State Breach Statute Scoring


State Data Breach Laws: Analysis

Unique data. Hand-curated.

This study scores State Data Breach Statutes across four major metrics:

    • Breach Notification
    • Personal Data Coverage
    • Harm Triggers
    • Fines & Enforcement

Each metric is based on several scoring elements within the statute. The goal was to get a broad picture of how statutes differ and which states have relatively “better” and “worse” statutes in terms of overall protection for their constituents.

This is a consumer-focused score. If the model works as intended, statutes with the highest scores should generate the most notifications/fines/actions across a range of data breaches.

We expect that this model will generate some discussion. Some states with ‘stronger’ data breach laws haven’t scored as highly. Is that because we are scoring more objectively, or because we are missing nuance or indicators? We contend that when you look closely at the individual elements of each law, even strong Breach Notification Laws often have flaws in one of the four areas we examine, undermining their effectiveness.

State Data Breach Law: Statute Scoring

Our Statute Scoring Model:

Breach Notification:

    • Reporting Deadline: 0-10 points
    • Reporting Deadline for 3rd Parties: 0-4 points
    • AG Reporting + Threshold: 0-5 points
    • CRA Reporting + Threshold: 0-4 points
    • Consumer Notice Requirements: 0-6 points
    • Max points: 29

Personal Data Coverage:

    • Data Combos That Trigger Breach: 1-3 points (multiplier)
    • Data Elements Covered: 0-8 points
    • Exceptions: 0-9 points subtracted
    • Max points: 24

Harm Triggers:

    • Access to Data Triggers: 8 points
    • Substantial Risk Clause: -5 points
    • Specific Harm Trigger: 1-7 points
    • Harm Analysis Not Required: 0-5 points
    • Paper Records Covered: +2 points
    • Max points: 22

Fines & Enforcement:

    • Size of Potential Fine Estimate: 0-10 points
    • Max Fine Limitations: 0-5 points subtracted
    • Criminal Penalty in Statute: +5 points
    • Private Right of Action: +10 points
    • Note: it would be good to enhance this metric with data on AG prosecutions
    • Max points: 25

What’s not in our model? We haven’t taken an exhaustive look at each individual piece of legislation as a whole. For instance, we didn’t look at data security, data retention, or data destruction requirements embedded into breach statutes. We also don’t consider Privacy Policy requirements, which are quite valuable.

In our breach notification metric, we didn’t delve into cost-containment provisions that can give companies an out, or into exactly what must be included in those notifications, which can be a boon to consumers. Note: we do not believe that free credit monitoring is one of those boons, but rather a flawed panacea.

We also didn’t look at the actual enforcement priorities of State AGs or the effectiveness of the Private Right of Action language. If there were a way to do it, it might have been good to scrutinize the actual fines collected by each state. We might also have added points for breach reporting portals and breach Walls of Shame.

We discriminate a bit against states that do not list explicit timeframes in their breach reporting laws. “Without delay” allows lawyers too much wiggle room for us.

Have suggestions or complaints about our scoring model? Email