State Data Breach Law PII Analysis
โ Last edit: April, 2021
โ 50 State, 3 Territories
โ Breach Laws Analyzed
Unique data. Hand-curated.
This is an analysis of Personal Data thresholds for Data Breach Laws in all 50 U.S. States and plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands.
We focus on PII triggers for breach notification in three areas: 1) the Combinations of data that trigger breaches, 2) the 
data elements that can trigger a breach, and 3) whether there is a Public Data exception for and how it is defined. In this analysis we do not explore harm thresholds – see our State Data Breach Harm Trigger Analysis for information on that aspect of regulations.
Our dataset breaks out each law into Data Combos, the Data Elements, and Data Exceptions.
We score each state based on how expansive their data breach state protects constituents. Recent data breaches at Facebook, LinkedIn, and Clubhouse have highlighted the deficiencies in these laws to cover what are obvious breaches of the public trust. While each State has a data breach law, not all of them really protect citizens from every breach.
We found that the District of Columbia, Oregon, Washington, California, and Colorado had the strongest Data breach Laws in terms of personal data actually triggering a breach. This is because they cover more combinations of data, more data elements, and while they exempt Public records, that exemption does not extend past items “lawfully made available to the general public from federal, state, or local government records.”
Ohio scored worst, with Connecticut, Idaho, and Utah not far behind. Each of these states (and many others) require First and Last Name to be a part of the breached data, along with another element from a list. In these cases of these States, the list of Data Elements is short as well, encompassing primarily SSN, DL, and Financial data. Finally, they all exempt Public data including data “widely distributed in the media,” without regard to the sensitivity of that data.
There are problems with most state data breach laws. Based on the loopholes in almost all of these regulations, a catastrophic breach of a major entity might technically not even be a “breach.” Let’s look at a hypothetical: If FB lost facial recognition patterns, biometric info, Like data, location and derived psychometric data on millions of Americans – but the breached info did NOT include first and last name – it wouldn’t be legally considered a breach in nearly every US State. With that data, most Americans would be reidentified and profiled in the worst ways by bad actors.
The chart below shows you the details, sortable in many ways, and links you to the primary State Statute. You can also view detailed analyses of those regulations to check our work by jumping to State pages from Perkins Coie and Baker Hostetler.
We would love your feedback and commentary. Have we got it right? Are we missing something? Submit feedback to info@privacyplan.net or find Jeff on LinkedIn or on Twitter as @Privacy_Stan.
Data Breach PII Analysis
| States | Strength Score | CombinationsOfPersonalData | #1 | SSN DL IDs | Pass port | CC# Fin$ | MedData HealthIns | Online Accts | Tax IDs | Bio metrics | Other | #2 | Public Data | Gov Recs | Wide Distrib Media | Special | #3 | BH Analysis | StateDataBreachLawFullCitationAndLink | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| District of Columbia | 28.5 | First+Last+[List] [User/Email]+[Authentication] [any combo that allows ID theft] | 3 | Y | Y | Y | BOTH | Y | Y | DNA | 7 | Y | Y | 3 | https://code.dccouncil.us/dc/council/code/titles/28/chapters/38/subchapters/II/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-district-of-columbia.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=DC | DC Consumer Security Breach Information | |||
| Oregon | 19.5 | First+Last+[List] [Username, Other]+[Authentication] [any combo that allows ID theft] | 3 | Y | Y | Y | BOTH | Y | 5 | Y | Y | 3 | https://www.oregonlaws.org/ors/646A.604 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-oregon.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=OR | Oregon Revised Statutes 646A.600: Oregon Consumer Identity Theft Protection Act | |||||
| Washington | 19.5 | First+Last+[List] [Username, Other]+[Authentication] [any combo that allows ID theft] | 3 | Y | Y | BOTH | Y | eSig Full DOB | 5 | Y | Y | 3 | https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-washington.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=WA | Washington Revised Code 19.255.010 | |||||
| California | 18 | First+Last+[List] [User/Email]+[Authentication] | 2 | Y | Y | Y | BOTH | Y | Y | ALPR | 7 | Y | Y | 3 | http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.29 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-california.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=CA | California Civil Code 1798:29 and 1798:80 | |||
| Colorado | 16.5 | First+Last+[List] [User/Email]+[Authentication] [Accnt/CC]+[Authentication] | 3 | Y | Y | Y | BOTH | Y | 5 | Y | Y | Y | 6 | https://codes.findlaw.com/co/title-6-consumer-and-commercial-affairs/co-rev-st-sect-6-1-716.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-colorado.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=CO | Colorado Revised Statutes 6-1-716 | ||||
| Maryland | 12 | First+Last+[List] [User/Email]+[Authentication] | 2 | Y | Y | Y | BOTH | Y | Y | 6 | Y | Y | Y | 6 | https://codes.findlaw.com/md/commercial-law/md-code-com-law-sect-14-3501.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maryland.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MD | Maryland Commercial Code 14-3501 | |||
| Nebraska | 9 | First+Last+[List] [User OR Email]+[pass OR SecureQ&A] | 2 | Y | Y | Y | Y | 4 | Y | Y | 3 | https://nebraskalegislature.gov/laws/statutes.php?statute=87-802 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-nebraska.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NE | Nebraska Revised Statutes 87-801 | ||||||
| Illinois | 9 | First+Last+[List] [User/Email]+[Authentication] | 2 | Y | Y | BOTH | Y | 4 | Y | Y | 3 | http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act. | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-illinois.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=IL | 815 ILCS 530: Personal Information Protection Act | ||||||
| Florida | 9 | First+Last+[List] [User/Email]+[Authentication] | 2 | Y | Y | Y | BOTH | 4 | Y | Y | 3 | http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0500-0599/0501/Sections/0501.171.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-florida.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=FL | Fla. Stat. ยง 501.171 | ||||||
| Vermont | 7.5 | First+Last+[List] | 1 | Y | Y | Y | BOTH | Y | Y | DNA | 7 | Y | Y | 3 | https://legislature.vermont.gov/statutes/section/09/062/02435 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-vermont.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=VT | Vermont Statutes Annotated 9-2430 and 2435 | |||
| Delaware | 6 | First+Last+[List] | 1 | Y | Y | Y | BOTH | Y | Y | Y | DNA | 8 | Y | Y | Y | 6 | http://delcode.delaware.gov/title6/c012b/index.shtml | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-delaware.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=DE | Delaware Code Title 6, Chapter 12B | |
| New York | 6 | Info+[List] [User/Email]+[Authentication] | 2 | Y | Y | Y | 3 | Y | Y | 3 | https://www.nysenate.gov/legislation/laws/GBS/899-AA | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-york.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NY | New York General Business Law 899-aa and State Technology Law 208 | |||||||
| Arkansas | 6 | First+Last+[List] | 1 | Y | Y | MED | Y | 4 | 0 | https://law.justia.com/codes/arkansas/2010/title-4/subtitle-7/chapter-110/4-110-105/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-arkansas.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=AR | Arkansas Code 4-110-101: Personal Information Protection Act | ||||||||
| Maine | 4.5 | First+Last+[List] [any combo that allows ID theft] | 3 | Y | Y | Y | 3 | Y | Y | Y | Y | 9 | http://legislature.maine.gov/statutes/10/title10ch210-Bsec0.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maine.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=ME | 10 Me. Rev. Stat. ยง 1346 et seq. | |||||
| Wyoming | 4.5 | First+Last+[List] | 1 | Y | Y | BOTH | Y | Y | Y | Marriage/Birth Cert Tribal ID | 7 | Y | Y | Y | 6 | https://codes.findlaw.com/wy/title-40-trade-and-commerce/wy-st-sect-40-12-501.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-wyoming.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=WY | Wyoming Statutes 40-12-501 | ||
| Arizona | 4.5 | First+Last+[List] | 1 | Y | Y | Y | BOTH | Y | Y | eSig | 7 | Y | Y | Y | 6 | https://www.azleg.gov/viewdocument/?docName=https://www.azleg.gov/ars/18/00551.htm | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-arizona.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=AZ | Arizona Revised Statutes 18-545 | ||
| South Dakota | 4.5 | First+Last+[List] | 1 | Y | Y | BOTH | Y | Emploter IDs | 5 | Y | Y | 3 | https://sdlegislature.gov/Statutes/Codified_Laws/2047702 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-south-dakota.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=SD | South Dakotaโs Senate Bill 62 | |||||
| Texas | 4.5 | First+Last+[List] | 1 | Y | Y | BOTH | Y | Maiden Name Full DOB | 5 | Y | Y | 3 | https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm#521.002 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-texas.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=TX | Texas Business and Commerce Code 521.002 and 521.053 | |||||
| North Dakota | 4.5 | First+Last+[List] | 1 | Y | Y | BOTH | Y | Maiden Name Full DOB Employer ID eSig | 5 | Y | Y | 3 | https://codes.findlaw.com/nd/title-51-sales-and-exchanges/nd-cent-code-sect-51-30-02.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-north-dakota.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=ND | North Dakota Century Code | |||||
| North Carolina | 3 | First+Last+[List] | 1 | Y | Y | Y | Y | Y | eSig | 6 | Y | Y | Y | 6 | https://codes.findlaw.com/nc/chapter-75-monopolies-trusts-and-consumer-protection/nc-gen-st-sect-75-65.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-north-carolina.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NC | North Carolina General Statutes 75-61 and 75-65 | |||
| Louisiana | 3 | First+Last+[List] | 1 | Y | Y | Y | Y | 4 | Y | Y | 3 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-louisiana.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=LA | La. Rev. Stat. ยงยง 51:3071 et seq. | |||||||
| Montana | 3 | First+Last+[List] | 1 | Y | Y | BOTH | Y | 4 | Y | Y | 3 | https://leg.mt.gov/bills/mca_toc/30_14_17.htm | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-montana.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MT | Montana Code 30-14-1704 | ||||||
| Nevada | 3 | First+Last+[List] | 1 | Y | Y | HISN | Y | 4 | Y | Y | 3 | https://www.leg.state.nv.us/nrs/nrs-603a.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-nevada.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NV | Nevada Revised Statutes 603A.010 | ||||||
| Virginia | 3 | First+Last+[List] | 1 | Y | Y | Y | Military IDs | 4 | Y | Y | 3 | http://law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-virginia.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=VI | Virginia Code 18.2-186.6 and 32.1-127.1:05 | ||||||
| Indiana | 3 | First+Last+[List] SSN | 2 | Y | Y | 2 | Y | Y | 3 | http://iga.in.gov/legislative/laws/2020/ic/titles/004#4-1-11 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-indiana.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=IN | Ind. Code ยงยง 4-1-11 et seq., 24-4.9 et seq. | ||||||||
| Alaska | 3 | First+Last+[List] | 1 | Y | Y | 2 | 0 | http://law.alaska.gov/department/civil/consumer/4548.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-alaska.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=AK | Alaska Statutes 45.48.010: Personal Information Protection Act | ||||||||||
| Kentucky | 3 | First+Last+[List] | 1 | Y | Y | 2 | 0 | https://codes.findlaw.com/ky/title-xxix-commerce-and-trade/ky-rev-st-sect-365-732.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-kentucky.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=KY | KY Rev. Stat. ยง365.732 | ||||||||||
| Michigan | 3 | First+Last+[List] | 1 | Y | Y | 2 | 0 | https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-michigan.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MI | Mich. Comp. Laws ยงยง 445.63, 445.72 | ||||||||||
| Alabama | 1.5 | First+Last+[List] | 1 | Y | Y | Y | BOTH | Y | 5 | Y | Y | Y | 6 | http://alisondb.legislature.state.al.us/alison/CodeOfAlabama/1975/8-38-2.htm | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-alabama.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=AL | 2018 S.B. 318, Act No. 396 | ||||
| Iowa | 1.5 | First+Last+[List] | 1 | Y | Y | Y | 3 | Y | Y | 3 | https://www.legis.iowa.gov/docs/code/715c.pdf | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-iowa.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=IN | Iowa Code 715C.1 | |||||||
| New Mexico | 1.5 | First+Last+[List] | 1 | Y | Y | Y | 3 | Y | Y | 3 | https://nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdf | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-mexico.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NM | New Mexico Data Breach Act - HB 15 | |||||||
| Georgia | 1.5 | First+Last+[List] | 1 | Y | Y | Y | 3 | Y | Y | 3 | https://codes.findlaw.com/ga/title-10-commerce-and-trade/ga-code-sect-10-1-910.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-georgia.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=GA | Georgia Code 10-1-912 | |||||||
| Missouri | 1.5 | First+Last+[List] | 1 | Y | Y | BOTH | 3 | Y | Y | 3 | https://revisor.mo.gov/main/OneSection.aspx?section=407.1500&bid=23329&hl= | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-missouri.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MO | Missouri Revised Statutes 407.1500 | |||||||
| Rhode Island | 1.5 | First+Last+[List] | 1 | Y | Y | BOTH | 3 | Y | Y | 3 | http://webserver.rilin.state.ri.us/Statutes/TITLE11/11-49.3/11-49.3-4.HTM | https://www.perkinscoie.com/en/news-insights/rhode-island.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=RI | Rhode Island General Laws 11-49.3 | |||||||
| Puerto Rico | 0 | First+Last+[List] | 1 | Y | Y | MED | Y | Y | Tax Info Work Evals | 6 | Y | Y | Y | Y | 9 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=3dae5e3e-ddd2-49bf-8535-aadcdeb8fb71&nodeid=AAMAADABGAAB&nodepath=%2FROOT%2FAAM%2FAAMAAD%2FAAMAADABG%2FAAMAADABGAAB&level=4&haschildren=&populated=false&title=%C2%A7+4051.+Definitions&config=00JABkODU1MGI4OC1hMmRkLTQ2MGYtOGY1NS03YjVjOWM4YjJlZjAKAFBvZENhdGFsb2d0HiKld62itjBDGzN8H7lV&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A5D6S-8B41-66SD-80SR-00008-00&ecomp=k5v8kkk&prid=80ede612-e1e6-4866-a3e4-ff35f4f52440 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-puerto-rico.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=RI | 10 P.R. Laws Ann. ยงยง 4051โ4055 | ||
| Wisconsin | 0 | First+Last+[List] | 1 | Y | Y | Y | DNA | 4 | Y | Y | Y | 6 | https://docs.legis.wisconsin.gov/statutes/statutes/134/98 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-wisconsin.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=WI | Wisconsin Statutes 134.98 | |||||
| Guam | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | http://www.guamcourts.org/CompilerofLaws/GCA/09gca/9gc048.pdf | https://www.bakerlaw.com/datamap_ajax.aspx?statename=GU | Guam Law Link | |||||||||
| Hawaii | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htm | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-hawaii.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=HI | Hawaii Revised Statutes 487N-1 | ||||||||
| Kansas | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | http://www.kslegislature.org/li_2014/b2013_14/statute/050_000_0000_chapter/050_007a_0000_article/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-kansas.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=KS | Kansas Statutes 50-7a01 | ||||||||
| Massachusetts | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-massachusetts.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MA | Massachusetts General Laws 93H, Section 1 | ||||||||
| Minnesota | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | https://www.revisor.mn.gov/statutes/?id=325E.61 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-minnesota.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MN | Minnesota Statutes 325E.61 | ||||||||
| Mississippi | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=44f0d968-6ef3-4aef-a2db-7ec4c9f0e2c7&nodeid=ABNAAWAABAAQ&nodepath=%2FROOT%2FABN%2FABNAAW%2FABNAAWAAB%2FABNAAWAABAAQ&level=4&haschildren=&populated=false&title=%C2%A7+75-24-29.+Persons+conducting+business+in+Mississippi+required+to+provide+notice+of+a+breach+of+security+involving+personal+information+to+all+affected+individuals%3B+enforcement.&config=00JABhZDIzMTViZS04NjcxLTQ1MDItOTllOS03MDg0ZTQxYzU4ZTQKAFBvZENhdGFsb2f8inKxYiqNVSihJeNKRlUp&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A8P6B-8782-8T6X-74VC-00008-00&ecomp=k5v8kkk&prid=9be20549-c96b-46a9-b338-d9943601c47d | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-mississippi.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=MS | Mississippi Code 75-24-29 | ||||||||
| New Hampshire | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-hampshire.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NH | New Hampshire Revised Statutes 359-C:20 | |||||||||
| Oklahoma | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | https://www.bakerlaw.com/webfiles/Privacy/Map/State-Data-Breach-Statute/Oklahoma.pdf | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-oklahoma.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=OK | 24 Okla. Stat. ยง 161 et seq. | ||||||||
| Pennsylvania | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | https://govt.westlaw.com/pac/Document/N5406B1B08C5311DA943797541B5FDE35?viewType=FullText&originationContext=documenttoc&transitionType=CategoryPageItem&contextData=(sc.Default)&bhcp=1 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-pennsylvania.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=PA | Pennsylvania Statutes 73-2301: Breach of Personal Information Notification Act | ||||||||
| South Carolina | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | https://www.scstatehouse.gov/query.php?search=DOC&searchtext=SECTION%2039%201%2090&category=CODEOFLAWS&conid=36689925&result_pos=0&keyval=17283&numrows=10 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-south-carolina.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=SC | South Carolina Code 39-1-90 | ||||||||
| Tennessee | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=ae167118-3d03-4a8c-af3c-83c6191bfd5e&nodeid=ABVAAUAAVAAH&nodepath=%2FROOT%2FABV%2FABVAAU%2FABVAAUAAV%2FABVAAUAAVAAH&level=4&haschildren=&populated=false&title=47-18-2107.+Release+of+personal+consumer+information.&config=025054JABlOTJjNmIyNi0wYjI0LTRjZGEtYWE5ZC0zNGFhOWNhMjFlNDgKAFBvZENhdGFsb2cDFQ14bX2GfyBTaI9WcPX5&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A4X8K-XB40-R03J-K1K5-00008-00&ecomp=f38_kkk&prid=1ebbe805-18ab-4aae-92e0-ec985d915ffa | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-tennessee.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=TN | Tennessee Code 47-18-2107 | ||||||||
| Virgin Islands | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | https://law.justia.com/codes/virgin-islands/2019/title-14/chapter-110/subchapter-i/2208/ | https://www.bakerlaw.com/datamap_ajax.aspx?statename=VI | V.I. Code tit. 14, ยงยง 2208, 2209 | |||||||||
| West Virginia | 0 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | 3 | http://www.wvlegislature.gov/WVCODE/Code.cfm?chap=46a&art=2A#2A | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-west-virginia.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=WV | West Virginia Code 46A-2A-101 | ||||||||
| New Jersey | -1.5 | First+Last+[List] | 1 | Y | Y | Y | 3 | Y | Y | Y | 6 | https://codes.findlaw.com/nj/title-56-trade-names-trademarks-and-unfair-trade-practices/nj-st-sect-56-8-162.html | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-jersey.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=NJ | New Jersey Statutes 56:8-163: Identity Theft Prevention Act | ||||||
| Connecticut | -3 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | Y | 6 | https://www.cga.ct.gov/current/pub/chap_669.htm#sec_36a-701b | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-connecticut.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=CT | Connecticut General Statutes 36a-701b | |||||||
| Idaho | -3 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | Y | 6 | https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/ | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-idaho.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=ID | Idaho Code 28-51-104 | |||||||
| Utah | -3 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | Y | 6 | https://le.utah.gov/xcode/Title13/Chapter44/C13-44_1800010118000101.pdf | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-utah.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=UT | Utah Code 13-44-101, 13-44-202 and 13-44-301: Protection of Personal Information Act | |||||||
| Ohio | -6 | First+Last+[List] | 1 | Y | Y | 2 | Y | Y | Y | Y | 9 | https://codes.ohio.gov/ohio-revised-code/section-1349.19 | https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-ohio.html | https://www.bakerlaw.com/datamap_ajax.aspx?statename=OH | Ohio Revised Code 1349.19 |
Legend
PII Strength Score* Calculated as (ComboScore*(ElementScore*1.5))-ExceptionScore
An indication of the broadness of the coverage of information that might be breached and would trigger a breach notification.
| Data Combos | There are 5 methodologies used: | ||
| Combo | First+Last+[List] | FirstName plus LastName plus something from list of Elements | |
| Combo | [Username, Other]+[Authentication] | Username (or Other) plus and Authentication mechanism | |
| Combo | [User OR Email]+[pass OR SecureQ&A] | Username or Email plus and Authentication mechanism | |
| Combo | [Accnt/CC]+[Authentication] | Account or Credit Card plus and Authentication mechanism | |
| Combo | [any combo that allows ID theft] | Any data Elements in combination if leads to Identity Theft | |
| Data Elements | States list Data Elements that can Trigger a Breach notification | ||
| Element | SSN / DL / IDs | Social Security Number, Drivers License, Government Identification | |
| Element | Passport | Passport Number | |
| Element | CC# / Fin$ | Credit Card or Financial Account data | |
| Element | MedInfo / HealthIns | Medical data and/or Health Insurance Identification Number | |
| Element | Online Accts | Information used to access an online account (Username/Password, etc) | |
| Element | Tax IDs | Tax IDs | |
| Element | Biometrics | Biometric Identifiers | |
| Element | Other | Anything else interesting | |
| Exceptions | States often exclude some forms of Publicly Available Data | ||
| Exception | Public Data | Base Exclusion – some form is excluded | |
| Exception | Gov Recs | Information available from government records is excluded | |
| Exception | Wide Distrib Media | Information widely distributed in the media is excluded | |
| Exception | Special | Other specific exclusions are noted | |
