Potential Facebook Breach Fine by State

◈ Last edit: April, 2021
◈ 50 State, 3 Territories
◈ Breach Laws Analyzed

Unique data. Hand-curated.

In early April of 2021, it was reported that Facebook had a major breach of the data belonging to 533 million users. Facebook argues that this wasn’t a breach but rather a scrape from a previously patched API in 2019. This dataset analyzes State Data Breach Laws and the fine components thereof, looking for potential fines. Based on the way States define PII and public data, it’s unlikely Facebook will even be fined for this breach.

But what if it did meet those criteria? What how big of a fine would current laws allow?

We calculated potential fines to Facebook IF their latest breach fit under current data state breach regulations. This is our analysis.

⚫ We found 35 states with specific fines specified in legislation.

⚫ If we add up the max fines of those states, Facebook might be fined as much as $24B.

California alone might fine FB $20B based on fines listed in AB-375. It specifies $750 in fines per resident. We estimate 27.5M California FB users implicated in the breach.

Other states have the ability to fine FB based on AG action. If we add in specified fines from AG action, that number rises to $89.7B. This number still omits 18 states that would be fining FB zero (and 20 States fining under $1M) who could still bring AG action, we simply don’t have a way to quantify it.

⚫ Note: There is always a lot of nuance in law and I’m not a lawyer. I am however a certified privacy expert. I’ve been studying data breach statutes with Thomas Besore for another project. We are speculating that States might apply max fines to Facebook. Obviously, this isn’t going to happen. While we believe FB is in the wrong for not reporting the breach, that the incident is certainly a breach in any real-world sense of the word, and that the data breached is personal, it does not actually meet the letter of the law requirements under the information we reviewed without some imagination. As well, this particular set of information is much less damaging to consumers than say the Equifax breach, which coalesced State AGs to action.

State Data Breach Fine Info and Potential Facebook Liability

StateEst FB UsersFB Statutory FineFinePerCapState Law CitationPerkinsCSRPSDWTLewis BrisboisNote
Alabama3,176,756$3,000,000$5,000Day2018 S.B. 318, Act No. 396http://alisondb.legislature.state.al.us/alison/CodeOfAlabama/1975/8-38-2.htmhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-alabama.htmlhttps://csrcyberprivacy.com/privacy-regulations/alabamahttps://www.dwt.com/gcp/states/alabama/https://lewisbrisbois.com/privacy/US/Alabama/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=AL
Alaska565,486$50,000$500Resident$50,000Alaska Statutes 45.48.010: Personal Information Protection Acthttp://law.alaska.gov/department/civil/consumer/4548.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-alaska.htmlhttps://csrcyberprivacy.com/privacy-regulations/alaskahttps://www.dwt.com/gcp/states/alaska/https://lewisbrisbois.com/privacy/US/Alaska/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=AK
Arizona4,143,428$500,000$10,000Individual$500,000Arizona Revised Statutes 18-545https://www.azleg.gov/viewdocument/?docName=https://www.azleg.gov/ars/18/00551.htmhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-arizona.htmlhttps://csrcyberprivacy.com/privacy-regulations/arizonahttps://www.dwt.com/gcp/states/arizona/https://lewisbrisbois.com/privacy/US/Arizona/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=AZ
Arkansas2,086,492Arkansas Code 4-110-101: Personal Information Protection Acthttps://law.justia.com/codes/arkansas/2010/title-4/subtitle-7/chapter-110/4-110-105/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-arkansas.htmlhttps://csrcyberprivacy.com/privacy-regulations/arkansashttps://www.dwt.com/gcp/states/arkansas/https://lewisbrisbois.com/privacy/US/Arkansas/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=AR
California27,511,839$20,633,879,138$750Consumer/ IncidentCalifornia Civil Code 1798:29 and 1798:80http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.29https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-california.htmlhttps://csrcyberprivacy.com/privacy-regulations/californiahttps://www.dwt.com/gcp/states/california/https://lewisbrisbois.com/privacy/US/California/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=CACal AB-375
Colorado3,849,722Colorado Revised Statutes 6-1-716https://codes.findlaw.com/co/title-6-consumer-and-commercial-affairs/co-rev-st-sect-6-1-716.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-colorado.htmlhttps://csrcyberprivacy.com/privacy-regulations/coloradohttps://www.dwt.com/gcp/states/colorado/https://lewisbrisbois.com/privacy/US/Colorado/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=COCivil fines. Action for compliance and/or economic damages
Connecticut2,451,400Connecticut General Statutes 36a-701bhttps://www.cga.ct.gov/current/pub/chap_669.htm#sec_36a-701bhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-connecticut.htmlhttps://csrcyberprivacy.com/privacy-regulations/connecticuthttps://www.dwt.com/gcp/states/connecticut/https://lewisbrisbois.com/privacy/US/Connecticut/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=COCivil fines. Civil penalties of up to $5,000
Delaware534,728Delaware Code Title 6, Chapter 12Bhttp://delcode.delaware.gov/title6/c012b/index.shtmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-delaware.htmlhttps://csrcyberprivacy.com/privacy-regulations/delawarehttps://www.dwt.com/gcp/states/delaware/https://lewisbrisbois.com/privacy/US/Delaware/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=DECivil fines. Penalties and/or civil relief may apply
District of Columbia2,217,686$221,768,600$100ViolationDC Consumer Security Breach Informationhttps://code.dccouncil.us/dc/council/code/titles/28/chapters/38/subchapters/II/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-district-of-columbia.htmlhttps://csrcyberprivacy.com/privacy-regulations/washington-d-c/https://www.dwt.com/gcp/states/district-of-columbia/https://lewisbrisbois.com/privacy/US/District%20of%20Columbia/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=DC
Florida13,751,385$500,000$1,000Day$500,000Fla. Stat. § 501.171http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0500-0599/0501/Sections/0501.171.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-florida.htmlhttps://csrcyberprivacy.com/privacy-regulations/floridahttps://www.dwt.com/gcp/states/florida/https://lewisbrisbois.com/privacy/US/Florida/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=FLUp to $1K per day for each day, up to the first 30 days, following a violation and $50K for each subsequent 30-day period or a portion thereof for up to 180 days. If the vio exceeds 180 days, penalties not to exceed $500K
Georgia7,902,957Georgia Code 10-1-912https://codes.findlaw.com/ga/title-10-commerce-and-trade/ga-code-sect-10-1-910.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-georgia.htmlhttps://csrcyberprivacy.com/privacy-regulations/georgiahttps://www.dwt.com/gcp/states/georgia/https://lewisbrisbois.com/privacy/US/Georgia/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=GA
Guam$150,000$150,000BreachGuam Law Linkhttp://www.guamcourts.org/CompilerofLaws/GCA/09gca/9gc048.pdfhttps://www.dwt.com/gcp/states/guam/https://lewisbrisbois.com/privacy/US/Guam/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=GU
Hawaii1,004,298$2,510,745,750$2,500ViolationHawaii Revised Statutes 487N-1https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htmhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-hawaii.htmlhttps://csrcyberprivacy.com/privacy-regulations/hawaiihttps://www.dwt.com/gcp/states/hawaii/https://lewisbrisbois.com/privacy/US/Hawaii/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=HICivil fines. The Attorney General may seek injunctive relief, a $5,000 penalty for each violation, and reasonable costs and attorneys’ fees.
Idaho944,219$25,000$25,000BreachIdaho Code 28-51-104https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-idaho.htmlhttps://csrcyberprivacy.com/privacy-regulations/idahohttps://www.dwt.com/gcp/states/idaho/https://lewisbrisbois.com/privacy/US/Idaho/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=ID
Illinois10,186,974$50,000$100Person$50,000815 ILCS 530: Personal Information Protection Acthttp://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act.https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-illinois.htmlhttps://csrcyberprivacy.com/privacy-regulations/illinoishttps://www.dwt.com/gcp/states/illinois/https://lewisbrisbois.com/privacy/US/Illinois/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=IL
Indiana4,403,263$150,000$150,000Deceptive ActInd. Code §§ 4-1-11 et seq., 24-4.9 et seq.http://iga.in.gov/legislative/laws/2020/ic/titles/004#4-1-11https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-indiana.htmlhttps://csrcyberprivacy.com/privacy-regulations/indianahttps://www.dwt.com/gcp/states/indiana/https://lewisbrisbois.com/privacy/US/Indiana/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=IN
Iowa2,204,919$150,000$150,000ViolationIowa Code 715C.1https://www.legis.iowa.gov/docs/code/715c.pdfhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-iowa.htmlhttps://csrcyberprivacy.com/privacy-regulations/iowahttps://www.dwt.com/gcp/states/iowa/https://lewisbrisbois.com/privacy/US/Iowa/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=INCivil fines. A civil penalty of not more than $150,000 per deceptive act.
Kansas2,565,425Kansas Statutes 50-7a01http://www.kslegislature.org/li_2014/b2013_14/statute/050_000_0000_chapter/050_007a_0000_article/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-kansas.htmlhttps://csrcyberprivacy.com/privacy-regulations/kansashttps://www.dwt.com/gcp/states/kansas/https://lewisbrisbois.com/privacy/US/Kansas/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=KSCivil fines. Attorney general may bring an action
Kentucky2,918,065$2,000$2,000KY Rev. Stat. §365.732https://codes.findlaw.com/ky/title-xxix-commerce-and-trade/ky-rev-st-sect-365-732.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-kentucky.htmlhttps://csrcyberprivacy.com/privacy-regulations/kentuckyhttps://www.dwt.com/gcp/states/kentucky/https://lewisbrisbois.com/privacy/US/Kentucky/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=KY
Louisiana7,902,957$3,000,000$5,000DayLa. Rev. Stat. §§ 51:3071 et seq.https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-louisiana.htmlhttps://csrcyberprivacy.com/privacy-regulations/louisianahttps://www.dwt.com/gcp/states/louisiana/https://lewisbrisbois.com/privacy/US/Louisiana/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=LAAfter the first 10 days (lang in bill is Violations, but violations are days)
Maine988,361$1,500,000$2,500Day10 Me. Rev. Stat. § 1346 et seq.http://legislature.maine.gov/statutes/10/title10ch210-Bsec0.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maine.htmlhttps://csrcyberprivacy.com/privacy-regulations/mainehttps://www.dwt.com/gcp/states/maine/https://lewisbrisbois.com/privacy/US/Maine/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=ME
Maryland3,776,054Maryland Commercial Code 14-3501https://codes.findlaw.com/md/commercial-law/md-code-com-law-sect-14-3501.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maryland.htmlhttps://csrcyberprivacy.com/privacy-regulations/marylandhttps://www.dwt.com/gcp/states/maryland/https://lewisbrisbois.com/privacy/US/Maryland/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MDCivil fines. Constitutes an unfair trade practice
Massachusetts5,418,861$27,094,305,750$5,000ViolationMassachusetts General Laws 93H, Section 1https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-massachusetts.htmlhttps://csrcyberprivacy.com/privacy-regulations/massachusettshttps://www.dwt.com/gcp/states/massachusetts/https://lewisbrisbois.com/privacy/US/Massachusetts/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MACivil fines. The Attorney General may seek injunctive relief, a $5,000 penalty for each violation, and reasonable costs and attorneys’ fees.
Michigan6,791,972$750,000$250Failed Notice$750,000Mich. Comp. Laws §§ 445.63, 445.72https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-michigan.htmlhttps://csrcyberprivacy.com/privacy-regulations/michiganhttps://www.dwt.com/gcp/states/michigan/https://lewisbrisbois.com/privacy/US/Michigan/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MI
Minnesota3,795,219$25,000$25,000Minnesota Statutes 325E.61https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-minnesota.htmlhttps://csrcyberprivacy.com/privacy-regulations/minnesotahttps://www.dwt.com/gcp/states/minnesota/https://lewisbrisbois.com/privacy/US/Minnesota/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MNAttorney General shall enforce this section by seeking injunctive relief and/or a civil penalty for the state not to exceed $25,000.
Mississippi1,895,981Mississippi Code 75-24-29https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=44f0d968-6ef3-4aef-a2db-7ec4c9f0e2c7&nodeid=ABNAAWAABAAQ&nodepath=%2FROOT%2FABN%2FABNAAW%2FABNAAWAAB%2FABNAAWAABAAQ&level=4&haschildren=&populated=false&title=%C2%A7+75-24-29.+Persons+conducting+business+in+Mississippi+required+to+provide+notice+of+a+breach+of+security+involving+personal+information+to+all+affected+individuals%3B+enforcement.&config=00JABhZDIzMTViZS04NjcxLTQ1MDItOTllOS03MDg0ZTQxYzU4ZTQKAFBvZENhdGFsb2f8inKxYiqNVSihJeNKRlUp&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A8P6B-8782-8T6X-74VC-00008-00&ecomp=k5v8kkk&prid=9be20549-c96b-46a9-b338-d9943601c47dhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-mississippi.htmlhttps://csrcyberprivacy.com/privacy-regulations/mississippihttps://www.dwt.com/gcp/states/mississippi/https://lewisbrisbois.com/privacy/US/Mississippi/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MSCivil fines. Constitutes an unfair trade practice
Missouri4,860,712$150,000$150,000BreachMissouri Revised Statutes 407.1500https://revisor.mo.gov/main/OneSection.aspx?section=407.1500&bid=23329&hl=https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-missouri.htmlhttps://csrcyberprivacy.com/privacy-regulations/missourihttps://www.dwt.com/gcp/states/missouri/https://lewisbrisbois.com/privacy/US/Missouri/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MO
Montana621,428$10,000$10,000Montana Code 30-14-1704https://leg.mt.gov/bills/mca_toc/30_14_17.htmhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-montana.htmlhttps://csrcyberprivacy.com/privacy-regulations/montanahttps://www.dwt.com/gcp/states/montana/https://lewisbrisbois.com/privacy/US/Montana/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MT
Nebraska1,392,892Nebraska Revised Statutes 87-801https://nebraskalegislature.gov/laws/statutes.php?statute=87-802https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-nebraska.htmlhttps://csrcyberprivacy.com/privacy-regulations/nebraskahttps://www.dwt.com/gcp/states/nebraska/https://lewisbrisbois.com/privacy/US/Nebraska/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NECivil fines. Award of direct economic damages
Nevada1,934,077Nevada Revised Statutes 603A.010https://www.leg.state.nv.us/nrs/nrs-603a.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-nevada.htmlhttps://csrcyberprivacy.com/privacy-regulations/nevadahttps://www.dwt.com/gcp/states/nevada/https://lewisbrisbois.com/privacy/US/Nevada/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NVCivil fines. Attorney general may bring an action
New Hampshire1,002,860$10,000New Hampshire Revised Statutes 359-C:20https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-hampshire.htmlhttps://csrcyberprivacy.com/privacy-regulations/new-hampshirehttps://www.dwt.com/gcp/states/new-hampshire/https://lewisbrisbois.com/privacy/US/New%20Hampshire/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NHCivil fines. Up to $10,000 in civil penalties for each violation. Up to triple damages
New Jersey6,788,479New Jersey Statutes 56:8-163: Identity Theft Prevention Acthttps://codes.findlaw.com/nj/title-56-trade-names-trademarks-and-unfair-trade-practices/nj-st-sect-56-8-162.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-jersey.htmlhttps://csrcyberprivacy.com/privacy-regulations/new-jerseyhttps://www.dwt.com/gcp/states/new-jersey/https://lewisbrisbois.com/privacy/US/New%20Jersey/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NJCivil fines. Unlawful practice, violation of N.J. STAT. ANN. §§ 56:8-1, et seq. to willfully, knowingly or recklessly violate this data breach notification law. Remedies apply to violations of data breach notification law. Up to triple damages
New Mexico1,054,340$150,000$10Failed Notify$150,000New Mexico Data Breach Act - HB 15https://nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdfhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-mexico.htmlhttps://csrcyberprivacy.com/privacy-regulations/new-mexicohttps://www.dwt.com/gcp/states/new-mexico/https://lewisbrisbois.com/privacy/US/New%20Mexico/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NMThe court may levy a civil penalty of the greater of $25,000. In the event of failed notification, fines in the amount of $10.00 (ten dollars) per violation to a maximum of $150,000
New York15,580,741$150,000$10Resident$150,000New York General Business Law 899-aa and State Technology Law 208https://www.nysenate.gov/legislation/laws/GBS/899-AAhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-york.htmlhttps://csrcyberprivacy.com/privacy-regulations/new-yorkhttps://www.dwt.com/gcp/states/new-york/https://lewisbrisbois.com/privacy/US/New%20York/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NY
North Carolina6,669,934$33,349,671,250$5,000Incident (Injured Party)North Carolina General Statutes 75-61 and 75-65https://codes.findlaw.com/nc/chapter-75-monopolies-trusts-and-consumer-protection/nc-gen-st-sect-75-65.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-north-carolina.htmlhttps://csrcyberprivacy.com/privacy-regulations/north-carolinahttps://www.dwt.com/gcp/states/north-carolina/https://lewisbrisbois.com/privacy/US/North%20Carolina/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NCCivil fines. An individual injured as a result of a violation of this section may institute a civil action. Damages are set at $5,000 per incident, and provide for treble damages within this range. Injunctive relief is also available.
North Dakota550,048$2,750,241,750$5,000ViolationNorth Dakota Century Codehttps://codes.findlaw.com/nd/title-51-sales-and-exchanges/nd-cent-code-sect-51-30-02.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-north-dakota.htmlhttps://csrcyberprivacy.com/privacy-regulations/north-dakotahttps://www.dwt.com/gcp/states/north-dakota/https://lewisbrisbois.com/privacy/US/North%20Dakota/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NDCivil fines. AG may impose a civil penalty of not more than $5K for each vio. Remedies, duties, prohibitions and penalties under this particular law are not exclusive.
Ohio8,368,800$5,430,000$1,000Day10K/DayOhio Revised Code 1349.19https://codes.ohio.gov/ohio-revised-code/section-1349.19https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-ohio.htmlhttps://csrcyberprivacy.com/privacy-regulations/ohiohttps://www.dwt.com/gcp/states/ohio/https://lewisbrisbois.com/privacy/US/Ohio/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=OHA fine of up to $1,000 per day for the first 60 days of noncompliance o The fine raises to $5,000 per day after 60 days of noncompliance o The fine then raises to $10,000 per day after 90 days of noncompliance
Oklahoma2,471,622$150,000$150,000Breach24 Okla. Stat. § 161 et seq.https://www.bakerlaw.com/webfiles/Privacy/Map/State-Data-Breach-Statute/Oklahoma.pdfhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-oklahoma.htmlhttps://csrcyberprivacy.com/privacy-regulations/oklahomahttps://www.dwt.com/gcp/states/oklahoma/https://lewisbrisbois.com/privacy/US/Oklahoma/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=OKlimited to $150,000 per breach of a system or a series of breaches of the same nature discovered in the course of a single investigation
Oregon2,713,760$500,000$1,000Violation$500,000Oregon Revised Statutes 646A.600: Oregon Consumer Identity Theft Protection Acthttps://www.oregonlaws.org/ors/646A.604https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-oregon.htmlhttps://csrcyberprivacy.com/privacy-regulations/oregonhttps://www.dwt.com/gcp/states/oregon/https://lewisbrisbois.com/privacy/US/Oregon/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=OR
Pennsylvania9,085,410Pennsylvania Statutes 73-2301: Breach of Personal Information Notification Acthttps://govt.westlaw.com/pac/Document/N5406B1B08C5311DA943797541B5FDE35?viewType=FullText&originationContext=documenttoc&transitionType=CategoryPageItem&contextData=(sc.Default)&bhcp=1https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-pennsylvania.htmlhttps://csrcyberprivacy.com/privacy-regulations/pennsylvaniahttps://www.dwt.com/gcp/states/pennsylvania/https://lewisbrisbois.com/privacy/US/Pennsylvania/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=PACivil fines. Constitutes an unfair trade practice
Puerto Rico$5,000$500$5,00010 P.R. Laws Ann. §§ 4051–4055https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=3dae5e3e-ddd2-49bf-8535-aadcdeb8fb71&nodeid=AAMAADABGAAB&nodepath=%2FROOT%2FAAM%2FAAMAAD%2FAAMAADABG%2FAAMAADABGAAB&level=4&haschildren=&populated=false&title=%C2%A7+4051.+Definitions&config=00JABkODU1MGI4OC1hMmRkLTQ2MGYtOGY1NS03YjVjOWM4YjJlZjAKAFBvZENhdGFsb2d0HiKld62itjBDGzN8H7lV&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A5D6S-8B41-66SD-80SR-00008-00&ecomp=k5v8kkk&prid=80ede612-e1e6-4866-a3e4-ff35f4f52440https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-puerto-rico.htmlhttps://www.dwt.com/gcp/states/puerto-rico/https://lewisbrisbois.com/privacy/US/Puerto%20Rico/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=RI
Rhode Island911,640$182,328,070$200RecordRhode Island General Laws 11-49.3http://webserver.rilin.state.ri.us/Statutes/TITLE11/11-49.3/11-49.3-4.HTMhttps://www.perkinscoie.com/en/news-insights/rhode-island.htmlhttps://csrcyberprivacy.com/privacy-regulations/rhode-islandhttps://www.dwt.com/gcp/states/rhode-island/https://lewisbrisbois.com/privacy/US/Rhode%20Island/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=RI
South Carolina2,944,216$2,944,215,900$1,000ResidentSouth Carolina Code 39-1-90https://www.scstatehouse.gov/query.php?search=DOC&searchtext=SECTION%2039%201%2090&category=CODEOFLAWS&conid=36689925&result_pos=0&keyval=17283&numrows=10https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-south-carolina.htmlhttps://csrcyberprivacy.com/privacy-regulations/south-carolinahttps://www.dwt.com/gcp/states/south-carolina/https://lewisbrisbois.com/privacy/US/South%20Carolina/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=SC
South Dakota614,589$6,000,000$10,000Day/VioSouth Dakota’s Senate Bill 62https://sdlegislature.gov/Statutes/Codified_Laws/2047702https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-south-dakota.htmlhttps://csrcyberprivacy.com/privacy-regulations/south-dakotahttps://www.dwt.com/gcp/states/south-dakota/https://lewisbrisbois.com/privacy/US/South%20Dakota/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=SD
Tennessee4,454,039$10,000Tennessee Code 47-18-2107https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=ae167118-3d03-4a8c-af3c-83c6191bfd5e&nodeid=ABVAAUAAVAAH&nodepath=%2FROOT%2FABV%2FABVAAU%2FABVAAUAAV%2FABVAAUAAVAAH&level=4&haschildren=&populated=false&title=47-18-2107.+Release+of+personal+consumer+information.&config=025054JABlOTJjNmIyNi0wYjI0LTRjZGEtYWE5ZC0zNGFhOWNhMjFlNDgKAFBvZENhdGFsb2cDFQ14bX2GfyBTaI9WcPX5&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A4X8K-XB40-R03J-K1K5-00008-00&ecomp=f38_kkk&prid=1ebbe805-18ab-4aae-92e0-ec985d915ffahttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-tennessee.htmlhttps://csrcyberprivacy.com/privacy-regulations/tennesseehttps://www.dwt.com/gcp/states/tennessee/https://lewisbrisbois.com/privacy/US/Tennessee/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=TNCivil fines. A violation can subject the violator to a civil penalty of $10,000; $5,000 per day that a person’s identity has been assumed; or 10X amount obtained or attempted to be obtained through the ID theft, whichever greater.
Texas17,506,189$250,000$100Person/Day$250,000Texas Business and Commerce Code 521.002 and 521.053https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm#521.002https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-texas.htmlhttps://csrcyberprivacy.com/privacy-regulations/texashttps://www.dwt.com/gcp/states/texas/https://lewisbrisbois.com/privacy/US/Texas/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=TX$100 for each individual to whom notification is due for each consecutive day the person fails to take reasonable action to notify. Max penalty: $250,000 for a single breach. AG may bring a civil suit. Max $50,000 for each vio.
Utah1,995,242$100,000$2,500Consumer$100,000Utah Code 13-44-101, 13-44-202 and 13-44-301: Protection of Personal Information Acthttps://le.utah.gov/xcode/Title13/Chapter44/C13-44_1800010118000101.pdfhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-utah.htmlhttps://csrcyberprivacy.com/privacy-regulations/utahhttps://www.dwt.com/gcp/states/utah/https://lewisbrisbois.com/privacy/US/Utah/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=UT
Vermont490,145$10,000$10,000Vermont Statutes Annotated 9-2430 and 2435https://legislature.vermont.gov/statutes/section/09/062/02435https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-vermont.htmlhttps://csrcyberprivacy.com/privacy-regulations/vermonthttps://www.dwt.com/gcp/states/vermont/https://lewisbrisbois.com/privacy/US/Vermont/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=VTcivil penalties of up to $10,000 for each violation committed
Virgin IslandsV.I. Code tit. 14, §§ 2208, 2209https://advance.lexis.com/container?config=024453JABiMWFjOTk0OS1hNTVlLTQ1MDctYmZkOS1mNGRkY2I0ZTg2YzQKAFBvZENhdGFsb2fNaUTUAugmXPqNctTcuqLy&crid=64f20113-6ffc-44f5-b260-1e5fdea78634https://www.dwt.com/gcp/states/virgin-islands/https://lewisbrisbois.com/privacy/US/US%20Virgin%20Islands/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=VI
Virginia5,244,933$150,000$150,000Virginia Code 18.2-186.6 and 32.1-127.1:05http://law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-virginia.htmlhttps://csrcyberprivacy.com/privacy-regulations/virginiahttps://www.dwt.com/gcp/states/virginia/https://lewisbrisbois.com/privacy/US/Virginia/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=VImay not exceed $150,000 for every breach of security in the system, or for a set of similar breaches that were all discovered at the same time during the investigation process
Washington5,711,217Washington Revised Code 19.255.010https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-washington.htmlhttps://csrcyberprivacy.com/privacy-regulations/washingtonhttps://www.dwt.com/gcp/states/washington/https://lewisbrisbois.com/privacy/US/Washington/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=WACivil fines. Consumer & attorney general may bring an action
West Virginia1,132,528$150,000$150,000West Virginia Code 46A-2A-101http://www.wvlegislature.gov/WVCODE/Code.cfm?chap=46a&art=2A#2Ahttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-west-virginia.htmlhttps://csrcyberprivacy.com/privacy-regulations/west-virginiahttps://www.dwt.com/gcp/states/west-virginia/https://lewisbrisbois.com/privacy/US/West%20Virginia/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=WVmax penalty of $150,000 per breach of security for civil action cases
Wisconsin3,965,361Wisconsin Statutes 134.98https://docs.legis.wisconsin.gov/statutes/statutes/134/98https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-wisconsin.htmlhttps://csrcyberprivacy.com/privacy-regulations/wisconsinhttps://www.dwt.com/gcp/states/wisconsin/https://lewisbrisbois.com/privacy/US/Wisconsin/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=WICivil fines. May be evidence of negligence/breach of legal duty
Wyoming369,839Wyoming Statutes 40-12-501https://codes.findlaw.com/wy/title-40-trade-and-commerce/wy-st-sect-40-12-501.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-wyoming.htmlhttps://csrcyberprivacy.com/privacy-regulations/wyominghttps://www.dwt.com/gcp/states/wyoming/https://lewisbrisbois.com/privacy/US/Wyoming/data-breachhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=WYCivil fines. Attorney general may bring an action