Breach Trigger Analysis
◈ Last edit: April, 2021
◈ 50 State, 3 Territories
◈ Breach Laws Analyzed
Unique data. Hand-curated.
This is an analysis of Data Breach Laws in all 50 U.S. States and plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands. Thanks to Privacy Lawyer Thomas Besore for his assistance.
It focuses all attention on the triggers for breach notification around 1) the breach incident and 2) the harm determination. It does not explore the similarly intricate requirements of which pieces of personal data or PII are required to trigger a breach notification. Look for a future analysis from PrivacyPlan of State PII thresholds.
This dataset breaks out each law into three components; what we call the Data Trigger, the Harm Trigger, and the Significant Risk Trigger. We also document which law laws have an Encryption Safe Harbor and which completely skip the Harm Analysis.
Our chart below also links you to the primary State Statute as well as analyses of those regulations by Baker Hostetler and Perkins Coie.
Data Breach Trigger Analysis
| StateName | Full Trigger | DataTrig | HarmTrig | RiskTrig | Harm* | Encrypt* | State Law Citation | Perkins | Partial Breach Def | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Alabama | AL | 4.9 | 127 | AQ + RH | ACQUIRE | RH | SR | Y | Y | 2018 S.B. 318, Act No. 396 | http://alisondb.legislature.state.al.us/alison/CodeOfAlabama/1975/8-38-2.htm | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-alabama.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=AL | acquired by an unauthorized person, and is reasonably likely to cause substantial harm |
| Alaska | AK | 0.73 | 42 | AQ + RH | ACQUIRE | RH | Y | Y | Alaska Statutes 45.48.010: Personal Information Protection Act | http://law.alaska.gov/department/civil/consumer/4548.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-alaska.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=AK | unauthorized acquisition or reasonable belief of unauthorized acquisition ... [and] reasonable likelihood that harm | |
| Arizona | AZ | 7.28 | 181 | ACQ + $$ | BOTH | $$ | SR | Y | Y | Arizona Revised Statutes 18-545 | https://www.azleg.gov/viewdocument/?docName=https://www.azleg.gov/ars/18/00551.htm | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-arizona.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=AZ | unauthorized acquisition of and access ... [unless] not reasonably likely to result in substantial economic loss to affected individuals. |
| Arkansas | AR | 3.02 | 74 | AQ + RH | ACQUIRE | RH | Y | Y | Arkansas Code 4-110-101: Personal Information Protection Act | https://law.justia.com/codes/arkansas/2010/title-4/subtitle-7/chapter-110/4-110-105/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-arkansas.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=AR | unauthorized acquisition ... [unless] no reasonable likelihood of harm | |
| California | CA | 39.51 | 1777 | AQ | ACQUIRE | N | Y | California Civil Code 1798:29 and 1798:80 | http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.29 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-california.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=CA | unauthorized acquisition | ||
| Colorado | CO | 5.76 | 244 | AQ + RM | ACQUIRE | RM | Y | Y | Colorado Revised Statutes 6-1-716 | https://codes.findlaw.com/co/title-6-consumer-and-commercial-affairs/co-rev-st-sect-6-1-716.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-colorado.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=CO | unauthorized acquisition ... [unless] misuse of PI about a CO resident has not occurred and is not likely to occur. | |
| Connecticut | CT | 3.57 | 191 | ACQ + RH | EITHER | RH | Y | Y | Connecticut General Statutes 36a-701b | https://www.cga.ct.gov/current/pub/chap_669.htm#sec_36a-701b | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-connecticut.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=CO | unauthorized access to or acquisition of... [unless] the breach will not likely result in harm to the individuals whose PI has been acquired and accessed. | |
| Delaware | DE | 0.97 | 50 | AQ + RH | ACQUIRE | RH | Y | Y | Delaware Code Title 6, Chapter 12B | http://delcode.delaware.gov/title6/c012b/index.shtml | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-delaware.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=DE | unauthorized acquisition .. [unless] unlikely to result in harm to affected individuals. | |
| District of Columbia | DC | 0.71 | 189 | AQ | ACQUIRE | N | "rendered secure" | DC Consumer Security Breach Information | https://code.dccouncil.us/dc/council/code/titles/28/chapters/38/subchapters/II/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-district-of-columbia.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=DC | unauthorized acquisition | ||
| Florida | FL | 21.48 | 638 | AC + RID/RH | ACCESS | $$/RID | Y | Y | Fla. Stat. § 501.171 | http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0500-0599/0501/Sections/0501.171.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-florida.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=FL | unauthorized access... [unless] will not likely result in identity theft or any other financial harm to the individuals | |
| Georgia | GA | 10.62 | 365 | AQ | ACQUIRE | N | Y | Georgia Code 10-1-912 | https://codes.findlaw.com/ga/title-10-commerce-and-trade/ga-code-sect-10-1-910.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-georgia.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=GA | unauthorized acquisition | ||
| Guam | GU | 0.16 | ACQ + RID/RF | BOTH | RID/RF | Y | Y | Guam Law Link | http://www.guamcourts.org/CompilerofLaws/GCA/09gca/9gc048.pdf | https://www.bakerlaw.com/datamap_ajax.aspx?statename=GU | accessed and acquired by an unauthorized person and that causes, or the individual or entity reasonably believes has caused or will cause, identity theft or other fraud to any resident of Guam | |||
| Hawaii | HI | 1.42 | 33 | ACQ + RH | BOTH | RH | Y | Y | Hawaii Revised Statutes 487N-1 | https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-hawaii.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=HI | unauthorized access to and acquisition ... where such unauthorized access and acquisition creates a risk of harm to a person | |
| Idaho | ID | 1.79 | 50 | AQ + RM | ACQUIRE | RM | Y | Y | Idaho Code 28-51-104 | https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-idaho.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=ID | an illegal acquisition ... [unless] has not been and will not be misused. | |
| Illinois | IL | 12.67 | 533 | AQ | ACQUIRE | N | Y | 815 ILCS 530: Personal Information Protection Act | http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act. | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-illinois.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=IL | unauthorized acquisition | ||
| Indiana | IN | 6.73 | 269 | AQ + RID/RF | ACQUIRE | RID/RF | Y | Y | Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq. | http://iga.in.gov/legislative/laws/2020/ic/titles/004#4-1-11 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-indiana.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=IN | unauthorized acquisition ... notification not required if the breach has not resulted in and could not result in identity deception, identity theft or fraud. | |
| Iowa | IA | 3.16 | 114 | AQ + RH | ACQUIRE | $$ | Y | Y | Iowa Code 715C.1 | https://www.legis.iowa.gov/docs/code/715c.pdf | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-iowa.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=IN | unauthorized acquisition ... [unless] no reasonable likelihood of financial harm | |
| Kansas | KS | 2.91 | 81 | ACQ + RID | BOTH | RID | Y | Y | Kansas Statutes 50-7a01 | http://www.kslegislature.org/li_2014/b2013_14/statute/050_000_0000_chapter/050_007a_0000_article/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-kansas.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=KS | unauthorized access to and acquisition .... [and] reasonably believes has caused or will cause, identity theft to any consumer | |
| Kentucky | KY | 4.47 | 136 | AQ + RID/RF | ACQUIRE | RID/RF | Y | Y | KY Rev. Stat. §365.732 | https://codes.findlaw.com/ky/title-xxix-commerce-and-trade/ky-rev-st-sect-365-732.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-kentucky.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=KY | unauthorized acquisition ... [and] has caused or will cause, identity theft or fraud against any Kentucky resident. | |
| Louisiana | LA | 4.65 | 83 | ACQ + RH | BOTH | RH | Y | Y | La. Rev. Stat. §§ 51:3071 et seq. | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-louisiana.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=LA | unauthorized acquisition of and access ... [unless] there is no reasonable likelihood of harm to LA residents | ||
| Maine | ME | 1.34 | 69 | AQ + RM | ACQUIRE | RM | Y | Y | 10 Me. Rev. Stat. § 1346 et seq. | http://legislature.maine.gov/statutes/10/title10ch210-Bsec0.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maine.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=ME | unauthorized acquisition, release or use... [unless] there is not a reasonable likelihood that the PI has been or will be misused | |
| Maryland | MD | 6.05 | 285 | AQ + RM | ACQUIRE | RM | Y | Y | Maryland Commercial Code 14-3501 | https://codes.findlaw.com/md/commercial-law/md-code-com-law-sect-14-3501.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maryland.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MD | unauthorized acquisition ... [unless] was not and will not be misused as a result of the breach | |
| Massachusetts | MA | 6.89 | 431 | AQ + RID/RF | ACQUIRE | RID/RF | SR | Y | Y | Massachusetts General Laws 93H, Section 1 | https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-massachusetts.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MA | unauthorized acquisition or unauthorized use... [where] a substantial risk of identity theft or fraud against a MA resident |
| Michigan | MI | 9.99 | 226 | ACQ + RID/$$ | BOTH | $$/RID | SR | Y | Y | Mich. Comp. Laws §§ 445.63, 445.72 | https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-michigan.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MI | unauthorized access and acquisition ... [unless] has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, one or more residents of MI |
| Minnesota | MN | 5.64 | 246 | AQ | ACQUIRE | N | Y | Minnesota Statutes 325E.61 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-minnesota.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MN | unauthorized acquisition | |||
| Mississippi | MS | 2.98 | 41 | AQ + RH | ACQUIRE | RH | Y | Y | Mississippi Code 75-24-29 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=44f0d968-6ef3-4aef-a2db-7ec4c9f0e2c7&nodeid=ABNAAWAABAAQ&nodepath=%2FROOT%2FABN%2FABNAAW%2FABNAAWAAB%2FABNAAWAABAAQ&level=4&haschildren=&populated=false&title=%C2%A7+75-24-29.+Persons+conducting+business+in+Mississippi+required+to+provide+notice+of+a+breach+of+security+involving+personal+information+to+all+affected+individuals%3B+enforcement.&config=00JABhZDIzMTViZS04NjcxLTQ1MDItOTllOS03MDg0ZTQxYzU4ZTQKAFBvZENhdGFsb2f8inKxYiqNVSihJeNKRlUp&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A8P6B-8782-8T6X-74VC-00008-00&ecomp=k5v8kkk&prid=9be20549-c96b-46a9-b338-d9943601c47d | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-mississippi.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MS | unauthorized acquisition ... [unless] will not likely result in harm to the affected individuals | |
| Missouri | MO | 6.14 | 202 | ACQ + RID | BOTH | RID/RF | Y | Y | Missouri Revised Statutes 407.1500 | https://revisor.mo.gov/main/OneSection.aspx?section=407.1500&bid=23329&hl= | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-missouri.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MO | unauthorized access to and unauthorized acquisition ... [unless] a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach | |
| Montana | MT | 1.07 | 72 | AQ + RH | ACQUIRE | $$/RH | Y | Y | Montana Code 30-14-1704 | https://leg.mt.gov/bills/mca_toc/30_14_17.htm | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-montana.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MT | unauthorized acquisition ... [and] s reasonably believed to cause loss or injury to a MT resident | |
| Nebraska | NE | 1.93 | 65 | AQ + RM | ACQUIRE | RM | Y | Y | Nebraska Revised Statutes 87-801 | https://nebraskalegislature.gov/laws/statutes.php?statute=87-802 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-nebraska.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NE | unauthorized acquisition ... [unless] unlikely that PI has been or will be used for an unauthorized purpose | |
| Nevada | NV | 3.08 | 92 | AQ | ACQUIRE | N | Y | Nevada Revised Statutes 603A.010 | https://www.leg.state.nv.us/nrs/nrs-603a.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-nevada.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NV | unauthorized acquisition | ||
| New Hampshire | NH | 1.36 | 104 | AQ + RM | ACQUIRE | RM | Y | Y | New Hampshire Revised Statutes 359-C:20 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-hampshire.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NH | unauthorized acquisition ... [unless] misuse of the information has not occurred and is not reasonably likely to occur | ||
| New Jersey | NJ | 8.88 | 269 | AC + RM | ACCESS | RM | Y | Y | New Jersey Statutes 56:8-163: Identity Theft Prevention Act | https://codes.findlaw.com/nj/title-56-trade-names-trademarks-and-unfair-trade-practices/nj-st-sect-56-8-162.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-jersey.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NJ | unauthorized access... [unless] misuse of the information is not reasonably possible | |
| New Mexico | NM | 2.1 | 68 | AQ + RID/RF | ACQUIRE | RID/RF | SR | Y | Y | New Mexico Data Breach Act - HB 15 | https://nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdf | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-mexico.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NM | unauthorized acquisition ... [unless] the security breach does not give rise to a significant risk of identity theft or fraud |
| New York | NY | 19.45 | 863 | AQ + RM | ACQUIRE | RM | Y | Y | New York General Business Law 899-aa and State Technology Law 208 | https://www.nysenate.gov/legislation/laws/GBS/899-AA | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-york.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NY | unauthorized acquisition or acquisition without valid authorization ... not required if the exposure of private information was an inadvertent disclosure by persons authorized to access private information, and the Entity reasonably determines such exposure will not likely result in misuse of such information, or financial harm to the affected persons or emotional harm in the case of unknown disclosure of online credentials | |
| North Carolina | NC | 10.49 | 290 | ACQ + RH | BOTH | RH | SR | Y | Y | North Carolina General Statutes 75-61 and 75-65 | https://codes.findlaw.com/nc/chapter-75-monopolies-trusts-and-consumer-protection/nc-gen-st-sect-75-65.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-north-carolina.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NC | unauthorized access to and acquisition .... where illegal use of the PI has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer |
| North Dakota | ND | 0.76 | 19 | AQ | ACQUIRE | N | Y | North Dakota Century Code | https://codes.findlaw.com/nd/title-51-sales-and-exchanges/nd-cent-code-sect-51-30-02.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-north-dakota.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=ND | unauthorized acquisition | ||
| Ohio | OH | 11.69 | 361 | ACQ + RID/RF | BOTH | RID/RF | SR | Y | Y | Ohio Revised Code 1349.19 | https://codes.ohio.gov/ohio-revised-code/section-1349.19 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-ohio.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=OH | unauthorized access to and acquisition ... that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of OH |
| Oklahoma | OK | 3.96 | 75 | ACQ + RID/RF | BOTH | RID/RF | Y | Y | 24 Okla. Stat. § 161 et seq. | https://www.bakerlaw.com/webfiles/Privacy/Map/State-Data-Breach-Statute/Oklahoma.pdf | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-oklahoma.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=OK | unauthorized access and acquisition... [unless] reasonably believes has caused or will cause, identity theft or other fraud to any resident of OK | |
| Oregon | OR | 4.22 | 182 | AQ + RH | ACQUIRE | RH | Y | Y | Oregon Revised Statutes 646A.600: Oregon Consumer Identity Theft Protection Act | https://www.oregonlaws.org/ors/646A.604 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-oregon.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=OR | unauthorized acquisition ... [unless] reasonably determines that the breach has not and will not likely result in harm to the individuals whose PI has been acquired and accessed | |
| Pennsylvania | PA | 12.8 | 438 | ACQ + RH | BOTH | RH | Y | Y | Pennsylvania Statutes 73-2301: Breach of Personal Information Notification Act | https://govt.westlaw.com/pac/Document/N5406B1B08C5311DA943797541B5FDE35?viewType=FullText&originationContext=documenttoc&transitionType=CategoryPageItem&contextData=(sc.Default)&bhcp=1 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-pennsylvania.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=PA | unauthorized access and acquisition ... reasonably believes has caused or will cause loss or injury to any resident of PA | |
| Puerto Rico | PR | 3.2 | 33 | AC | ACCESS | N | Y | 10 P.R. Laws Ann. §§ 4051–4055 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=3dae5e3e-ddd2-49bf-8535-aadcdeb8fb71&nodeid=AAMAADABGAAB&nodepath=%2FROOT%2FAAM%2FAAMAAD%2FAAMAADABG%2FAAMAADABGAAB&level=4&haschildren=&populated=false&title=%C2%A7+4051.+Definitions&config=00JABkODU1MGI4OC1hMmRkLTQ2MGYtOGY1NS03YjVjOWM4YjJlZjAKAFBvZENhdGFsb2d0HiKld62itjBDGzN8H7lV&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A5D6S-8B41-66SD-80SR-00008-00&ecomp=k5v8kkk&prid=80ede612-e1e6-4866-a3e4-ff35f4f52440 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-puerto-rico.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=RI | access has been permitted to unauthorized persons or entities... or when normally authorized persons or entities have had access and it is known or there is reasonable suspicion that they have violated the professional confidentiality or obtained authorization under false representation with the intention of making illegal use of the information | ||
| Rhode Island | RI | 1.06 | 67 | ACQ + RID | EITHER | RID | SR | Y | Y | Rhode Island General Laws 11-49.3 | http://webserver.rilin.state.ri.us/Statutes/TITLE11/11-49.3/11-49.3-4.HTM | https://www.perkinscoie.com/en/news-insights/rhode-island.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=RI | Unauthorized access or acquisition ... which poses a significant risk of identity theft to any resident of RI |
| South Carolina | SC | 5.15 | 102 | ACQ + RH | BOTH | RH | SR | Y | Y | South Carolina Code 39-1-90 | https://www.scstatehouse.gov/query.php?search=DOC&searchtext=SECTION%2039%201%2090&category=CODEOFLAWS&conid=36689925&result_pos=0&keyval=17283&numrows=10 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-south-carolina.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=SC | unauthorized access to and acquisition ... when the illegal use of the information has occurred or is reasonably likely to occur or use of the information creates a material risk of harm to the resident |
| South Dakota | SD | 0.88 | 21 | AQ + RH | ACQUIRE | RH | Y | Y | South Dakota’s Senate Bill 62 | https://sdlegislature.gov/Statutes/Codified_Laws/2047702 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-south-dakota.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=SD | unauthorized acquisition ... [unless] reasonably believes the incident will not result in harm to affected individuals. | |
| Tennessee | TN | 6.83 | 223 | AQ | ACQUIRE | SR | Mixed | Y | Tennessee Code 47-18-2107 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=ae167118-3d03-4a8c-af3c-83c6191bfd5e&nodeid=ABVAAUAAVAAH&nodepath=%2FROOT%2FABV%2FABVAAU%2FABVAAUAAV%2FABVAAUAAVAAH&level=4&haschildren=&populated=false&title=47-18-2107.+Release+of+personal+consumer+information.&config=025054JABlOTJjNmIyNi0wYjI0LTRjZGEtYWE5ZC0zNGFhOWNhMjFlNDgKAFBvZENhdGFsb2cDFQ14bX2GfyBTaI9WcPX5&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A4X8K-XB40-R03J-K1K5-00008-00&ecomp=f38_kkk&prid=1ebbe805-18ab-4aae-92e0-ec985d915ffa | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-tennessee.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=TN | acquisition of by an unauthorized person ... that materially compromises the security, confidentiality, or integrity of PI | |
| Texas | TX | 29 | 819 | AQ | ACQUIRE | N | Y | Texas Business and Commerce Code 521.002 and 521.053 | https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm#521.002 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-texas.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=TX | unauthorized acquisition | ||
| Utah | UT | 3.21 | 117 | AQ + RID/RF | ACQUIRE | RID/RF | Y | Y | Utah Code 13-44-101, 13-44-202 and 13-44-301: Protection of Personal Information Act | https://le.utah.gov/xcode/Title13/Chapter44/C13-44_1800010118000101.pdf | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-utah.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=UT | unauthorized acquisition ... [unless] unlikely that PI has been or will be misused for identity theft or fraud. | |
| Vermont | VT | 0.62 | 82 | AQ + RID/RF | ACQUIRE | RID/RF | Y | Y | Vermont Statutes Annotated 9-2430 and 2435 | https://legislature.vermont.gov/statutes/section/09/062/02435 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-vermont.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=VT | unauthorized acquisition ... [if] misuse of PI for identity theft or fraud has occurred, or is reasonably likely to occur | |
| Virgin Islands | VI | 0.11 | AQ | ACQUIRE | N | Y | V.I. Code tit. 14, §§ 2208, 2209 | https://advance.lexis.com/container?config=024453JABiMWFjOTk0OS1hNTVlLTQ1MDctYmZkOS1mNGRkY2I0ZTg2YzQKAFBvZENhdGFsb2fNaUTUAugmXPqNctTcuqLy&crid=64f20113-6ffc-44f5-b260-1e5fdea78634 | https://www.bakerlaw.com/datamap_ajax.aspx?statename=VI | unauthorized acquisition | ||||
| Virginia | VI | 8.54 | 359 | ACQ + RID/RF | BOTH | RID/RF | Y | Y | Virginia Code 18.2-186.6 and 32.1-127.1:05 | http://law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-virginia.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=VI | unauthorized access and acquisition ...reasonably believes has caused, or will cause, identity theft or other fraud to any resident of VA. | |
| Washington | WA | 7.61 | 299 | AQ + RH | ACQUIRE | RH | Y | Y | Washington Revised Code 19.255.010 | https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-washington.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=WA | unauthorized acquisition ... [unless] not reasonably likely to subject consumers to a risk of harm | |
| West Virginia | WV | 1.79 | 30 | ACQ + RID/RF | BOTH | RID/RF | Y | Y | West Virginia Code 46A-2A-101 | http://www.wvlegislature.gov/WVCODE/Code.cfm?chap=46a&art=2A#2A | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-west-virginia.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=WV | unauthorized access and acquisition ... reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of WV | |
| Wisconsin | WI | 5.82 | 163 | AQ + RID/RF | ACQUIRE | RID/RF | Y | Y | Wisconsin Statutes 134.98 | https://docs.legis.wisconsin.gov/statutes/statutes/134/98 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-wisconsin.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=WI | acquired by a person whom the Entity has not authorized... [unless] the acquisition of PI does not create a material risk of identity theft or fraud to the subject of the PI | |
| Wyoming | WY | 0.58 | 22 | AQ + $$/RH | ACQUIRE | $$/RH | Y | N | Wyoming Statutes 40-12-501 | https://codes.findlaw.com/wy/title-40-trade-and-commerce/wy-st-sect-40-12-501.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-wyoming.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=WY | unauthorized acquisition ... and causes or is reasonably believed to cause loss or injury to a resident of WY. |
Legend
Harm* indicates that a Harm analysis is or is not required.
Encrypt* indicates that an encryption safe harbor provision is or is not present.
Partial Breach Def* grabs small chunks of language from the state breach law or an analysis thereof.
| Data Triggers | States take 1 of 3 approaches: | ||
| Data | ACCESS | Access | “unauthorized access” |
| Data | ACQUIRE | Acquisition | “unauthorized acquisition” |
| Data | BOTH | Access & Acquisition | “unauthorized acquisition of and access” |
| Data | EITHER | Access or Acquisition | “unauthorized access to or acquisition of” |
| Harm Triggers | Some States require specif harms before customer notification is required | ||
| Harm | $$ | Risk of Economic Loss | “reasonably likely to result in substantial economic loss to affected individuals” |
| Harm | $$/RH | Risk of Loss, Risk of Harm | “reasonably believed to cause loss or injury to a resident” |
| Harm | $$/RID | Risk of Identity Theft, Risk of Loss | “likely result in identity theft or any other financial harm to the individuals” |
| Harm | RH | Risk of Harm | “reasonable likelihood of harm” |
| Harm | RID | Risk of Identity Theft | “has caused or will cause, identity theft to any consumer” |
| Harm | RID/RF | Risk of Identity Theft, Risk of Fraud | “PI has been or will be misused for identity theft or fraud.” |
| Harm | RM | Risk of Misuse | “misuse of PI about a CO resident has not occurred and is not likely to occur” |
| Substantial Risk | States that include more restrictive language, e.g.: | ||
| Risk | SR | Substantial Risk | “significant risk of identity theft” |
| “a material risk of harm to a consumer” | |||
| “a material risk of identity theft” | |||
| “substantial economic loss” | |||
| “reasonably likely to cause substantial harm” |
Charts
