State Breach Statute Scoring

◈ Summary analysis of state laws
◈ Details on every state
◈ Our analysis + links to resources

State Data Breach Laws: Analysis

Unique data. Hand-curated.

This study scores State Data Breach Statutes across four major metrics:

    • Breach Notification
    • Personal Data Coverage
    • Harm Triggers
    • Fines & Enforcement

Each metric is based on several scoring elements within the statute. The goal was to get a broad picture of how statutes differ and which states have relatively “better” and “worse” statutes in terms of overall protection for their constituents.

This is a consumer-focused score. If the model works as intended, statutes with the highest scores should generate the most notifications/fines/actions across a range of data breaches.

We expect that this model will generate some discussion. Some states with ‘stronger’ data breach laws haven’t scored as highly. Is that because we are scoring more objectively or because we are missing nuance or indicators? We contend that when you look closely at individual elements of each law, even strong Breach Notification Laws often have flaws in one of the four areas we examine, undermining their effectiveness.

State Data Breach Law: Statute Scoring

| State Name | St Abbr | State Page | Rank | Score | Notify# / PII# / Harm# / Enforce# | Year | State Law | Citation |
|---|---|---|---|---|---|---|---|---|
| California | CA | https://privacyplan.net/state-data-breach-law/california.htm | 1 | 57 | 16 / 11 / 12 / 18 | 2002 | California Civil Code 1798:29 and 1798:80 | http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.29 |
| District of Columbia | DC | https://privacyplan.net/state-data-breach-law/district-of-columbia.htm | 2 | 55 | 9 / 18 / 10 / 18 | 2007 | DC Consumer Security Breach Information | https://code.dccouncil.us/dc/council/code/titles/28/chapters/38/subchapters/II/ |
| Washington | WA | https://privacyplan.net/state-data-breach-law/washington.htm | 3 | 45 | 17 / 12 / 6 / 10 | 2005 | Washington Revised Code 19.255.010 | https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010 |
| Maryland | MD | https://privacyplan.net/state-data-breach-law/maryland.htm | 4 | 44 | 23 / 6 / 5 / 10 | 2007 | Maryland Commercial Code 14-3501 | https://codes.findlaw.com/md/commercial-law/md-code-com-law-sect-14-3501.html |
| Colorado | CO | https://privacyplan.net/state-data-breach-law/colorado.htm | 5 | 42 | 28 / 9 / 5 / 0 | 2006 | Colorado Revised Statutes 6-1-716 | https://codes.findlaw.com/co/title-6-consumer-and-commercial-affairs/co-rev-st-sect-6-1-716.html |
| North Carolina | NC | https://privacyplan.net/state-data-breach-law/north-carolina.htm | 6 | 42 | 21 / 0 / 1 / 20 | 2005 | North Carolina General Statutes 75-61 and 75-65 | https://codes.findlaw.com/nc/chapter-75-monopolies-trusts-and-consumer-protection/nc-gen-st-sect-75-65.html |
| Illinois | IL | https://privacyplan.net/state-data-breach-law/illinois.htm | 7 | 38 | 16 / 5 / 12 / 5 | 2005 | 815 ILCS 530: Personal Information Protection Act | http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act. |
| Massachusetts | MA | https://privacyplan.net/state-data-breach-law/massachusetts.htm | 8 | 34 | 12 / 3 / -1 / 20 | 2007 | Massachusetts General Laws 93H, Section 1 | https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1 |
| Florida | FL | https://privacyplan.net/state-data-breach-law/florida.htm | 9 | 33 | 19 / 5 / 11 / -2 | 2014 | Fla. Stat. § 501.171 | http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0500-0599/0501/Sections/0501.171.html |
| North Dakota | ND | https://privacyplan.net/state-data-breach-law/north-dakota.htm | 10 | 33 | 9 / 2 / 12 / 10 | 2005 | North Dakota Century Code | https://codes.findlaw.com/nd/title-51-sales-and-exchanges/nd-cent-code-sect-51-30-02.html |
| Hawaii | HI | https://privacyplan.net/state-data-breach-law/hawaii.htm | 11 | 32 | 17 / -1 / 6 / 10 | 2006 | Hawaii Revised Statutes 487N-1 | https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm |
| Louisiana | LA | https://privacyplan.net/state-data-breach-law/louisiana.htm | 12 | 31 | 101416 | 2005 | La. Rev. Stat. §§ 51:3071 et seq. | |
| Oregon | OR | https://privacyplan.net/state-data-breach-law/oregon.htm | 13 | 31 | 17 / 12 / 4 / -2 | 2007 | Oregon Revised Statutes 646A.600: Oregon Consumer Identity Theft Protection Act | https://www.oregonlaws.org/ors/646A.604 |
| Texas | TX | https://privacyplan.net/state-data-breach-law/texas.htm | 14 | 31 | 13 / 2 / 10 / 6 | 2007 | Texas Business and Commerce Code 521.002 and 521.053 | https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm#521.002 |
| Puerto Rico | PR | https://privacyplan.net/state-data-breach-law/puerto-rico.htm | 15 | 30 | 10 / -3 / 18 / 5 | 2005 | 10 P.R. Laws Ann. §§ 4051–4055 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=3dae5e3e-ddd2-49bf-8535-aadcdeb8fb71&nodeid=AAMAADABGAAB&nodepath=%2FROOT%2FAAM%2FAAMAAD%2FAAMAADABG%2FAAMAADABGAAB&level=4&haschildren=&populated=false&title=%C2%A7+4051.+Definitions&config=00JABkODU1MGI4OC1hMmRkLTQ2MGYtOGY1NS03YjVjOWM4YjJlZjAKAFBvZENhdGFsb2d0HiKld62itjBDGzN8H7lV&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A5D6S-8B41-66SD-80SR-00008-00&ecomp=k5v8kkk&prid=80ede612-e1e6-4866-a3e4-ff35f4f52440 |
| Minnesota | MN | https://privacyplan.net/state-data-breach-law/minnesota.htm | 16 | 29 | 8 / -1 / 12 / 10 | 2005 | Minnesota Statutes 325E.61 | |
| Nevada | NV | https://privacyplan.net/state-data-breach-law/nevada.htm | 17 | 29 | 811010 | 2005 | Nevada Revised Statutes 603A.010 | https://www.leg.state.nv.us/nrs/nrs-603a.html |
| South Carolina | SC | https://privacyplan.net/state-data-breach-law/south-carolina.htm | 18 | 29 | 13 / -1 / -1 / 18 | 2008 | South Carolina Code 39-1-90 | https://www.scstatehouse.gov/query.php?search=DOC&searchtext=SECTION%2039%201%2090&category=CODEOFLAWS&conid=36689925&result_pos=0&keyval=17283&numrows=10 |
| Connecticut | CT | https://privacyplan.net/state-data-breach-law/connecticut.htm | 19 | 27 | 19 / -4 / 12 / 0 | 2005 | Connecticut General Statutes 36a-701b | https://www.cga.ct.gov/current/pub/chap_669.htm#sec_36a-701b |
| Rhode Island | RI | https://privacyplan.net/state-data-breach-law/rhode-island.htm | 20 | 27 | 15 / 0 / 4 / 8 | 2006 | Rhode Island General Laws 11-49.3 | http://webserver.rilin.state.ri.us/Statutes/TITLE11/11-49.3/11-49.3-4.HTM |
| New Hampshire | NH | https://privacyplan.net/state-data-breach-law/new-hampshire.htm | 21 | 25 | 11 / -1 / 5 / 10 | 2006 | New Hampshire Revised Statutes 359-C:20 | |
| New Jersey | NJ | https://privacyplan.net/state-data-breach-law/new-jersey.htm | 22 | 25 | 15 / -3 / 13 / 0 | 2005 | New Jersey Statutes 56:8-163: Identity Theft Prevention Act | https://codes.findlaw.com/nj/title-56-trade-names-trademarks-and-unfair-trade-practices/nj-st-sect-56-8-162.html |
| Alabama | AL | https://privacyplan.net/state-data-breach-law/alabama.htm | 23 | 24 | 20 / -1 / -1 / 6 | 2018 | 2018 S.B. 318, Act No. 396 | http://alisondb.legislature.state.al.us/alison/CodeOfAlabama/1975/8-38-2.htm |
| South Dakota | SD | https://privacyplan.net/state-data-breach-law/south-dakota.htm | 24 | 24 | 12 / 2 / 4 / 6 | 2018 | South Dakota’s Senate Bill 62 | https://sdlegislature.gov/Statutes/Codified_Laws/2047702 |
| Virgin Islands | VI | https://privacyplan.net/state-data-breach-law/virgin-islands.htm | 25 | 23 | 4 / -1 / 10 / 10 | | V.I. Code tit. 14, §§ 2208, 2209 | https://advance.lexis.com/container?config=024453JABiMWFjOTk0OS1hNTVlLTQ1MDctYmZkOS1mNGRkY2I0ZTg2YzQKAFBvZENhdGFsb2fNaUTUAugmXPqNctTcuqLy&crid=64f20113-6ffc-44f5-b260-1e5fdea78634 |
| Arkansas | AR | https://privacyplan.net/state-data-breach-law/arkansas.htm | 26 | 22 | 9 / 4 / 4 / 5 | 2005 | Arkansas Code 4-110-101: Personal Information Protection Act | https://law.justia.com/codes/arkansas/2010/title-4/subtitle-7/chapter-110/4-110-105/ |
| Delaware | DE | https://privacyplan.net/state-data-breach-law/delaware.htm | 27 | 21 | 15 / 2 / 4 / 0 | 2005 | Delaware Code Title 6, Chapter 12B | http://delcode.delaware.gov/title6/c012b/index.shtml |
| Virginia | VI | https://privacyplan.net/state-data-breach-law/virginia.htm | 28 | 21 | 13125 | 2008 | Virginia Code 18.2-186.6 and 32.1-127.1:05 | http://law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/ |
| Tennessee | TN | https://privacyplan.net/state-data-breach-law/tennessee.htm | 29 | 20 | 9 / -1 / 2 / 10 | 2005 | Tennessee Code 47-18-2107 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=ae167118-3d03-4a8c-af3c-83c6191bfd5e&nodeid=ABVAAUAAVAAH&nodepath=%2FROOT%2FABV%2FABVAAU%2FABVAAUAAV%2FABVAAUAAVAAH&level=4&haschildren=&populated=false&title=47-18-2107.+Release+of+personal+consumer+information.&config=025054JABlOTJjNmIyNi0wYjI0LTRjZGEtYWE5ZC0zNGFhOWNhMjFlNDgKAFBvZENhdGFsb2cDFQ14bX2GfyBTaI9WcPX5&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A4X8K-XB40-R03J-K1K5-00008-00&ecomp=f38_kkk&prid=1ebbe805-18ab-4aae-92e0-ec985d915ffa |
| Montana | MT | https://privacyplan.net/state-data-breach-law/montana.htm | 30 | 19 | 15130 | 2006 | Montana Code 30-14-1704 | https://leg.mt.gov/bills/mca_toc/30_14_17.htm |
| New York | NY | https://privacyplan.net/state-data-breach-law/new-york.htm | 31 | 19 | 16 / 3 / 5 / -5 | 2005 | New York General Business Law 899-aa and State Technology Law 208 | https://www.nysenate.gov/legislation/laws/GBS/899-AA |
| Vermont | VT | https://privacyplan.net/state-data-breach-law/vermont.htm | 32 | 19 | 13 / 4 / 2 / 0 | 2006 | Vermont Statutes Annotated 9-2430 and 2435 | https://legislature.vermont.gov/statutes/section/09/062/02435 |
| Alaska | AK | https://privacyplan.net/state-data-breach-law/alaska.htm | 33 | 17 | 4 / 2 / 6 / 5 | 2008 | Alaska Statutes 45.48.010: Personal Information Protection Act | http://law.alaska.gov/department/civil/consumer/4548.html |
| Georgia | GA | https://privacyplan.net/state-data-breach-law/georgia.htm | 34 | 17 | 5 / 0 / 12 / 0 | 2005 | Georgia Code 10-1-912 | https://codes.findlaw.com/ga/title-10-commerce-and-trade/ga-code-sect-10-1-910.html |
| Nebraska | NE | https://privacyplan.net/state-data-breach-law/nebraska.htm | 35 | 17 | 7 / 5 / 5 / 0 | 2006 | Nebraska Revised Statutes 87-801 | https://nebraskalegislature.gov/laws/statutes.php?statute=87-802 |
| Maine | ME | https://privacyplan.net/state-data-breach-law/maine.htm | 36 | 15 | 4 / 0 / 5 / 6 | 2005 | 10 Me. Rev. Stat. § 1346 et seq. | http://legislature.maine.gov/statutes/10/title10ch210-Bsec0.html |
| Wisconsin | WI | https://privacyplan.net/state-data-breach-law/wisconsin.htm | 37 | 14 | 12 / -2 / 4 / 0 | 2006 | Wisconsin Statutes 134.98 | https://docs.legis.wisconsin.gov/statutes/statutes/134/98 |
| Iowa | IA | https://privacyplan.net/state-data-breach-law/iowa.htm | 38 | 13 | 8 / 0 / 5 / 0 | 2008 | Iowa Code 715C.1 | https://www.legis.iowa.gov/docs/code/715c.pdf |
| Arizona | AZ | https://privacyplan.net/state-data-breach-law/arizona.htm | 39 | 12 | 15 / 1 / -2 / -2 | 2006 | Arizona Revised Statutes 18-545 | https://www.azleg.gov/viewdocument/?docName=https://www.azleg.gov/ars/18/00551.htm |
| Kentucky | KY | https://privacyplan.net/state-data-breach-law/kentucky.htm | 40 | 12 | 8 / 2 / 2 / 0 | 2014 | KY Rev. Stat. §365.732 | https://codes.findlaw.com/ky/title-xxix-commerce-and-trade/ky-rev-st-sect-365-732.html |
| Indiana | IN | https://privacyplan.net/state-data-breach-law/indiana.htm | 41 | 11 | 1114-5 | 2005 | Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq. | http://iga.in.gov/legislative/laws/2020/ic/titles/004#4-1-11 |
| Michigan | MI | https://privacyplan.net/state-data-breach-law/michigan.htm | 42 | 10 | 8 / 2 / -2 / 2 | 2006 | Mich. Comp. Laws §§ 445.63, 445.72 | https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1 |
| New Mexico | NM | https://privacyplan.net/state-data-breach-law/new-mexico.htm | 43 | 10 | 18 / 0 / -3 / -5 | 2017 | New Mexico Data Breach Act - HB 15 | https://nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdf |
| Wyoming | WY | https://privacyplan.net/state-data-breach-law/wyoming.htm | 44 | 10 | 6 / 1 / 3 / 0 | 2007 | Wyoming Statutes 40-12-501 | https://codes.findlaw.com/wy/title-40-trade-and-commerce/wy-st-sect-40-12-501.html |
| Missouri | MO | https://privacyplan.net/state-data-breach-law/missouri.htm | 45 | 9 | 12 / 0 / 2 / -5 | 2009 | Missouri Revised Statutes 407.1500 | https://revisor.mo.gov/main/OneSection.aspx?section=407.1500&bid=23329&hl= |
| Pennsylvania | PA | https://privacyplan.net/state-data-breach-law/pennsylvania.htm | 46 | 7 | 4 / -1 / 4 / 0 | 2006 | Pennsylvania Statutes 73-2301: Breach of Personal Information Notification Act | https://govt.westlaw.com/pac/Document/N5406B1B08C5311DA943797541B5FDE35?viewType=FullText&originationContext=documenttoc&transitionType=CategoryPageItem&contextData=(sc.Default)&bhcp=1 |
| Ohio | OH | https://privacyplan.net/state-data-breach-law/ohio.htm | 47 | 5 | 9 / -7 / -3 / 6 | 2005 | Ohio Revised Code 1349.19 | https://codes.ohio.gov/ohio-revised-code/section-1349.19 |
| West Virginia | WV | https://privacyplan.net/state-data-breach-law/west-virginia.htm | 48 | 5 | 9 / -1 / 2 / -5 | 2008 | West Virginia Code 46A-2A-101 | http://www.wvlegislature.gov/WVCODE/Code.cfm?chap=46a&art=2A#2A |
| Kansas | KS | https://privacyplan.net/state-data-breach-law/kansas.htm | 49 | 4 | 4 / -1 / 1 / 0 | 2006 | Kansas Statutes 50-7a01 | http://www.kslegislature.org/li_2014/b2013_14/statute/050_000_0000_chapter/050_007a_0000_article/ |
| Mississippi | MS | https://privacyplan.net/state-data-breach-law/mississippi.htm | 50 | 3 | 0 / -1 / 4 / 0 | 2010 | Mississippi Code 75-24-29 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=44f0d968-6ef3-4aef-a2db-7ec4c9f0e2c7&nodeid=ABNAAWAABAAQ&nodepath=%2FROOT%2FABN%2FABNAAW%2FABNAAWAAB%2FABNAAWAABAAQ&level=4&haschildren=&populated=false&title=%C2%A7+75-24-29.+Persons+conducting+business+in+Mississippi+required+to+provide+notice+of+a+breach+of+security+involving+personal+information+to+all+affected+individuals%3B+enforcement.&config=00JABhZDIzMTViZS04NjcxLTQ1MDItOTllOS03MDg0ZTQxYzU4ZTQKAFBvZENhdGFsb2f8inKxYiqNVSihJeNKRlUp&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A8P6B-8782-8T6X-74VC-00008-00&ecomp=k5v8kkk&prid=9be20549-c96b-46a9-b338-d9943601c47d |
| Idaho | ID | https://privacyplan.net/state-data-breach-law/idaho.htm | 51 | 0 | 4 / -4 / 5 / -5 | 2006 | Idaho Code 28-51-104 | https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/ |
| Guam | GU | https://privacyplan.net/state-data-breach-law/guam.htm | 52 | -4 | 0 / -1 / 2 / -5 | 2009 | Guam Law Link | http://www.guamcourts.org/CompilerofLaws/GCA/09gca/9gc048.pdf |
| Oklahoma | OK | https://privacyplan.net/state-data-breach-law/oklahoma.htm | 53 | -4 | 0 / -1 / 2 / -5 | 2008 | 24 Okla. Stat. § 161 et seq. | https://www.bakerlaw.com/webfiles/Privacy/Map/State-Data-Breach-Statute/Oklahoma.pdf |
| Utah | UT | https://privacyplan.net/state-data-breach-law/utah.htm | 54 | -7 | 0 / -4 / 2 / -5 | 2006 | Utah Code 13-44-101, 13-44-202 and 13-44-301: Protection of Personal Information Act | https://le.utah.gov/xcode/Title13/Chapter44/C13-44_1800010118000101.pdf |

Our Statute Scoring Model:

Breach Notification:

    • Reporting Deadline: 0 to 10 points
    • Reporting Deadline for 3rd Parties: 0-4 points
    • AG Reporting + Threshold: 0-5 points
    • CRA Reporting + Threshold: 0-4 points 
    • Consumer Notice Requirements: 0 to 6 points
    • Max points: 29 

Personal Data Coverage:

    • Data Combos That Trigger Breach: 1 to 3 points (multiplier)
    • Data Elements Covered: 0-8 points
    • Exceptions: 0-9 points subtracted
    • Max points: 24

Harm Triggers:

    • Access to Data Triggers: 8 points
    • Substantial Risk Clause: -5 points
    • Specific Harm Trigger: 1-7 points
    • Harm Analysis Not Required: 0-5 points 
    • Paper Records Covered: +2 points
    • Max points: 22

Fines & Enforcement:

    • Size of Potential Fine Estimate: 0 to 10 points
    • Max Fine Limitations: 0-5 points subtracted
    • Criminal Penalty in Statute: +5 points
    • Private Right of Action: +10 points
    • It would be good to enhance this indicator with data on AG prosecutions
    • Max points: 25

What’s not in our model? We haven’t taken an exhaustive look at each individual piece of legislation as a whole. For instance, we didn’t look at data security, data retention, or data destruction requirements embedded into breach statutes. We also don’t consider Privacy Policy requirements, which are quite valuable.

In our breach notification metric, we didn’t delve into cost-containment provisions that can give companies an out, or into exactly what must be included in those notifications, which can be a boon to consumers. Note: we do not believe that free credit monitoring is one of those boons, but rather a flawed panacea.

We also didn’t look at the actual enforcement priorities of State AGs or the effectiveness of the Private Right of Action language. If there were a way to look at it, it might have been good to scrutinize actual fines collected by each state. We might also have added points for Breach reporting portals and Breach Walls of Shame.

We discriminate a bit against states that do not list explicit timeframes in their breach reporting laws. “Without delay” allows lawyers too much wiggle room for us.

Have suggestions or complaints about our scoring model? Email info@privacyplan.net.