State Breach Statute Scoring


State Data Breach Laws: Analysis

Unique data. Hand-curated.

This study scores State Data Breach Statutes across four major metrics:

    • Breach Notification
    • Personal Data Coverage
    • Harm Triggers
    • Fines & Enforcement

Each metric is built from several scoring elements found in the statute. The goal is a broad picture of how statutes differ and which states have relatively “better” and “worse” statutes in terms of overall protection for their residents.

This is a consumer-focused score. If the model works as intended, the statutes with the highest scores should generate the most notifications, fines and enforcement actions across a range of data breaches.

We expect this model to generate some discussion. Some states with ‘stronger’ data breach laws have not scored as highly. Is that because we are scoring more objectively, or because we are missing nuance or indicators? We contend that when you look closely at the individual elements of each law, even strong breach notification laws often have flaws in one of the four areas we examine, undermining their effectiveness.

State Data Breach Law: Statute Scoring

The statutes scored, with the citation used for each:

    • California (CA): Civil Code 1798.29 and 1798.80
    • District of Columbia (DC): Consumer Security Breach Information
    • Washington (WA): Revised Code 19.255.010
    • Maryland (MD): Commercial Code 14-3501
    • Colorado (CO): Revised Statutes 6-1-716
    • North Carolina (NC): General Statutes 75-61 and 75-65
    • Illinois (IL): ILCS 530, Personal Information Protection Act
    • Massachusetts (MA): General Laws 93H, Section 1
    • Florida (FL): Stat. § 501.171
    • North Dakota (ND): Century Code
    • Hawaii (HI): Revised Statutes 487N-1
    • Louisiana (LA): Rev. Stat. §§ 51:3071 et seq.
    • Oregon (OR): Revised Statutes 646A.600, Oregon Consumer Identity Theft Protection Act
    • Texas (TX): Business and Commerce Code 521.002 and 521.053
    • Puerto Rico (PR): P.R. Laws Ann. §§ 4051–4055
    • Minnesota (MN): Statutes 325E.61
    • Nevada (NV): Revised Statutes 603A.010
    • South Carolina (SC): Code 39-1-90
    • Connecticut (CT): General Statutes 36a-701b
    • Rhode Island (RI): General Laws 11-49.3
    • New Hampshire (NH): Revised Statutes 359-C:20
    • New Jersey (NJ): Statutes 56:8-163, Identity Theft Prevention Act
    • Alabama (AL): S.B. 318, Act No. 396
    • South Dakota (SD): Senate Bill 62
    • Virgin Islands (VI): Code tit. 14, §§ 2208, 2209
    • Arkansas (AR): Code 4-110-101, Personal Information Protection Act
    • Delaware (DE): Code Title 6, Chapter 12B
    • Virginia (VA): Code 18.2-186.6 and 32.1-127.1:05
    • Tennessee (TN): Code 47-18-2107
    • Montana (MT): Code 30-14-1704
    • New York (NY): General Business Law 899-aa and State Technology Law 208
    • Vermont (VT): Statutes Annotated 9-2430 and 2435
    • Alaska (AK): Statutes 45.48.010, Personal Information Protection Act
    • Georgia (GA): Code 10-1-912
    • Nebraska (NE): Revised Statutes 87-801
    • Maine (ME): Me. Rev. Stat. § 1346 et seq.
    • Wisconsin (WI): Statutes 134.98
    • Iowa (IA): Code 715C.1
    • Arizona (AZ): Revised Statutes 18-545
    • Kentucky (KY): Rev. Stat. § 365.732
    • Indiana (IN): Code §§ 4-1-11 et seq., 24-4.9 et seq.
    • Michigan (MI): Comp. Laws §§ 445.63, 445.72
    • New Mexico (NM): Data Breach Act, HB 15
    • Wyoming (WY): Statutes 40-12-501
    • Missouri (MO): Revised Statutes 407.1500
    • Pennsylvania (PA): Statutes 73-2301, Breach of Personal Information Notification Act
    • Ohio (OH): Revised Code 1349.19
    • West Virginia (WV): Code 46A-2A-101
    • Kansas (KS): Statutes 50-7a01
    • Mississippi (MS): Code 75-24-29
    • Idaho (ID): Code 28-51-104
    • Guam (GU): Law Link
    • Oklahoma (OK): Okla. Stat. § 161 et seq.
    • Utah (UT): Code 13-44-101, 13-44-202 and 13-44-301, Protection of Personal Information Act

Our Statute Scoring Model:

Each metric has its own maximum, and the four maxima (29 + 24 + 22 + 25) sum to 100, so a statute’s overall score is out of 100 points. Elements marked “subtracted” lower the score.

Breach Notification:

    • Reporting Deadline: 0 to 10 points
    • Reporting Deadline for 3rd Parties: 0 to 4 points
    • AG Reporting + Threshold: 0 to 5 points
    • CRA Reporting + Threshold: 0 to 4 points
    • Consumer Notice Requirements: 0 to 6 points
    • Max points: 29

Personal Data Coverage:

    • Data Combos That Trigger Breach: 1 to 3 points, applied as a multiplier to the Data Elements Covered score
    • Data Elements Covered: 0 to 8 points
    • Exceptions: 0 to 9 points subtracted
    • Max points: 24 (3 × 8)

Harm Triggers:

    • Access to Data Triggers: 8 points
    • Substantial Risk Clause: 5 points subtracted
    • Specific Harm Trigger: 1 to 7 points
    • Harm Analysis Not Required: 0 to 5 points
    • Paper Records Covered: 2 points added
    • Max points: 22

Fines & Enforcement:

    • Size of Potential Fine Estimate: 0 to 10 points
    • Max Fine Limitations: 0 to 5 points subtracted
    • Criminal Penalty in Statute: 5 points added
    • Private Right of Action: 10 points added
    • Max points: 25
    • Note: it would be good to enhance this metric with data on actual AG prosecutions

What’s not in our model? We haven’t taken an exhaustive look at each piece of legislation as a whole. For instance, we didn’t look at the data security, data retention, or data destruction requirements embedded in some breach statutes. We also don’t consider privacy policy requirements, which are quite valuable.

In our Breach Notification metric, we didn’t delve into cost-containment provisions that can give companies an out, or into exactly what must be included in the notifications themselves, which can be a boon to consumers. Note: we do not count free credit monitoring as one of those boons; we consider it a flawed panacea.

We also didn’t look at the actual enforcement priorities of state AGs, or at how effective the Private Right of Action language is in practice. If the data were available, it would have been worth scrutinizing the fines actually collected by each state. We might also have awarded points for breach reporting portals and breach “walls of shame”.

We penalize states a bit for not listing explicit timeframes in their breach reporting laws. “Without delay” gives lawyers too much wiggle room for us.

Have suggestions or complaints about our scoring model? Email