State Data Breach Law PII Analysis

◈ Last edit: April, 2021
◈ 50 State, 3 Territories
◈ Breach Laws Analyzed

State Data Breach Laws: Analysis

Unique data. Hand-curated.

This is an analysis of Personal Data thresholds for Data Breach Laws in all 50 U.S. States plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands.

We focus on PII triggers for breach notification in three areas: 1) the Combinations of data that trigger breaches, 2) the data elements that can trigger a breach, and 3) whether there is a Public Data exception and how it is defined. In this analysis we do not explore harm thresholds – see our State Data Breach Harm Trigger Analysis for information on that aspect of regulations.

Our dataset breaks out each law into Data Combos, the Data Elements, and Data Exceptions.

We score each state based on how expansively its data breach statute protects constituents. Recent data breaches at Facebook, LinkedIn, and Clubhouse have highlighted the deficiencies in these laws to cover what are obvious breaches of the public trust. While each State has a data breach law, not all of them really protect citizens from every breach.

We found that the District of Columbia, Oregon, Washington, California, and Colorado had the strongest Data Breach Laws in terms of personal data actually triggering a breach. This is because they cover more combinations of data, more data elements, and while they exempt Public records, that exemption does not extend past items “lawfully made available to the general public from federal, state, or local government records.”

Ohio scored worst, with Connecticut, Idaho, and Utah not far behind. Each of these states (and many others) requires First and Last Name to be a part of the breached data, along with another element from a list. In the case of these States, the list of Data Elements is short as well, encompassing primarily SSN, DL, and Financial data. Finally, they all exempt Public data including data “widely distributed in the media,” without regard to the sensitivity of that data.

There are problems with most state data breach laws. Based on the loopholes in almost all of these regulations, a catastrophic breach of a major entity might technically not even be a “breach.” Let’s look at a hypothetical: If FB lost facial recognition patterns, biometric info, Like data, location and derived psychometric data on millions of Americans – but the breached info did NOT include first and last name – it wouldn’t be legally considered a breach in nearly every US State. With that data, most Americans would be reidentified and profiled in the worst ways by bad actors.

The chart below shows you the details, sortable in many ways, and links you to the primary State Statute. You can also view detailed analyses of those regulations to check our work by jumping to State pages from Perkins Coie and Baker Hostetler.

We would love your feedback and commentary. Have we got it right? Are we missing something? Submit feedback to or find Jeff on LinkedIn or on Twitter as @Privacy_Stan.

Data Breach PII Analysis

State | Strength Score | Combinations of Personal Data | #1 | Data Elements marked, in column order (SSN/DL/IDs, Passport, CC#/Fin$, MedData/HealthIns, Online Accts, Tax IDs, Biometrics, Other) | #2 | Exceptions marked, in column order (Public Data, Gov Recs, Wide Distrib Media, Special) | #3 | BH Analysis | State Data Breach Law Full Citation and Link
District of Columbia | 28.5 | First+Last+[List]; [User/Email]+[Authentication]; [any combo that allows ID theft] | 3 | Y Y Y BOTH Y Y DNA | 7 | Y Y | 3 |  | Consumer Security Breach Information
Oregon | 19.5 | First+Last+[List]; [Username, Other]+[Authentication]; [any combo that allows ID theft] | 3 | Y Y Y BOTH Y | 5 | Y Y | 3 |  | Revised Statutes 646A.600: Oregon Consumer Identity Theft Protection Act
Washington | 19.5 | First+Last+[List]; [Username, Other]+[Authentication]; [any combo that allows ID theft] | 3 | Y Y BOTH Y; eSig, Full DOB | 5 | Y Y | 3 |  | Revised Code 19.255.010
California | 18 | First+Last+[List]; [User/Email]+[Authentication] | 2 | Y Y Y BOTH Y Y ALPR | 7 | Y Y | 3 |  | Civil Code 1798:29 and 1798:80
Colorado | 16.5 | First+Last+[List]; [User/Email]+[Authentication]; [Accnt/CC]+[Authentication] | 3 | Y Y Y BOTH Y | 5 | Y Y Y | 6 |  | Revised Statutes 6-1-716
Maryland | 12 | First+Last+[List]; [User/Email]+[Authentication] | 2 | Y Y Y BOTH Y Y | 6 | Y Y Y | 6 |  | Commercial Code 14-3501
Nebraska | 9 | First+Last+[List]; [User OR Email]+[pass OR SecureQ&A] | 2 | Y Y Y Y | 4 | Y Y | 3 |  | Revised Statutes 87-801
Illinois | 9 | First+Last+[List]; [User/Email]+[Authentication] | 2 | Y Y BOTH Y | 4 | Y Y | 3 |  | ILCS 530: Personal Information Protection Act
Florida | 9 | First+Last+[List]; [User/Email]+[Authentication] | 2 | Y Y Y BOTH | 4 | Y Y | 3 |  | Stat. § 501.171
Vermont | 7.5 | First+Last+[List] | 1 | Y Y Y BOTH Y Y DNA | 7 | Y Y | 3 |  | Statutes Annotated 9-2430 and 2435
Delaware | 6 | First+Last+[List] | 1 | Y Y Y BOTH Y Y Y DNA | 8 | Y Y Y | 6 |  | Code Title 6, Chapter 12B
New York | 6 | Info+[List]; [User/Email]+[Authentication] | 2 | Y Y Y | 3 | Y Y | 3 |  | York General Business Law 899-aa and State Technology Law 208
Arkansas | 6 | First+Last+[List] | 1 | Y Y MED Y | 4 |  | 0 |  | Code 4-110-101: Personal Information Protection Act
Maine | 4.5 | First+Last+[List]; [any combo that allows ID theft] | 3 | Y Y Y | 3 | Y Y Y Y | 9 |  | Me. Rev. Stat. § 1346 et seq.
Wyoming | 4.5 | First+Last+[List] | 1 | Y Y BOTH Y Y Y; Marriage/Birth Cert, Tribal ID | 7 | Y Y Y | 6 |  | Statutes 40-12-501
Arizona | 4.5 | First+Last+[List] | 1 | Y Y Y BOTH Y Y eSig | 7 | Y Y Y | 6 |  | Revised Statutes 18-545
South Dakota | 4.5 | First+Last+[List] | 1 | Y Y BOTH Y; Employer IDs | 5 | Y Y | 3 |  | Dakota’s Senate Bill 62
Texas | 4.5 | First+Last+[List] | 1 | Y Y BOTH Y; Maiden Name, Full DOB | 5 | Y Y | 3 |  | Business and Commerce Code 521.002 and 521.053
North Dakota | 4.5 | First+Last+[List] | 1 | Y Y BOTH Y; Maiden Name, Full DOB, Employer ID, eSig | 5 | Y Y | 3 |  | Dakota Century Code
North Carolina | 3 | First+Last+[List] | 1 | Y Y Y Y Y eSig | 6 | Y Y Y | 6 |  | Carolina General Statutes 75-61 and 75-65
Louisiana | 3 | First+Last+[List] | 1 | Y Y Y Y | 4 | Y Y | 3 |  | Rev. Stat. §§ 51:3071 et seq.
Montana | 3 | First+Last+[List] | 1 | Y Y BOTH Y | 4 | Y Y | 3 |  | Code 30-14-1704
Nevada | 3 | First+Last+[List] | 1 | Y Y HISN Y | 4 | Y Y | 3 |  | Revised Statutes 603A.010
Virginia | 3 | First+Last+[List] | 1 | Y Y Y; Military IDs | 4 | Y Y | 3 |  | Code 18.2-186.6 and 32.1-127.1:05
Indiana | 3 | First+Last+[List]; SSN | 2 | Y Y | 2 | Y Y | 3 |  | Code §§ 4-1-11 et seq., 24-4.9 et seq.
Alaska | 3 | First+Last+[List] | 1 | Y Y | 2 |  | 0 |  | Statutes 45.48.010: Personal Information Protection Act
Kentucky | 3 | First+Last+[List] | 1 | Y Y | 2 |  | 0 |  | Rev. Stat. §365.732
Michigan | 3 | First+Last+[List] | 1 | Y Y | 2 |  | 0 |  | Comp. Laws §§ 445.63, 445.72
Alabama | 1.5 | First+Last+[List] | 1 | Y Y Y BOTH Y | 5 | Y Y Y | 6 |  | S.B. 318, Act No. 396
Iowa | 1.5 | First+Last+[List] | 1 | Y Y Y | 3 | Y Y | 3 |  | Code 715C.1
New Mexico | 1.5 | First+Last+[List] | 1 | Y Y Y | 3 | Y Y | 3 |  | Mexico Data Breach Act - HB 15
Georgia | 1.5 | First+Last+[List] | 1 | Y Y Y | 3 | Y Y | 3 |  | Code 10-1-912
Missouri | 1.5 | First+Last+[List] | 1 | Y Y BOTH | 3 | Y Y | 3 |  | Revised Statutes 407.1500
Rhode Island | 1.5 | First+Last+[List] | 1 | Y Y BOTH | 3 | Y Y | 3 |  | Island General Laws 11-49.3
Puerto Rico | 0 | First+Last+[List] | 1 | Y Y MED Y Y; Tax Info, Work Evals | 6 | Y Y Y Y | 9 |  | P.R. Laws Ann. §§ 4051–4055
Wisconsin | 0 | First+Last+[List] | 1 | Y Y Y DNA | 4 | Y Y Y | 6 |  | Statutes 134.98
Guam | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | Law Link
Hawaii | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | Revised Statutes 487N-1
Kansas | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | Statutes 50-7a01
Massachusetts | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | General Laws 93H, Section 1
Minnesota | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | Statutes 325E.61
Mississippi | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | Code 75-24-29
New Hampshire | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | Hampshire Revised Statutes 359-C:20
Oklahoma | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | Okla. Stat. § 161 et seq.
Pennsylvania | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | Statutes 73-2301: Breach of Personal Information Notification Act
South Carolina | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | Carolina Code 39-1-90
Tennessee | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | Code 47-18-2107
Virgin Islands | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | Code tit. 14, §§ 2208, 2209
West Virginia | 0 | First+Last+[List] | 1 | Y Y | 2 | Y Y | 3 |  | Virginia Code 46A-2A-101
New Jersey | -1.5 | First+Last+[List] | 1 | Y Y Y | 3 | Y Y Y | 6 |  | Jersey Statutes 56:8-163: Identity Theft Prevention Act
Connecticut | -3 | First+Last+[List] | 1 | Y Y | 2 | Y Y Y | 6 |  | General Statutes 36a-701b
Idaho | -3 | First+Last+[List] | 1 | Y Y | 2 | Y Y Y | 6 |  | Code 28-51-104
Utah | -3 | First+Last+[List] | 1 | Y Y | 2 | Y Y Y | 6 |  | Code 13-44-101, 13-44-202 and 13-44-301: Protection of Personal Information Act
Ohio | -6 | First+Last+[List] | 1 | Y Y | 2 | Y Y Y Y | 9 |  | Revised Code 1349.19


PII Strength Score*: Calculated as (ComboScore*(ElementScore*1.5))-ExceptionScore
An indication of the broadness of the coverage of information that might be breached and would trigger a breach notification.

Data Combos: There are 5 methodologies used:
Combo First+Last+[List]: FirstName plus LastName plus something from the list of Elements
Combo [Username, Other]+[Authentication]: Username (or Other) plus an Authentication mechanism
Combo [User OR Email]+[pass OR SecureQ&A]: Username or Email plus an Authentication mechanism
Combo [Accnt/CC]+[Authentication]: Account or Credit Card plus an Authentication mechanism
Combo [any combo that allows ID theft]: Any data Elements in combination if it leads to Identity Theft

Data Elements: States list Data Elements that can Trigger a Breach notification
Element SSN / DL / IDs: Social Security Number, Driver's License, Government Identification
Element Passport: Passport Number
Element CC# / Fin$: Credit Card or Financial Account data
Element MedInfo / HealthIns: Medical data and/or Health Insurance Identification Number
Element Online Accts: Information used to access an online account (Username/Password, etc.)
Element Tax IDs: Tax IDs
Element Biometrics: Biometric Identifiers
Element Other: Anything else interesting

Exceptions: States often exclude some forms of Publicly Available Data
Exception Public Data: Base Exclusion – some form is excluded
Exception Gov Recs: Information available from government records is excluded
Exception Wide Distrib Media: Information widely distributed in the media is excluded
Exception Special: Other specific exclusions are noted