev-st-sect-6-1-716.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-colorado.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=COunauthorized acquisition ... [unless] misuse of PI about a CO resident has not occurred and is not likely to occur.
ConnecticutCT3.57191ACQ + RHEITHERRHYYConnecticut General Statutes 36a-701bhttps://www.cga.ct.gov/current/pub/chap_669.htm#sec_36a-701bhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-connecticut.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=COunauthorized access to or acquisition of... [unless] the breach will not likely result in harm to the individuals whose PI has been acquired and accessed.
DelawareDE0.9750AQ + RHACQUIRERHYYDelaware Code Title 6, Chapter 12Bhttp://delcode.delaware.gov/title6/c012b/index.shtmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-delaware.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=DEunauthorized acquisition .. [unless] unlikely to result in harm to affected individuals.
District of ColumbiaDC0.71189AQACQUIREN"rendered secure"DC Consumer Security Breach Informationhttps://code.dccouncil.us/dc/council/code/titles/28/chapters/38/subchapters/II/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-district-of-columbia.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=DCunauthorized acquisition
FloridaFL21.48638AC + RID/RHACCESS$$/RIDYYFla. Stat. § 501.171http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0500-0599/0501/Sections/0501.171.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-florida.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=FLunauthorized access... [unless] will not likely result in identity theft or any other financial harm to the individuals
GeorgiaGA10.62365AQACQUIRENYGeorgia Code 10-1-912https://codes.findlaw.com/ga/title-10-commerce-and-trade/ga-code-sect-10-1-910.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-georgia.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=GAunauthorized acquisition
GuamGU0.16ACQ + RID/RFBOTHRID/RFYYGuam Law Linkhttp://www.guamcourts.org/CompilerofLaws/GCA/09gca/9gc048.pdfhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=GUaccessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of Guam
HawaiiHI1.4233ACQ + RHBOTHRHYYHawaii Revised Statutes 487N-1https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htmhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-hawaii.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=HIunauthorized access to and acquisition ... where such unauthorized access and acquisition creates a risk of harm to a person
IdahoID1.7950AQ + RMACQUIRERMYYIdaho Code 28-51-104https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-idaho.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=IDan illegal acquisition ... [unless] has not been and will not be misused.
IllinoisIL12.67533AQACQUIRENY815 ILCS 530: Personal Information Protection Acthttp://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act.https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-illinois.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=ILunauthorized acquisition
IndianaIN6.73269AQ + RID/RFACQUIRERID/RFYYInd. Code §§ 4-1-11 et seq., 24-4.9 et seq.http://iga.in.gov/legislative/laws/2020/ic/titles/004#4-1-11https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-indiana.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=INunauthorized acquisition ... notification not required if the breach has not resulted in and could not result in identity deception, identity theft or fraud.
IowaIA3.16114AQ + RHACQUIRE$$YYIowa Code 715C.1https://www.legis.iowa.gov/docs/code/715c.pdfhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-iowa.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=INunauthorized acquisition ... [unless] no reasonable likelihood of financial harm
KansasKS2.9181ACQ + RIDBOTHRIDYYKansas Statutes 50-7a01http://www.kslegislature.org/li_2014/b2013_14/statute/050_000_0000_chapter/050_007a_0000_article/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-kansas.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=KSunauthorized access to and acquisition .... [and] reasonably believes has caused or will cause, identity theft to any consumer
KentuckyKY4.47136AQ + RID/RFACQUIRERID/RFYYKY Rev. Stat. §365.732https://codes.findlaw.com/ky/title-xxix-commerce-and-trade/ky-rev-st-sect-365-732.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-kentucky.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=KYunauthorized acquisition ... [and] has caused or will cause, identity theft or fraud against any Kentucky resident.
LouisianaLA4.6583ACQ + RHBOTHRHYYLa. Rev. Stat. §§ 51:3071 et seq.https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-louisiana.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=LAunauthorized acquisition of and access ... [unless] there is no reasonable likelihood of harm to LA residents
MaineME1.3469AQ + RMACQUIRERMYY10 Me. Rev. Stat. § 1346 et seq.http://legislature.maine.gov/statutes/10/title10ch210-Bsec0.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maine.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MEunauthorized acquisition, release or use... [unless] there is not a reasonable likelihood that the PI has been or will be misused
MarylandMD6.05285AQ + RMACQUIRERMYYMaryland Commercial Code 14-3501https://codes.findlaw.com/md/commercial-law/md-code-com-law-sect-14-3501.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maryland.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MDunauthorized acquisition ... [unless] was not and will not be misused as a result of the breach
MassachusettsMA6.89431AQ + RID/RF ACQUIRERID/RFSRYYMassachusetts General Laws 93H, Section 1https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-massachusetts.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MAunauthorized acquisition or unauthorized use... [where] a substantial risk of identity theft or fraud against a MA resident
MichiganMI9.99226ACQ + RID/$$ BOTH$$/RIDSRYYMich. Comp. Laws §§ 445.63, 445.72https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-michigan.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MIunauthorized access and acquisition ... [unless] has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents of MI
MinnesotaMN5.64246AQACQUIRENYMinnesota Statutes 325E.61https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-minnesota.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MNunauthorized acquisition
MississippiMS2.9841AQ + RHACQUIRERHYYMississippi Code 75-24-29https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=44f0d968-6ef3-4aef-a2db-7ec4c9f0e2c7&nodeid=ABNAAWAABAAQ&nodepath=%2FROOT%2FABN%2FABNAAW%2FABNAAWAAB%2FABNAAWAABAAQ&level=4&haschildren=&populated=false&title=%C2%A7+75-24-29.+Persons+conducting+business+in+Mississippi+required+to+provide+notice+of+a+breach+of+security+involving+personal+information+to+all+affected+individuals%3B+enforcement.&config=00JABhZDIzMTViZS04NjcxLTQ1MDItOTllOS03MDg0ZTQxYzU4ZTQKAFBvZENhdGFsb2f8inKxYiqNVSihJeNKRlUp&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A8P6B-8782-8T6X-74VC-00008-00&ecomp=k5v8kkk&prid=9be20549-c96b-46a9-b338-d9943601c47dhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-mississippi.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MSunauthorized acquisition ... [unless] will not likely result in harm to the affected individuals
MissouriMO6.14202ACQ + RIDBOTHRID/RFYYMissouri Revised Statutes 407.1500https://revisor.mo.gov/main/OneSection.aspx?section=407.1500&bid=23329&hl=https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-missouri.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MOunauthorized access to and unauthorized acquisition ... [unless] a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach
MontanaMT1.0772AQ + RHACQUIRE$$/RHYYMontana Code 30-14-1704https://leg.mt.gov/bills/mca_toc/30_14_17.htmhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-montana.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MTunauthorized acquisition ... [and] s reasonably believed to cause loss or injury to a MT resident
NebraskaNE1.9365AQ + RMACQUIRERMYYNebraska Revised Statutes 87-801https://nebraskalegislature.gov/laws/statutes.php?statute=87-802https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-nebraska.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NEunauthorized acquisition ... [unless] unlikely that PI has been or will be used for an unauthorized purpose
NevadaNV3.0892AQACQUIRENYNevada Revised Statutes 603A.010https://www.leg.state.nv.us/nrs/nrs-603a.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-nevada.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NVunauthorized acquisition
New HampshireNH1.36104AQ + RMACQUIRERMYYNew Hampshire Revised Statutes 359-C:20https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-hampshire.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NHunauthorized acquisition ... [unless] misuse of the information has not occurred and is not reasonably likely to occur
New JerseyNJ8.88269AC + RMACCESSRMYYNew Jersey Statutes 56:8-163: Identity Theft Prevention Acthttps://codes.findlaw.com/nj/title-56-trade-names-trademarks-and-unfair-trade-practices/nj-st-sect-56-8-162.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-jersey.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NJunauthorized access... [unless] misuse of the information is not reasonably possible
New MexicoNM2.168AQ + RID/RF ACQUIRERID/RFSRYYNew Mexico Data Breach Act - HB 15https://nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdfhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-mexico.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NMunauthorized acquisition ... [unless] the security breach does not give rise to a significant risk of identity theft or fraud
New YorkNY19.45863AQ + RMACQUIRERMYYNew York General Business Law 899-aa and State Technology Law 208https://www.nysenate.gov/legislation/laws/GBS/899-AAhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-york.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NYunauthorized acquisition or acquisition without valid authorization ... not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the Entity reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials
North CarolinaNC10.49290ACQ + RH BOTHRHSRYYNorth Carolina General Statutes 75-61 and 75-65https://codes.findlaw.com/nc/chapter-75-monopolies-trusts-and-consumer-protection/nc-gen-st-sect-75-65.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-north-carolina.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NCunauthorized access to and acquisition .... where illegal use of the PI has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer
North DakotaND0.7619AQACQUIRENYNorth Dakota Century Codehttps://codes.findlaw.com/nd/title-51-sales-and-exchanges/nd-cent-code-sect-51-30-02.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-north-dakota.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NDunauthorized acquisition
OhioOH11.69361ACQ + RID/RF BOTHRID/RFSRYYOhio Revised Code 1349.19https://codes.ohio.gov/ohio-revised-code/section-1349.19https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-ohio.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=OHunauthorized access to and acquisition ... that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of OH
OklahomaOK3.9675ACQ + RID/RFBOTHRID/RFYY24 Okla. Stat. § 161 et seq.https://www.bakerlaw.com/webfiles/Privacy/Map/State-Data-Breach-Statute/Oklahoma.pdfhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-oklahoma.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=OKunauthorized access and acquisition... [unless] reasonably believes has caused or will cause, identity theft or other fraud to any resident of OK
OregonOR4.22182AQ + RHACQUIRERHYYOregon Revised Statutes 646A.600: Oregon Consumer Identity Theft Protection Acthttps://www.oregonlaws.org/ors/646A.604https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-oregon.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=ORunauthorized acquisition ... [unless] reasonably determines that the breach has not and will not likely result in harm to the individuals whose PI has been acquired and accessed
PennsylvaniaPA12.8438ACQ + RHBOTHRHYYPennsylvania Statutes 73-2301: Breach of Personal Information Notification Acthttps://govt.westlaw.com/pac/Document/N5406B1B08C5311DA943797541B5FDE35?viewType=FullText&originationContext=documenttoc&transitionType=CategoryPageItem&contextData=(sc.Default)&bhcp=1https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-pennsylvania.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=PAunauthorized access and acquisition ... reasonably believes has caused or will cause loss or injury to any resident of PA
Puerto RicoPR3.233ACACCESSNY10 P.R. Laws Ann. §§ 4051–4055https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=3dae5e3e-ddd2-49bf-8535-aadcdeb8fb71&nodeid=AAMAADABGAAB&nodepath=%2FROOT%2FAAM%2FAAMAAD%2FAAMAADABG%2FAAMAADABGAAB&level=4&haschildren=&populated=false&title=%C2%A7+4051.+Definitions&config=00JABkODU1MGI4OC1hMmRkLTQ2MGYtOGY1NS03YjVjOWM4YjJlZjAKAFBvZENhdGFsb2d0HiKld62itjBDGzN8H7lV&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A5D6S-8B41-66SD-80SR-00008-00&ecomp=k5v8kkk&prid=80ede612-e1e6-4866-a3e4-ff35f4f52440https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-puerto-rico.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=RIaccess has been permitted to unauthorized persons or entities... or when normally authorized persons or entities have had access and it is known or there is reasonable suspicion that they have violated the professional confidentiality or obtained authorization under false representation with the intention of making illegal use of the information
Rhode IslandRI1.0667ACQ + RID EITHERRIDSRYYRhode Island General Laws 11-49.3http://webserver.rilin.state.ri.us/Statutes/TITLE11/11-49.3/11-49.3-4.HTMhttps://www.perkinscoie.com/en/news-insights/rhode-island.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=RIUnauthorized access or acquisition ... which poses a significant risk of identity theft to any resident of RI
South CarolinaSC5.15102ACQ + RH BOTHRHSRYYSouth Carolina Code 39-1-90https://www.scstatehouse.gov/query.php?search=DOC&searchtext=SECTION%2039%201%2090&category=CODEOFLAWS&conid=36689925&result_pos=0&keyval=17283&numrows=10https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-south-carolina.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=SCunauthorized access to and acquisition ... when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident
South DakotaSD0.8821AQ + RHACQUIRERHYYSouth Dakota’s Senate Bill 62https://sdlegislature.gov/Statutes/Codified_Laws/2047702https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-south-dakota.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=SDunauthorized acquisition ... [unless] reasonably believes the incident will not result in harm to affected individuals.
TennesseeTN6.83223AQACQUIRESRMixedYTennessee Code 47-18-2107https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=ae167118-3d03-4a8c-af3c-83c6191bfd5e&nodeid=ABVAAUAAVAAH&nodepath=%2FROOT%2FABV%2FABVAAU%2FABVAAUAAV%2FABVAAUAAVAAH&level=4&haschildren=&populated=false&title=47-18-2107.+Release+of+personal+consumer+information.&config=025054JABlOTJjNmIyNi0wYjI0LTRjZGEtYWE5ZC0zNGFhOWNhMjFlNDgKAFBvZENhdGFsb2cDFQ14bX2GfyBTaI9WcPX5&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A4X8K-XB40-R03J-K1K5-00008-00&ecomp=f38_kkk&prid=1ebbe805-18ab-4aae-92e0-ec985d915ffahttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-tennessee.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=TNacquisition of by an unauthorized person ... that materially compromises the security, confidentiality, or integrity of PI
TexasTX29819AQACQUIRENYTexas Business and Commerce Code 521.002 and 521.053https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm#521.002https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-texas.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=TXunauthorized acquisition
UtahUT3.21117AQ + RID/RFACQUIRERID/RFYYUtah Code 13-44-101, 13-44-202 and 13-44-301: Protection of Personal Information Acthttps://le.utah.gov/xcode/Title13/Chapter44/C13-44_1800010118000101.pdfhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-utah.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=UTunauthorized acquisition ... [unless] unlikely that PI has been or will be misused for identity theft or fraud.
VermontVT0.6282AQ + RID/RFACQUIRERID/RFYYVermont Statutes Annotated 9-2430 and 2435https://legislature.vermont.gov/statutes/section/09/062/02435https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-vermont.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=VTunauthorized acquisition ... [if] misuse of PI for identity theft or fraud has occurred, or is reasonably likely to occur
Virgin IslandsVI 0.11AQACQUIRENYV.I. Code tit. 14, §§ 2208, 2209https://advance.lexis.com/container?config=024453JABiMWFjOTk0OS1hNTVlLTQ1MDctYmZkOS1mNGRkY2I0ZTg2YzQKAFBvZENhdGFsb2fNaUTUAugmXPqNctTcuqLy&crid=64f20113-6ffc-44f5-b260-1e5fdea78634https://www.bakerlaw.com/datamap_ajax.aspx?statename=VIunauthorized acquisition
VirginiaVI8.54359ACQ + RID/RFBOTHRID/RFYYVirginia Code 18.2-186.6 and 32.1-127.1:05http://law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-virginia.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=VIunauthorized access and acquisition ...reasonably believes has caused, or will cause, identity theft or other fraud to any resident of VA.
WashingtonWA7.61299AQ + RHACQUIRERHYYWashington Revised Code 19.255.010https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-washington.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=WAunauthorized acquisition ... [unless] not reasonably likely to subject consumers to a risk of harm
West VirginiaWV1.7930ACQ + RID/RFBOTHRID/RFYYWest Virginia Code 46A-2A-101http://www.wvlegislature.gov/WVCODE/Code.cfm?chap=46a&art=2A#2Ahttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-west-virginia.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=WVunauthorized access and acquisition ... reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of WV
WisconsinWI5.82163AQ + RID/RFACQUIRERID/RFYYWisconsin Statutes 134.98https://docs.legis.wisconsin.gov/statutes/statutes/134/98https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-wisconsin.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=WIacquired by a person whom the Entity has not authorized... [unless] the acquisition of PI does not create a material risk of identity theft or fraud to the subject of the PI
WyomingWY0.5822AQ + $$/RHACQUIRE$$/RHYNWyoming Statutes 40-12-501https://codes.findlaw.com/wy/title-40-trade-and-commerce/wy-st-sect-40-12-501.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-wyoming.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=WYunauthorized acquisition ... and causes or is reasonably believed to cause loss or injury to a resident of WY.

Legend

Harm* indicates that a Harm analysis is or is not required.
Encrypt* indicates that an encryption safe harbor provision is or is not present.
Partial Breach Def* grabs small chunks of language from the state breach law or an analysis thereof.

Data Triggers States take 1 of 3 approaches:
Data ACCESS Access “unauthorized access”
Data ACQUIRE Acquisition “unauthorized acquisition”
Data BOTH Access & Acquisition “unauthorized acquisition of and access”
Data EITHER Access or Acquisition “unauthorized access to or acquisition of”
Harm Triggers Some States require specif harms before customer notification is required
Harm $$ Risk of Economic Loss “reasonably likely to result in substantial economic loss to affected individuals”
Harm $$/RH Risk of Loss, Risk of Harm “reasonably believed to cause loss or injury to a resident”
Harm $$/RID Risk of Identity Theft, Risk of Loss “likely result in identity theft or any other financial harm to the individuals”
Harm RH Risk of Harm “reasonable likelihood of harm”
Harm RID Risk of Identity Theft “has caused or will cause, identity theft to any consumer”
Harm RID/RF Risk of Identity Theft, Risk of Fraud “PI has been or will be misused for identity theft or fraud.”
Harm RM Risk of Misuse “misuse of PI about a CO resident has not occurred and is not likely to occur”
Substantial Risk States that include more restrictive language, e.g.:
Risk SR Substantial Risk “significant risk of identity theft”
“a material risk of harm to a consumer”
“a material risk of identity theft”
“substantial economic loss”
“reasonably likely to cause substantial harm”

Charts

Data Breach Notification Triggers: Data Access
Data Breach Notification Triggers: Harm
Data Breach Notification Triggers: Significant Risk