Potential Facebook Breach Fine by State
◈ Last edit: April, 2021
◈ 50 State, 3 Territories
◈ Breach Laws Analyzed

Unique data. Hand-curated.
In early April of 2021, it was reported that Facebook had a major breach of the data belonging to 533 million users. Facebook argues that this wasn’t a breach but rather a scrape from a previously patched API in 2019. This dataset analyzes State Data Breach Laws and the fine components thereof, looking for potential fines. Based on the way States define PII and public data, it’s unlikely Facebook will even be fined for this breach.
But what if it did meet those criteria? What how big of a fine would current laws allow?
We calculated potential fines to Facebook IF their latest breach fit under current data state breach regulations. This is our analysis.
⚫ We found 35 states with specific fines specified in legislation.
⚫ If we add up the max fines of those states, Facebook might be fined as much as $24B.
⚫ California alone might fine FB $20B based on fines listed in AB-375. It specifies $750 in fines per resident. We estimate 27.5M California FB users implicated in the breach.
⚫ Other states have the ability to fine FB based on AG action. If we add in specified fines from AG action, that number rises to $89.7B. This number still omits 18 states that would be fining FB zero (and 20 States fining under $1M) who could still bring AG action, we simply don’t have a way to quantify it.
⚫ Note: There is always a lot of nuance in law and I’m not a lawyer. I am however a certified privacy expert. I’ve been studying data breach statutes with Thomas Besore for another project. We are speculating that States might apply max fines to Facebook. Obviously, this isn’t going to happen. While we believe FB is in the wrong for not reporting the breach, that the incident is certainly a breach in any real-world sense of the word, and that the data breached is personal, it does not actually meet the letter of the law requirements under the information we reviewed without some imagination. As well, this particular set of information is much less damaging to consumers than say the Equifax breach, which coalesced State AGs to action.
State Data Breach Fine Info and Potential Facebook Liability
State | Est FB Users | FB Statutory Fine | Fine | Per | Cap | State Law Citation | Perkins | CSRPS | DWT | Lewis Brisbois | Note | ||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Alabama | 3,176,756 | $3,000,000 | $5,000 | Day | 2018 S.B. 318, Act No. 396 | http://alisondb.legislature.state.al.us/alison/CodeOfAlabama/1975/8-38-2.htm | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-alabama.html | https://csrcyberprivacy.com/privacy-regulations/alabama | https://www.dwt.com/gcp/states/alabama/ | https://lewisbrisbois.com/privacy/US/Alabama/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=AL | ||
Alaska | 565,486 | $50,000 | $500 | Resident | $50,000 | Alaska Statutes 45.48.010: Personal Information Protection Act | http://law.alaska.gov/department/civil/consumer/4548.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-alaska.html | https://csrcyberprivacy.com/privacy-regulations/alaska | https://www.dwt.com/gcp/states/alaska/ | https://lewisbrisbois.com/privacy/US/Alaska/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=AK | |
Arizona | 4,143,428 | $500,000 | $10,000 | Individual | $500,000 | Arizona Revised Statutes 18-545 | https://www.azleg.gov/viewdocument/?docName=https://www.azleg.gov/ars/18/00551.htm | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-arizona.html | https://csrcyberprivacy.com/privacy-regulations/arizona | https://www.dwt.com/gcp/states/arizona/ | https://lewisbrisbois.com/privacy/US/Arizona/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=AZ | |
Arkansas | 2,086,492 | Arkansas Code 4-110-101: Personal Information Protection Act | https://law.justia.com/codes/arkansas/2010/title-4/subtitle-7/chapter-110/4-110-105/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-arkansas.html | https://csrcyberprivacy.com/privacy-regulations/arkansas | https://www.dwt.com/gcp/states/arkansas/ | https://lewisbrisbois.com/privacy/US/Arkansas/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=AR | |||||
California | 27,511,839 | $20,633,879,138 | $750 | Consumer/ Incident | California Civil Code 1798:29 and 1798:80 | http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.29 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-california.html | https://csrcyberprivacy.com/privacy-regulations/california | https://www.dwt.com/gcp/states/california/ | https://lewisbrisbois.com/privacy/US/California/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=CA | Cal AB-375 | |
Colorado | 3,849,722 | Colorado Revised Statutes 6-1-716 | https://codes.findlaw.com/co/title-6-consumer-and-commercial-affairs/co-rev-st-sect-6-1-716.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-colorado.html | https://csrcyberprivacy.com/privacy-regulations/colorado | https://www.dwt.com/gcp/states/colorado/ | https://lewisbrisbois.com/privacy/US/Colorado/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=CO | Civil fines. Action for compliance and/or economic damages | ||||
Connecticut | 2,451,400 | Connecticut General Statutes 36a-701b | https://www.cga.ct.gov/current/pub/chap_669.htm#sec_36a-701b | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-connecticut.html | https://csrcyberprivacy.com/privacy-regulations/connecticut | https://www.dwt.com/gcp/states/connecticut/ | https://lewisbrisbois.com/privacy/US/Connecticut/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=CO | Civil fines. Civil penalties of up to $5,000 | ||||
Delaware | 534,728 | Delaware Code Title 6, Chapter 12B | http://delcode.delaware.gov/title6/c012b/index.shtml | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-delaware.html | https://csrcyberprivacy.com/privacy-regulations/delaware | https://www.dwt.com/gcp/states/delaware/ | https://lewisbrisbois.com/privacy/US/Delaware/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=DE | Civil fines. Penalties and/or civil relief may apply | ||||
District of Columbia | 2,217,686 | $221,768,600 | $100 | Violation | DC Consumer Security Breach Information | https://code.dccouncil.us/dc/council/code/titles/28/chapters/38/subchapters/II/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-district-of-columbia.html | https://csrcyberprivacy.com/privacy-regulations/washington-d-c/ | https://www.dwt.com/gcp/states/district-of-columbia/ | https://lewisbrisbois.com/privacy/US/District%20of%20Columbia/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=DC | ||
Florida | 13,751,385 | $500,000 | $1,000 | Day | $500,000 | Fla. Stat. § 501.171 | http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0500-0599/0501/Sections/0501.171.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-florida.html | https://csrcyberprivacy.com/privacy-regulations/florida | https://www.dwt.com/gcp/states/florida/ | https://lewisbrisbois.com/privacy/US/Florida/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=FL | Up to $1K per day for each day, up to the first 30 days, following a violation and $50K for each subsequent 30-day period or a portion thereof for up to 180 days. If the vio exceeds 180 days, penalties not to exceed $500K |
Georgia | 7,902,957 | Georgia Code 10-1-912 | https://codes.findlaw.com/ga/title-10-commerce-and-trade/ga-code-sect-10-1-910.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-georgia.html | https://csrcyberprivacy.com/privacy-regulations/georgia | https://www.dwt.com/gcp/states/georgia/ | https://lewisbrisbois.com/privacy/US/Georgia/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=GA | |||||
Guam | $150,000 | $150,000 | Breach | Guam Law Link | http://www.guamcourts.org/CompilerofLaws/GCA/09gca/9gc048.pdf | https://www.dwt.com/gcp/states/guam/ | https://lewisbrisbois.com/privacy/US/Guam/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=GU | |||||
Hawaii | 1,004,298 | $2,510,745,750 | $2,500 | Violation | Hawaii Revised Statutes 487N-1 | https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-hawaii.html | https://csrcyberprivacy.com/privacy-regulations/hawaii | https://www.dwt.com/gcp/states/hawaii/ | https://lewisbrisbois.com/privacy/US/Hawaii/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=HI | Civil fines. The Attorney General may seek injunctive relief, a $5,000 penalty for each violation, and reasonable costs and attorneys’ fees. | |
Idaho | 944,219 | $25,000 | $25,000 | Breach | Idaho Code 28-51-104 | https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-idaho.html | https://csrcyberprivacy.com/privacy-regulations/idaho | https://www.dwt.com/gcp/states/idaho/ | https://lewisbrisbois.com/privacy/US/Idaho/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=ID | ||
Illinois | 10,186,974 | $50,000 | $100 | Person | $50,000 | 815 ILCS 530: Personal Information Protection Act | http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act. | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-illinois.html | https://csrcyberprivacy.com/privacy-regulations/illinois | https://www.dwt.com/gcp/states/illinois/ | https://lewisbrisbois.com/privacy/US/Illinois/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=IL | |
Indiana | 4,403,263 | $150,000 | $150,000 | Deceptive Act | Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq. | http://iga.in.gov/legislative/laws/2020/ic/titles/004#4-1-11 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-indiana.html | https://csrcyberprivacy.com/privacy-regulations/indiana | https://www.dwt.com/gcp/states/indiana/ | https://lewisbrisbois.com/privacy/US/Indiana/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=IN | ||
Iowa | 2,204,919 | $150,000 | $150,000 | Violation | Iowa Code 715C.1 | https://www.legis.iowa.gov/docs/code/715c.pdf | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-iowa.html | https://csrcyberprivacy.com/privacy-regulations/iowa | https://www.dwt.com/gcp/states/iowa/ | https://lewisbrisbois.com/privacy/US/Iowa/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=IN | Civil fines. A civil penalty of not more than $150,000 per deceptive act. | |
Kansas | 2,565,425 | Kansas Statutes 50-7a01 | http://www.kslegislature.org/li_2014/b2013_14/statute/050_000_0000_chapter/050_007a_0000_article/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-kansas.html | https://csrcyberprivacy.com/privacy-regulations/kansas | https://www.dwt.com/gcp/states/kansas/ | https://lewisbrisbois.com/privacy/US/Kansas/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=KS | Civil fines. Attorney general may bring an action | ||||
Kentucky | 2,918,065 | $2,000 | $2,000 | KY Rev. Stat. §365.732 | https://codes.findlaw.com/ky/title-xxix-commerce-and-trade/ky-rev-st-sect-365-732.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-kentucky.html | https://csrcyberprivacy.com/privacy-regulations/kentucky | https://www.dwt.com/gcp/states/kentucky/ | https://lewisbrisbois.com/privacy/US/Kentucky/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=KY | |||
Louisiana | 7,902,957 | $3,000,000 | $5,000 | Day | La. Rev. Stat. §§ 51:3071 et seq. | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-louisiana.html | https://csrcyberprivacy.com/privacy-regulations/louisiana | https://www.dwt.com/gcp/states/louisiana/ | https://lewisbrisbois.com/privacy/US/Louisiana/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=LA | After the first 10 days (lang in bill is Violations, but violations are days) | ||
Maine | 988,361 | $1,500,000 | $2,500 | Day | 10 Me. Rev. Stat. § 1346 et seq. | http://legislature.maine.gov/statutes/10/title10ch210-Bsec0.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maine.html | https://csrcyberprivacy.com/privacy-regulations/maine | https://www.dwt.com/gcp/states/maine/ | https://lewisbrisbois.com/privacy/US/Maine/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=ME | ||
Maryland | 3,776,054 | Maryland Commercial Code 14-3501 | https://codes.findlaw.com/md/commercial-law/md-code-com-law-sect-14-3501.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maryland.html | https://csrcyberprivacy.com/privacy-regulations/maryland | https://www.dwt.com/gcp/states/maryland/ | https://lewisbrisbois.com/privacy/US/Maryland/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MD | Civil fines. Constitutes an unfair trade practice | ||||
Massachusetts | 5,418,861 | $27,094,305,750 | $5,000 | Violation | Massachusetts General Laws 93H, Section 1 | https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-massachusetts.html | https://csrcyberprivacy.com/privacy-regulations/massachusetts | https://www.dwt.com/gcp/states/massachusetts/ | https://lewisbrisbois.com/privacy/US/Massachusetts/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MA | Civil fines. The Attorney General may seek injunctive relief, a $5,000 penalty for each violation, and reasonable costs and attorneys’ fees. | |
Michigan | 6,791,972 | $750,000 | $250 | Failed Notice | $750,000 | Mich. Comp. Laws §§ 445.63, 445.72 | https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-michigan.html | https://csrcyberprivacy.com/privacy-regulations/michigan | https://www.dwt.com/gcp/states/michigan/ | https://lewisbrisbois.com/privacy/US/Michigan/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MI | |
Minnesota | 3,795,219 | $25,000 | $25,000 | Minnesota Statutes 325E.61 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-minnesota.html | https://csrcyberprivacy.com/privacy-regulations/minnesota | https://www.dwt.com/gcp/states/minnesota/ | https://lewisbrisbois.com/privacy/US/Minnesota/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MN | Attorney General shall enforce this section by seeking injunctive relief and/or a civil penalty for the state not to exceed $25,000. | |||
Mississippi | 1,895,981 | Mississippi Code 75-24-29 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=44f0d968-6ef3-4aef-a2db-7ec4c9f0e2c7&nodeid=ABNAAWAABAAQ&nodepath=%2FROOT%2FABN%2FABNAAW%2FABNAAWAAB%2FABNAAWAABAAQ&level=4&haschildren=&populated=false&title=%C2%A7+75-24-29.+Persons+conducting+business+in+Mississippi+required+to+provide+notice+of+a+breach+of+security+involving+personal+information+to+all+affected+individuals%3B+enforcement.&config=00JABhZDIzMTViZS04NjcxLTQ1MDItOTllOS03MDg0ZTQxYzU4ZTQKAFBvZENhdGFsb2f8inKxYiqNVSihJeNKRlUp&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A8P6B-8782-8T6X-74VC-00008-00&ecomp=k5v8kkk&prid=9be20549-c96b-46a9-b338-d9943601c47d | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-mississippi.html | https://csrcyberprivacy.com/privacy-regulations/mississippi | https://www.dwt.com/gcp/states/mississippi/ | https://lewisbrisbois.com/privacy/US/Mississippi/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MS | Civil fines. Constitutes an unfair trade practice | ||||
Missouri | 4,860,712 | $150,000 | $150,000 | Breach | Missouri Revised Statutes 407.1500 | https://revisor.mo.gov/main/OneSection.aspx?section=407.1500&bid=23329&hl= | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-missouri.html | https://csrcyberprivacy.com/privacy-regulations/missouri | https://www.dwt.com/gcp/states/missouri/ | https://lewisbrisbois.com/privacy/US/Missouri/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MO | ||
Montana | 621,428 | $10,000 | $10,000 | Montana Code 30-14-1704 | https://leg.mt.gov/bills/mca_toc/30_14_17.htm | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-montana.html | https://csrcyberprivacy.com/privacy-regulations/montana | https://www.dwt.com/gcp/states/montana/ | https://lewisbrisbois.com/privacy/US/Montana/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MT | |||
Nebraska | 1,392,892 | Nebraska Revised Statutes 87-801 | https://nebraskalegislature.gov/laws/statutes.php?statute=87-802 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-nebraska.html | https://csrcyberprivacy.com/privacy-regulations/nebraska | https://www.dwt.com/gcp/states/nebraska/ | https://lewisbrisbois.com/privacy/US/Nebraska/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NE | Civil fines. Award of direct economic damages | ||||
Nevada | 1,934,077 | Nevada Revised Statutes 603A.010 | https://www.leg.state.nv.us/nrs/nrs-603a.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-nevada.html | https://csrcyberprivacy.com/privacy-regulations/nevada | https://www.dwt.com/gcp/states/nevada/ | https://lewisbrisbois.com/privacy/US/Nevada/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NV | Civil fines. Attorney general may bring an action | ||||
New Hampshire | 1,002,860 | $10,000 | New Hampshire Revised Statutes 359-C:20 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-hampshire.html | https://csrcyberprivacy.com/privacy-regulations/new-hampshire | https://www.dwt.com/gcp/states/new-hampshire/ | https://lewisbrisbois.com/privacy/US/New%20Hampshire/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NH | Civil fines. Up to $10,000 in civil penalties for each violation. Up to triple damages | ||||
New Jersey | 6,788,479 | New Jersey Statutes 56:8-163: Identity Theft Prevention Act | https://codes.findlaw.com/nj/title-56-trade-names-trademarks-and-unfair-trade-practices/nj-st-sect-56-8-162.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-jersey.html | https://csrcyberprivacy.com/privacy-regulations/new-jersey | https://www.dwt.com/gcp/states/new-jersey/ | https://lewisbrisbois.com/privacy/US/New%20Jersey/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NJ | Civil fines. Unlawful practice, violation of N.J. STAT. ANN. §§ 56:8-1, et seq. to willfully, knowingly or recklessly violate this data breach notification law. Remedies apply to violations of data breach notification law. Up to triple damages | ||||
New Mexico | 1,054,340 | $150,000 | $10 | Failed Notify | $150,000 | New Mexico Data Breach Act - HB 15 | https://nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdf | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-mexico.html | https://csrcyberprivacy.com/privacy-regulations/new-mexico | https://www.dwt.com/gcp/states/new-mexico/ | https://lewisbrisbois.com/privacy/US/New%20Mexico/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NM | The court may levy a civil penalty of the greater of $25,000. In the event of failed notification, fines in the amount of $10.00 (ten dollars) per violation to a maximum of $150,000 |
New York | 15,580,741 | $150,000 | $10 | Resident | $150,000 | New York General Business Law 899-aa and State Technology Law 208 | https://www.nysenate.gov/legislation/laws/GBS/899-AA | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-york.html | https://csrcyberprivacy.com/privacy-regulations/new-york | https://www.dwt.com/gcp/states/new-york/ | https://lewisbrisbois.com/privacy/US/New%20York/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NY | |
North Carolina | 6,669,934 | $33,349,671,250 | $5,000 | Incident (Injured Party) | North Carolina General Statutes 75-61 and 75-65 | https://codes.findlaw.com/nc/chapter-75-monopolies-trusts-and-consumer-protection/nc-gen-st-sect-75-65.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-north-carolina.html | https://csrcyberprivacy.com/privacy-regulations/north-carolina | https://www.dwt.com/gcp/states/north-carolina/ | https://lewisbrisbois.com/privacy/US/North%20Carolina/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NC | Civil fines. An individual injured as a result of a violation of this section may institute a civil action. Damages are set at $5,000 per incident, and provide for treble damages within this range. Injunctive relief is also available. | |
North Dakota | 550,048 | $2,750,241,750 | $5,000 | Violation | North Dakota Century Code | https://codes.findlaw.com/nd/title-51-sales-and-exchanges/nd-cent-code-sect-51-30-02.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-north-dakota.html | https://csrcyberprivacy.com/privacy-regulations/north-dakota | https://www.dwt.com/gcp/states/north-dakota/ | https://lewisbrisbois.com/privacy/US/North%20Dakota/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=ND | Civil fines. AG may impose a civil penalty of not more than $5K for each vio. Remedies, duties, prohibitions and penalties under this particular law are not exclusive. | |
Ohio | 8,368,800 | $5,430,000 | $1,000 | Day | 10K/Day | Ohio Revised Code 1349.19 | https://codes.ohio.gov/ohio-revised-code/section-1349.19 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-ohio.html | https://csrcyberprivacy.com/privacy-regulations/ohio | https://www.dwt.com/gcp/states/ohio/ | https://lewisbrisbois.com/privacy/US/Ohio/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=OH | A fine of up to $1,000 per day for the first 60 days of noncompliance o The fine raises to $5,000 per day after 60 days of noncompliance o The fine then raises to $10,000 per day after 90 days of noncompliance |
Oklahoma | 2,471,622 | $150,000 | $150,000 | Breach | 24 Okla. Stat. § 161 et seq. | https://www.bakerlaw.com/webfiles/Privacy/Map/State-Data-Breach-Statute/Oklahoma.pdf | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-oklahoma.html | https://csrcyberprivacy.com/privacy-regulations/oklahoma | https://www.dwt.com/gcp/states/oklahoma/ | https://lewisbrisbois.com/privacy/US/Oklahoma/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=OK | limited to $150,000 per breach of a system or a series of breaches of the same nature discovered in the course of a single investigation | |
Oregon | 2,713,760 | $500,000 | $1,000 | Violation | $500,000 | Oregon Revised Statutes 646A.600: Oregon Consumer Identity Theft Protection Act | https://www.oregonlaws.org/ors/646A.604 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-oregon.html | https://csrcyberprivacy.com/privacy-regulations/oregon | https://www.dwt.com/gcp/states/oregon/ | https://lewisbrisbois.com/privacy/US/Oregon/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=OR | |
Pennsylvania | 9,085,410 | Pennsylvania Statutes 73-2301: Breach of Personal Information Notification Act | https://govt.westlaw.com/pac/Document/N5406B1B08C5311DA943797541B5FDE35?viewType=FullText&originationContext=documenttoc&transitionType=CategoryPageItem&contextData=(sc.Default)&bhcp=1 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-pennsylvania.html | https://csrcyberprivacy.com/privacy-regulations/pennsylvania | https://www.dwt.com/gcp/states/pennsylvania/ | https://lewisbrisbois.com/privacy/US/Pennsylvania/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=PA | Civil fines. Constitutes an unfair trade practice | ||||
Puerto Rico | $5,000 | $500 | $5,000 | 10 P.R. Laws Ann. §§ 4051–4055 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=3dae5e3e-ddd2-49bf-8535-aadcdeb8fb71&nodeid=AAMAADABGAAB&nodepath=%2FROOT%2FAAM%2FAAMAAD%2FAAMAADABG%2FAAMAADABGAAB&level=4&haschildren=&populated=false&title=%C2%A7+4051.+Definitions&config=00JABkODU1MGI4OC1hMmRkLTQ2MGYtOGY1NS03YjVjOWM4YjJlZjAKAFBvZENhdGFsb2d0HiKld62itjBDGzN8H7lV&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A5D6S-8B41-66SD-80SR-00008-00&ecomp=k5v8kkk&prid=80ede612-e1e6-4866-a3e4-ff35f4f52440 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-puerto-rico.html | https://www.dwt.com/gcp/states/puerto-rico/ | https://lewisbrisbois.com/privacy/US/Puerto%20Rico/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=RI | ||||
Rhode Island | 911,640 | $182,328,070 | $200 | Record | Rhode Island General Laws 11-49.3 | http://webserver.rilin.state.ri.us/Statutes/TITLE11/11-49.3/11-49.3-4.HTM | https://www.perkinscoie.com/en/news-insights/rhode-island.html | https://csrcyberprivacy.com/privacy-regulations/rhode-island | https://www.dwt.com/gcp/states/rhode-island/ | https://lewisbrisbois.com/privacy/US/Rhode%20Island/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=RI | ||
South Carolina | 2,944,216 | $2,944,215,900 | $1,000 | Resident | South Carolina Code 39-1-90 | https://www.scstatehouse.gov/query.php?search=DOC&searchtext=SECTION%2039%201%2090&category=CODEOFLAWS&conid=36689925&result_pos=0&keyval=17283&numrows=10 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-south-carolina.html | https://csrcyberprivacy.com/privacy-regulations/south-carolina | https://www.dwt.com/gcp/states/south-carolina/ | https://lewisbrisbois.com/privacy/US/South%20Carolina/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=SC | ||
South Dakota | 614,589 | $6,000,000 | $10,000 | Day/Vio | South Dakota’s Senate Bill 62 | https://sdlegislature.gov/Statutes/Codified_Laws/2047702 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-south-dakota.html | https://csrcyberprivacy.com/privacy-regulations/south-dakota | https://www.dwt.com/gcp/states/south-dakota/ | https://lewisbrisbois.com/privacy/US/South%20Dakota/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=SD | ||
Tennessee | 4,454,039 | $10,000 | Tennessee Code 47-18-2107 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=ae167118-3d03-4a8c-af3c-83c6191bfd5e&nodeid=ABVAAUAAVAAH&nodepath=%2FROOT%2FABV%2FABVAAU%2FABVAAUAAV%2FABVAAUAAVAAH&level=4&haschildren=&populated=false&title=47-18-2107.+Release+of+personal+consumer+information.&config=025054JABlOTJjNmIyNi0wYjI0LTRjZGEtYWE5ZC0zNGFhOWNhMjFlNDgKAFBvZENhdGFsb2cDFQ14bX2GfyBTaI9WcPX5&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A4X8K-XB40-R03J-K1K5-00008-00&ecomp=f38_kkk&prid=1ebbe805-18ab-4aae-92e0-ec985d915ffa | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-tennessee.html | https://csrcyberprivacy.com/privacy-regulations/tennessee | https://www.dwt.com/gcp/states/tennessee/ | https://lewisbrisbois.com/privacy/US/Tennessee/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=TN | Civil fines. A violation can subject the violator to a civil penalty of $10,000; $5,000 per day that a person’s identity has been assumed; or 10X amount obtained or attempted to be obtained through the ID theft, whichever greater. | |||
Texas | 17,506,189 | $250,000 | $100 | Person/Day | $250,000 | Texas Business and Commerce Code 521.002 and 521.053 | https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm#521.002 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-texas.html | https://csrcyberprivacy.com/privacy-regulations/texas | https://www.dwt.com/gcp/states/texas/ | https://lewisbrisbois.com/privacy/US/Texas/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=TX | $100 for each individual to whom notification is due for each consecutive day the person fails to take reasonable action to notify. Max penalty: $250,000 for a single breach. AG may bring a civil suit. Max $50,000 for each vio. |
Utah | 1,995,242 | $100,000 | $2,500 | Consumer | $100,000 | Utah Code 13-44-101, 13-44-202 and 13-44-301: Protection of Personal Information Act | https://le.utah.gov/xcode/Title13/Chapter44/C13-44_1800010118000101.pdf | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-utah.html | https://csrcyberprivacy.com/privacy-regulations/utah | https://www.dwt.com/gcp/states/utah/ | https://lewisbrisbois.com/privacy/US/Utah/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=UT | |
Vermont | 490,145 | $10,000 | $10,000 | Vermont Statutes Annotated 9-2430 and 2435 | https://legislature.vermont.gov/statutes/section/09/062/02435 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-vermont.html | https://csrcyberprivacy.com/privacy-regulations/vermont | https://www.dwt.com/gcp/states/vermont/ | https://lewisbrisbois.com/privacy/US/Vermont/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=VT | civil penalties of up to $10,000 for each violation committed | ||
Virgin Islands | V.I. Code tit. 14, §§ 2208, 2209 | https://advance.lexis.com/container?config=024453JABiMWFjOTk0OS1hNTVlLTQ1MDctYmZkOS1mNGRkY2I0ZTg2YzQKAFBvZENhdGFsb2fNaUTUAugmXPqNctTcuqLy&crid=64f20113-6ffc-44f5-b260-1e5fdea78634 | https://www.dwt.com/gcp/states/virgin-islands/ | https://lewisbrisbois.com/privacy/US/US%20Virgin%20Islands/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=VI | ||||||||
Virginia | 5,244,933 | $150,000 | $150,000 | Virginia Code 18.2-186.6 and 32.1-127.1:05 | http://law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-virginia.html | https://csrcyberprivacy.com/privacy-regulations/virginia | https://www.dwt.com/gcp/states/virginia/ | https://lewisbrisbois.com/privacy/US/Virginia/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=VI | may not exceed $150,000 for every breach of security in the system, or for a set of similar breaches that were all discovered at the same time during the investigation process | ||
Washington | 5,711,217 | Washington Revised Code 19.255.010 | https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-washington.html | https://csrcyberprivacy.com/privacy-regulations/washington | https://www.dwt.com/gcp/states/washington/ | https://lewisbrisbois.com/privacy/US/Washington/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=WA | Civil fines. Consumer & attorney general may bring an action | ||||
West Virginia | 1,132,528 | $150,000 | $150,000 | West Virginia Code 46A-2A-101 | http://www.wvlegislature.gov/WVCODE/Code.cfm?chap=46a&art=2A#2A | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-west-virginia.html | https://csrcyberprivacy.com/privacy-regulations/west-virginia | https://www.dwt.com/gcp/states/west-virginia/ | https://lewisbrisbois.com/privacy/US/West%20Virginia/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=WV | max penalty of $150,000 per breach of security for civil action cases | ||
Wisconsin | 3,965,361 | Wisconsin Statutes 134.98 | https://docs.legis.wisconsin.gov/statutes/statutes/134/98 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-wisconsin.html | https://csrcyberprivacy.com/privacy-regulations/wisconsin | https://www.dwt.com/gcp/states/wisconsin/ | https://lewisbrisbois.com/privacy/US/Wisconsin/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=WI | Civil fines. May be evidence of negligence/breach of legal duty | ||||
Wyoming | 369,839 | Wyoming Statutes 40-12-501 | https://codes.findlaw.com/wy/title-40-trade-and-commerce/wy-st-sect-40-12-501.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-wyoming.html | https://csrcyberprivacy.com/privacy-regulations/wyoming | https://www.dwt.com/gcp/states/wyoming/ | https://lewisbrisbois.com/privacy/US/Wyoming/data-breach | https://www.bakerlaw.com/datamap_ajax.aspx?statename=WY | Civil fines. Attorney general may bring an action |