State Breach Statute Scoring
◈ Summary analysis of state laws
◈ Details on every state
◈ Our analysis + links to resources
Unique data. Hand-curated.
This study scores State Data Breach Statutes across four major metrics:
| Breach Notification | Personal Data Coverage | Harm Triggers | Fines & Enforcement |
Each metric is based on several scoring elements within the statute. The goal was to get a broad picture of how statutes differ and which states have relatively “better” and “worse” statutes in terms of overall protection for their constituents.
This is a consumer-focused score. If the model works as intended, statutes with the highest scores should generate the most notifications/fines/actions across a range of data breaches.
We expect that this model will generate some discussion. Some states with ‘stronger’ data breach laws haven’t scored as highly. Is that because we are scoring more objectively or because we are missing nuance or indicators? We contend that when you look closely at individual elements of each law, even strong Breach Notification Laws often have flaws in one of the four areas we examine, undermining its effectiveness.
State Data Breach Law: Statute Scoring
| StateName | StAbbr | Rank | Score | Notify# | PII# | Harm# | Enforce# | StateLawCitation | |||
|---|---|---|---|---|---|---|---|---|---|---|---|
| California | CA | https://privacyplan.net/state-data-breach-law/california.htm | 1 | 57 | 16 | 11 | 12 | 18 | 2002 | California Civil Code 1798:29 and 1798:80 | http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.29 |
| District of Columbia | DC | https://privacyplan.net/state-data-breach-law/district-of-columbia.htm | 2 | 55 | 9 | 18 | 10 | 18 | 2007 | DC Consumer Security Breach Information | https://code.dccouncil.us/dc/council/code/titles/28/chapters/38/subchapters/II/ |
| Washington | WA | https://privacyplan.net/state-data-breach-law/washington.htm | 3 | 45 | 17 | 12 | 6 | 10 | 2005 | Washington Revised Code 19.255.010 | https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010 |
| Maryland | MD | https://privacyplan.net/state-data-breach-law/maryland.htm | 4 | 44 | 23 | 6 | 5 | 10 | 2007 | Maryland Commercial Code 14-3501 | https://codes.findlaw.com/md/commercial-law/md-code-com-law-sect-14-3501.html |
| Colorado | CO | https://privacyplan.net/state-data-breach-law/colorado.htm | 5 | 42 | 28 | 9 | 5 | 0 | 2006 | Colorado Revised Statutes 6-1-716 | https://codes.findlaw.com/co/title-6-consumer-and-commercial-affairs/co-rev-st-sect-6-1-716.html |
| North Carolina | NC | https://privacyplan.net/state-data-breach-law/north-carolina.htm | 6 | 42 | 21 | 0 | 1 | 20 | 2005 | North Carolina General Statutes 75-61 and 75-65 | https://codes.findlaw.com/nc/chapter-75-monopolies-trusts-and-consumer-protection/nc-gen-st-sect-75-65.html |
| Illinois | IL | https://privacyplan.net/state-data-breach-law/illinois.htm | 7 | 38 | 16 | 5 | 12 | 5 | 2005 | 815 ILCS 530: Personal Information Protection Act | http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act. |
| Massachusetts | MA | https://privacyplan.net/state-data-breach-law/massachusetts.htm | 8 | 34 | 12 | 3 | -1 | 20 | 2007 | Massachusetts General Laws 93H, Section 1 | https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1 |
| Florida | FL | https://privacyplan.net/state-data-breach-law/florida.htm | 9 | 33 | 19 | 5 | 11 | -2 | 2014 | Fla. Stat. § 501.171 | http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0500-0599/0501/Sections/0501.171.html |
| North Dakota | ND | https://privacyplan.net/state-data-breach-law/north-dakota.htm | 10 | 33 | 9 | 2 | 12 | 10 | 2005 | North Dakota Century Code | https://codes.findlaw.com/nd/title-51-sales-and-exchanges/nd-cent-code-sect-51-30-02.html |
| Hawaii | HI | https://privacyplan.net/state-data-breach-law/hawaii.htm | 11 | 32 | 17 | -1 | 6 | 10 | 2006 | Hawaii Revised Statutes 487N-1 | https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm |
| Louisiana | LA | https://privacyplan.net/state-data-breach-law/louisiana.htm | 12 | 31 | 10 | 1 | 4 | 16 | 2005 | La. Rev. Stat. §§ 51:3071 et seq. | |
| Oregon | OR | https://privacyplan.net/state-data-breach-law/oregon.htm | 13 | 31 | 17 | 12 | 4 | -2 | 2007 | Oregon Revised Statutes 646A.600: Oregon Consumer Identity Theft Protection Act | https://www.oregonlaws.org/ors/646A.604 |
| Texas | TX | https://privacyplan.net/state-data-breach-law/texas.htm | 14 | 31 | 13 | 2 | 10 | 6 | 2007 | Texas Business and Commerce Code 521.002 and 521.053 | https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm#521.002 |
| Puerto Rico | PR | https://privacyplan.net/state-data-breach-law/puerto-rico.htm | 15 | 30 | 10 | -3 | 18 | 5 | 2005 | 10 P.R. Laws Ann. §§ 4051–4055 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=3dae5e3e-ddd2-49bf-8535-aadcdeb8fb71&nodeid=AAMAADABGAAB&nodepath=%2FROOT%2FAAM%2FAAMAAD%2FAAMAADABG%2FAAMAADABGAAB&level=4&haschildren=&populated=false&title=%C2%A7+4051.+Definitions&config=00JABkODU1MGI4OC1hMmRkLTQ2MGYtOGY1NS03YjVjOWM4YjJlZjAKAFBvZENhdGFsb2d0HiKld62itjBDGzN8H7lV&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A5D6S-8B41-66SD-80SR-00008-00&ecomp=k5v8kkk&prid=80ede612-e1e6-4866-a3e4-ff35f4f52440 |
| Minnesota | MN | https://privacyplan.net/state-data-breach-law/minnesota.htm | 16 | 29 | 8 | -1 | 12 | 10 | 2005 | Minnesota Statutes 325E.61 | |
| Nevada | NV | https://privacyplan.net/state-data-breach-law/nevada.htm | 17 | 29 | 8 | 1 | 10 | 10 | 2005 | Nevada Revised Statutes 603A.010 | https://www.leg.state.nv.us/nrs/nrs-603a.html |
| South Carolina | SC | https://privacyplan.net/state-data-breach-law/south-carolina.htm | 18 | 29 | 13 | -1 | -1 | 18 | 2008 | South Carolina Code 39-1-90 | https://www.scstatehouse.gov/query.php?search=DOC&searchtext=SECTION%2039%201%2090&category=CODEOFLAWS&conid=36689925&result_pos=0&keyval=17283&numrows=10 |
| Connecticut | CT | https://privacyplan.net/state-data-breach-law/connecticut.htm | 19 | 27 | 19 | -4 | 12 | 0 | 2005 | Connecticut General Statutes 36a-701b | https://www.cga.ct.gov/current/pub/chap_669.htm#sec_36a-701b |
| Rhode Island | RI | https://privacyplan.net/state-data-breach-law/rhode-island.htm | 20 | 27 | 15 | 0 | 4 | 8 | 2006 | Rhode Island General Laws 11-49.3 | http://webserver.rilin.state.ri.us/Statutes/TITLE11/11-49.3/11-49.3-4.HTM |
| New Hampshire | NH | https://privacyplan.net/state-data-breach-law/new-hampshire.htm | 21 | 25 | 11 | -1 | 5 | 10 | 2006 | New Hampshire Revised Statutes 359-C:20 | |
| New Jersey | NJ | https://privacyplan.net/state-data-breach-law/new-jersey.htm | 22 | 25 | 15 | -3 | 13 | 0 | 2005 | New Jersey Statutes 56:8-163: Identity Theft Prevention Act | https://codes.findlaw.com/nj/title-56-trade-names-trademarks-and-unfair-trade-practices/nj-st-sect-56-8-162.html |
| Alabama | AL | https://privacyplan.net/state-data-breach-law/alabama.htm | 23 | 24 | 20 | -1 | -1 | 6 | 2018 | 2018 S.B. 318, Act No. 396 | http://alisondb.legislature.state.al.us/alison/CodeOfAlabama/1975/8-38-2.htm |
| South Dakota | SD | https://privacyplan.net/state-data-breach-law/south-dakota.htm | 24 | 24 | 12 | 2 | 4 | 6 | 2018 | South Dakota’s Senate Bill 62 | https://sdlegislature.gov/Statutes/Codified_Laws/2047702 |
| Virgin Islands | VI | https://privacyplan.net/state-data-breach-law/virgin-islands.htm | 25 | 23 | 4 | -1 | 10 | 10 | V.I. Code tit. 14, §§ 2208, 2209 | https://advance.lexis.com/container?config=024453JABiMWFjOTk0OS1hNTVlLTQ1MDctYmZkOS1mNGRkY2I0ZTg2YzQKAFBvZENhdGFsb2fNaUTUAugmXPqNctTcuqLy&crid=64f20113-6ffc-44f5-b260-1e5fdea78634 | |
| Arkansas | AR | https://privacyplan.net/state-data-breach-law/arkansas.htm | 26 | 22 | 9 | 4 | 4 | 5 | 2005 | Arkansas Code 4-110-101: Personal Information Protection Act | https://law.justia.com/codes/arkansas/2010/title-4/subtitle-7/chapter-110/4-110-105/ |
| Delaware | DE | https://privacyplan.net/state-data-breach-law/delaware.htm | 27 | 21 | 15 | 2 | 4 | 0 | 2005 | Delaware Code Title 6, Chapter 12B | http://delcode.delaware.gov/title6/c012b/index.shtml |
| Virginia | VI | https://privacyplan.net/state-data-breach-law/virginia.htm | 28 | 21 | 13 | 1 | 2 | 5 | 2008 | Virginia Code 18.2-186.6 and 32.1-127.1:05 | http://law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/ |
| Tennessee | TN | https://privacyplan.net/state-data-breach-law/tennessee.htm | 29 | 20 | 9 | -1 | 2 | 10 | 2005 | Tennessee Code 47-18-2107 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=ae167118-3d03-4a8c-af3c-83c6191bfd5e&nodeid=ABVAAUAAVAAH&nodepath=%2FROOT%2FABV%2FABVAAU%2FABVAAUAAV%2FABVAAUAAVAAH&level=4&haschildren=&populated=false&title=47-18-2107.+Release+of+personal+consumer+information.&config=025054JABlOTJjNmIyNi0wYjI0LTRjZGEtYWE5ZC0zNGFhOWNhMjFlNDgKAFBvZENhdGFsb2cDFQ14bX2GfyBTaI9WcPX5&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A4X8K-XB40-R03J-K1K5-00008-00&ecomp=f38_kkk&prid=1ebbe805-18ab-4aae-92e0-ec985d915ffa |
| Montana | MT | https://privacyplan.net/state-data-breach-law/montana.htm | 30 | 19 | 15 | 1 | 3 | 0 | 2006 | Montana Code 30-14-1704 | https://leg.mt.gov/bills/mca_toc/30_14_17.htm |
| New York | NY | https://privacyplan.net/state-data-breach-law/new-york.htm | 31 | 19 | 16 | 3 | 5 | -5 | 2005 | New York General Business Law 899-aa and State Technology Law 208 | https://www.nysenate.gov/legislation/laws/GBS/899-AA |
| Vermont | VT | https://privacyplan.net/state-data-breach-law/vermont.htm | 32 | 19 | 13 | 4 | 2 | 0 | 2006 | Vermont Statutes Annotated 9-2430 and 2435 | https://legislature.vermont.gov/statutes/section/09/062/02435 |
| Alaska | AK | https://privacyplan.net/state-data-breach-law/alaska.htm | 33 | 17 | 4 | 2 | 6 | 5 | 2008 | Alaska Statutes 45.48.010: Personal Information Protection Act | http://law.alaska.gov/department/civil/consumer/4548.html |
| Georgia | GA | https://privacyplan.net/state-data-breach-law/georgia.htm | 34 | 17 | 5 | 0 | 12 | 0 | 2005 | Georgia Code 10-1-912 | https://codes.findlaw.com/ga/title-10-commerce-and-trade/ga-code-sect-10-1-910.html |
| Nebraska | NE | https://privacyplan.net/state-data-breach-law/nebraska.htm | 35 | 17 | 7 | 5 | 5 | 0 | 2006 | Nebraska Revised Statutes 87-801 | https://nebraskalegislature.gov/laws/statutes.php?statute=87-802 |
| Maine | ME | https://privacyplan.net/state-data-breach-law/maine.htm | 36 | 15 | 4 | 0 | 5 | 6 | 2005 | 10 Me. Rev. Stat. § 1346 et seq. | http://legislature.maine.gov/statutes/10/title10ch210-Bsec0.html |
| Wisconsin | WI | https://privacyplan.net/state-data-breach-law/wisconsin.htm | 37 | 14 | 12 | -2 | 4 | 0 | 2006 | Wisconsin Statutes 134.98 | https://docs.legis.wisconsin.gov/statutes/statutes/134/98 |
| Iowa | IA | https://privacyplan.net/state-data-breach-law/iowa.htm | 38 | 13 | 8 | 0 | 5 | 0 | 2008 | Iowa Code 715C.1 | https://www.legis.iowa.gov/docs/code/715c.pdf |
| Arizona | AZ | https://privacyplan.net/state-data-breach-law/arizona.htm | 39 | 12 | 15 | 1 | -2 | -2 | 2006 | Arizona Revised Statutes 18-545 | https://www.azleg.gov/viewdocument/?docName=https://www.azleg.gov/ars/18/00551.htm |
| Kentucky | KY | https://privacyplan.net/state-data-breach-law/kentucky.htm | 40 | 12 | 8 | 2 | 2 | 0 | 2014 | KY Rev. Stat. §365.732 | https://codes.findlaw.com/ky/title-xxix-commerce-and-trade/ky-rev-st-sect-365-732.html |
| Indiana | IN | https://privacyplan.net/state-data-breach-law/indiana.htm | 41 | 11 | 11 | 1 | 4 | -5 | 2005 | Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq. | http://iga.in.gov/legislative/laws/2020/ic/titles/004#4-1-11 |
| Michigan | MI | https://privacyplan.net/state-data-breach-law/michigan.htm | 42 | 10 | 8 | 2 | -2 | 2 | 2006 | Mich. Comp. Laws §§ 445.63, 445.72 | https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1 |
| New Mexico | NM | https://privacyplan.net/state-data-breach-law/new-mexico.htm | 43 | 10 | 18 | 0 | -3 | -5 | 2017 | New Mexico Data Breach Act - HB 15 | https://nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdf |
| Wyoming | WY | https://privacyplan.net/state-data-breach-law/wyoming.htm | 44 | 10 | 6 | 1 | 3 | 0 | 2007 | Wyoming Statutes 40-12-501 | https://codes.findlaw.com/wy/title-40-trade-and-commerce/wy-st-sect-40-12-501.html |
| Missouri | MO | https://privacyplan.net/state-data-breach-law/missouri.htm | 45 | 9 | 12 | 0 | 2 | -5 | 2009 | Missouri Revised Statutes 407.1500 | https://revisor.mo.gov/main/OneSection.aspx?section=407.1500&bid=23329&hl= |
| Pennsylvania | PA | https://privacyplan.net/state-data-breach-law/pennsylvania.htm | 46 | 7 | 4 | -1 | 4 | 0 | 2006 | Pennsylvania Statutes 73-2301: Breach of Personal Information Notification Act | https://govt.westlaw.com/pac/Document/N5406B1B08C5311DA943797541B5FDE35?viewType=FullText&originationContext=documenttoc&transitionType=CategoryPageItem&contextData=(sc.Default)&bhcp=1 |
| Ohio | OH | https://privacyplan.net/state-data-breach-law/ohio.htm | 47 | 5 | 9 | -7 | -3 | 6 | 2005 | Ohio Revised Code 1349.19 | https://codes.ohio.gov/ohio-revised-code/section-1349.19 |
| West Virginia | WV | https://privacyplan.net/state-data-breach-law/west-virginia.htm | 48 | 5 | 9 | -1 | 2 | -5 | 2008 | West Virginia Code 46A-2A-101 | http://www.wvlegislature.gov/WVCODE/Code.cfm?chap=46a&art=2A#2A |
| Kansas | KS | https://privacyplan.net/state-data-breach-law/kansas.htm | 49 | 4 | 4 | -1 | 1 | 0 | 2006 | Kansas Statutes 50-7a01 | http://www.kslegislature.org/li_2014/b2013_14/statute/050_000_0000_chapter/050_007a_0000_article/ |
| Mississippi | MS | https://privacyplan.net/state-data-breach-law/mississippi.htm | 50 | 3 | 0 | -1 | 4 | 0 | 2010 | Mississippi Code 75-24-29 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=44f0d968-6ef3-4aef-a2db-7ec4c9f0e2c7&nodeid=ABNAAWAABAAQ&nodepath=%2FROOT%2FABN%2FABNAAW%2FABNAAWAAB%2FABNAAWAABAAQ&level=4&haschildren=&populated=false&title=%C2%A7+75-24-29.+Persons+conducting+business+in+Mississippi+required+to+provide+notice+of+a+breach+of+security+involving+personal+information+to+all+affected+individuals%3B+enforcement.&config=00JABhZDIzMTViZS04NjcxLTQ1MDItOTllOS03MDg0ZTQxYzU4ZTQKAFBvZENhdGFsb2f8inKxYiqNVSihJeNKRlUp&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A8P6B-8782-8T6X-74VC-00008-00&ecomp=k5v8kkk&prid=9be20549-c96b-46a9-b338-d9943601c47d |
| Idaho | ID | https://privacyplan.net/state-data-breach-law/idaho.htm | 51 | 0 | 4 | -4 | 5 | -5 | 2006 | Idaho Code 28-51-104 | https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/ |
| Guam | GU | https://privacyplan.net/state-data-breach-law/guam.htm | 52 | -4 | 0 | -1 | 2 | -5 | 2009 | Guam Law Link | http://www.guamcourts.org/CompilerofLaws/GCA/09gca/9gc048.pdf |
| Oklahoma | OK | https://privacyplan.net/state-data-breach-law/oklahoma.htm | 53 | -4 | 0 | -1 | 2 | -5 | 2008 | 24 Okla. Stat. § 161 et seq. | https://www.bakerlaw.com/webfiles/Privacy/Map/State-Data-Breach-Statute/Oklahoma.pdf |
| Utah | UT | https://privacyplan.net/state-data-breach-law/utah.htm | 54 | -7 | 0 | -4 | 2 | -5 | 2006 | Utah Code 13-44-101, 13-44-202 and 13-44-301: Protection of Personal Information Act | https://le.utah.gov/xcode/Title13/Chapter44/C13-44_1800010118000101.pdf |
Our Statute Scoring Model:
Breach Notification:
-
- Reporting Deadline: 0 to 10 points
- Reporting Deadline for 3rd Parties: 0-4 points
- AG Reporting + Threshold: 0-5 points
- CRA Reporting + Threshold: 0-4 points
- Consumer Notice Requirements: 0 to 6 points
- Max points: 29
Personal Data Coverage:
-
- Data Combos That Trigger Breach: 1 to 3 points (multiplier)
- Data Elements Covered: 0-8 points
- Exceptions: 0-9 points subtracted
- Max points: 24
Harm Triggers:
-
- Access to Data Triggers: 8 points
- Substantial Risk Clause: -5 points
- Specific Harm Trigger: 1-7 points
- Harm Analysis Not Required: 0-5 points
- Paper Records Covered: +2 points
- Max points: 22
Fines & Enforcement:
-
- Size of Potential Fine Estimate: 0 to 10 points
- Max Fine Limitations: 0-5 points subtracted
- Criminal Penalty in Statute: +5 points
- Private Right of Action: +10 points
- It would be good to enhance this indicator with data on AG prosecutions
- Max points: 25
What’s not in our model? We haven’t taken an exhaustive look at each individual piece of legislation as a whole. For instance, we didn’t look at data security, data retention, or data destruction requirements embedded into breach statutes. We also don’t consider Privacy Policy requirements, which are quite valuable.
In our breach notification metric, we didn’t delve into cost containment provisions that can give companies an out or exactly what must be included in those notifications, which can be a boon to consumers. Note: we do not believe that free credit monitoring is one of those boons, but rather a flawed panacea.
We also didn’t look at the actual enforcement priorities of State AG‘s or the effectiveness of the Private Right of Action language. If there was a way to look at it, it might have been good to scrutinize actual fines collected by each state. We might also have added points for Breach reporting portals and Breach Walls of Shame.
We discriminate a bit against states that do not list explicit timeframes in their breach reporting laws. “Without delay” allows lawyers too much wiggle room for us.
Have suggestions or complaints about our scoring model? Email info@privacyplan.net.
