State Data Breach Law PII Analysis

โ—ˆ Last edit: April, 2021
โ—ˆ 50 State, 3 Territories
โ—ˆ Breach Laws Analyzed

State Data Breach Laws: Analysis

Unique data. Hand-curated.

This is an analysis of Personal Data thresholds for Data Breach Laws in all 50 U.S. States and plus the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands.

We focus on PII triggers for breach notification in three areas: 1) the Combinations of data that trigger breaches, 2) the State Data Breach PII Analysisdata elements that can trigger a breach, and 3) whether there is a Public Data exception for and how it is defined. In this analysis we do not explore harm thresholds – see our State Data Breach Harm Trigger Analysis for information on that aspect of regulations.

Our dataset breaks out each law into Data Combos, the Data Elements, and Data Exceptions.

We score each state based on how expansive their data breach state protects constituents. Recent data breaches at Facebook, LinkedIn, and Clubhouse have highlighted the deficiencies in these laws to cover what are obvious breaches of the public trust. While each State has a data breach law, not all of them really protect citizens from every breach.

We found that the District of Columbia, Oregon, Washington, California, and Colorado had the strongest Data breach Laws in terms of personal data actually triggering a breach. This is because they cover more combinations of data, more data elements, and while they exempt Public records, that exemption does not extend past items “lawfully made available to the general public from federal, state, or local government records.”

Ohio scored worst, with Connecticut, Idaho, and Utah not far behind. Each of these states (and many others) require First and Last Name to be a part of the breached data, along with another element from a list. In these cases of these States, the list of Data Elements is short as well, encompassing primarily SSN, DL, and Financial data. Finally, they all exempt Public data including data “widely distributed in the media,” without regard to the sensitivity of that data.

There are problems with most state data breach laws. Based on the loopholes in almost all of these regulations, a catastrophic breach of a major entity might technically not even be a “breach.” Let’s look at a hypothetical: If FB lost facial recognition patterns, biometric info, Like data, location and derived psychometric data on millions of Americans – but the breached info did NOT include first and last name – it wouldn’t be legally considered a breach in nearly every US State. With that data, most Americans would be reidentified and profiled in the worst ways by bad actors.

The chart below shows you the details, sortable in many ways, and links you to the primary State Statute. You can also view detailed analyses of those regulations to check our work by jumping to State pages from Perkins Coie and Baker Hostetler.

We would love your feedback and commentary. Have we got it right? Are we missing something? Submit feedback to info@privacyplan.net or find Jeff on LinkedIn or on Twitter as @Privacy_Stan.

Data Breach PII Analysis

StatesStrength ScoreCombinationsOfPersonalData#1SSN DL IDsPass portCC# Fin$MedData HealthInsOnline AcctsTax IDsBio metricsOther#2Public DataGov RecsWide Distrib MediaSpecial#3BH AnalysisStateDataBreachLawFullCitationAndLink
District of Columbia28.5First+Last+[List] [User/Email]+[Authentication] [any combo that allows ID theft]3YYYBOTHYYDNA7YY3https://code.dccouncil.us/dc/council/code/titles/28/chapters/38/subchapters/II/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-district-of-columbia.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=DCDC Consumer Security Breach Information
Oregon19.5First+Last+[List] [Username, Other]+[Authentication] [any combo that allows ID theft] 3YYYBOTHY5YY3https://www.oregonlaws.org/ors/646A.604https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-oregon.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=OROregon Revised Statutes 646A.600: Oregon Consumer Identity Theft Protection Act
Washington19.5First+Last+[List] [Username, Other]+[Authentication] [any combo that allows ID theft]3YYBOTHYeSig Full DOB5YY3https://app.leg.wa.gov/RCW/default.aspx?cite=19.255.010https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-washington.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=WAWashington Revised Code 19.255.010
California18First+Last+[List] [User/Email]+[Authentication]2YYYBOTHYYALPR7YY3http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV§ionNum=1798.29https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-california.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=CACalifornia Civil Code 1798:29 and 1798:80
Colorado16.5First+Last+[List] [User/Email]+[Authentication] [Accnt/CC]+[Authentication]3YYYBOTHY5YYY6https://codes.findlaw.com/co/title-6-consumer-and-commercial-affairs/co-rev-st-sect-6-1-716.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-colorado.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=COColorado Revised Statutes 6-1-716
Maryland12First+Last+[List] [User/Email]+[Authentication]2YYYBOTHYY6YYY6https://codes.findlaw.com/md/commercial-law/md-code-com-law-sect-14-3501.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maryland.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MDMaryland Commercial Code 14-3501
Nebraska9First+Last+[List] [User OR Email]+[pass OR SecureQ&A]2YYYY4YY3https://nebraskalegislature.gov/laws/statutes.php?statute=87-802https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-nebraska.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NENebraska Revised Statutes 87-801
Illinois9First+Last+[List] [User/Email]+[Authentication]2YYBOTHY4YY3http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act.https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-illinois.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=IL815 ILCS 530: Personal Information Protection Act
Florida9First+Last+[List] [User/Email]+[Authentication]2YYYBOTH4YY3http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&Search_String=&URL=0500-0599/0501/Sections/0501.171.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-florida.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=FLFla. Stat. ยง 501.171
Vermont7.5First+Last+[List]1YYYBOTHYYDNA7YY3https://legislature.vermont.gov/statutes/section/09/062/02435https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-vermont.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=VTVermont Statutes Annotated 9-2430 and 2435
Delaware6First+Last+[List]1YYYBOTHYYYDNA8YYY6http://delcode.delaware.gov/title6/c012b/index.shtmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-delaware.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=DEDelaware Code Title 6, Chapter 12B
New York6Info+[List] [User/Email]+[Authentication]2YYY3YY3https://www.nysenate.gov/legislation/laws/GBS/899-AAhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-york.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NYNew York General Business Law 899-aa and State Technology Law 208
Arkansas6First+Last+[List]1YYMEDY40https://law.justia.com/codes/arkansas/2010/title-4/subtitle-7/chapter-110/4-110-105/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-arkansas.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=ARArkansas Code 4-110-101: Personal Information Protection Act
Maine4.5First+Last+[List] [any combo that allows ID theft]3YYY3YYYY9http://legislature.maine.gov/statutes/10/title10ch210-Bsec0.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-maine.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=ME10 Me. Rev. Stat. ยง 1346 et seq.
Wyoming4.5First+Last+[List]1YYBOTHYYYMarriage/Birth Cert Tribal ID7YYY6https://codes.findlaw.com/wy/title-40-trade-and-commerce/wy-st-sect-40-12-501.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-wyoming.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=WYWyoming Statutes 40-12-501
Arizona4.5First+Last+[List]1YYYBOTHYYeSig7YYY6https://www.azleg.gov/viewdocument/?docName=https://www.azleg.gov/ars/18/00551.htmhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-arizona.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=AZArizona Revised Statutes 18-545
South Dakota4.5First+Last+[List]1YYBOTHYEmploter IDs5YY3https://sdlegislature.gov/Statutes/Codified_Laws/2047702https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-south-dakota.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=SDSouth Dakotaโ€™s Senate Bill 62
Texas4.5First+Last+[List]1YYBOTHYMaiden Name Full DOB5YY3https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm#521.002https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-texas.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=TXTexas Business and Commerce Code 521.002 and 521.053
North Dakota4.5First+Last+[List]1YYBOTHYMaiden Name Full DOB Employer ID eSig5YY3https://codes.findlaw.com/nd/title-51-sales-and-exchanges/nd-cent-code-sect-51-30-02.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-north-dakota.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NDNorth Dakota Century Code
North Carolina3First+Last+[List]1YYYYYeSig6YYY6https://codes.findlaw.com/nc/chapter-75-monopolies-trusts-and-consumer-protection/nc-gen-st-sect-75-65.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-north-carolina.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NCNorth Carolina General Statutes 75-61 and 75-65
Louisiana3First+Last+[List]1YYYY4YY3https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-louisiana.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=LALa. Rev. Stat. ยงยง 51:3071 et seq.
Montana3First+Last+[List]1YYBOTHY4YY3https://leg.mt.gov/bills/mca_toc/30_14_17.htmhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-montana.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MTMontana Code 30-14-1704
Nevada3First+Last+[List]1YYHISNY4YY3https://www.leg.state.nv.us/nrs/nrs-603a.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-nevada.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NVNevada Revised Statutes 603A.010
Virginia3First+Last+[List]1YYYMilitary IDs4YY3http://law.lis.virginia.gov/vacode/title18.2/chapter6/section18.2-186.6/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-virginia.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=VIVirginia Code 18.2-186.6 and 32.1-127.1:05
Indiana3First+Last+[List] SSN2YY2YY3http://iga.in.gov/legislative/laws/2020/ic/titles/004#4-1-11https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-indiana.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=INInd. Code ยงยง 4-1-11 et seq., 24-4.9 et seq.
Alaska3First+Last+[List]1YY20http://law.alaska.gov/department/civil/consumer/4548.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-alaska.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=AKAlaska Statutes 45.48.010: Personal Information Protection Act
Kentucky3First+Last+[List]1YY20https://codes.findlaw.com/ky/title-xxix-commerce-and-trade/ky-rev-st-sect-365-732.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-kentucky.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=KYKY Rev. Stat. ยง365.732
Michigan3First+Last+[List]1YY20https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-michigan.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MIMich. Comp. Laws ยงยง 445.63, 445.72
Alabama1.5First+Last+[List]1YYYBOTHY5YYY6http://alisondb.legislature.state.al.us/alison/CodeOfAlabama/1975/8-38-2.htmhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-alabama.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=AL2018 S.B. 318, Act No. 396
Iowa1.5First+Last+[List]1YYY3YY3https://www.legis.iowa.gov/docs/code/715c.pdfhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-iowa.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=INIowa Code 715C.1
New Mexico1.5First+Last+[List]1YYY3YY3https://nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdfhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-mexico.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NMNew Mexico Data Breach Act - HB 15
Georgia1.5First+Last+[List]1YYY3YY3https://codes.findlaw.com/ga/title-10-commerce-and-trade/ga-code-sect-10-1-910.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-georgia.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=GAGeorgia Code 10-1-912
Missouri1.5First+Last+[List]1YYBOTH3YY3https://revisor.mo.gov/main/OneSection.aspx?section=407.1500&bid=23329&hl=https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-missouri.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MOMissouri Revised Statutes 407.1500
Rhode Island1.5First+Last+[List]1YYBOTH3YY3http://webserver.rilin.state.ri.us/Statutes/TITLE11/11-49.3/11-49.3-4.HTMhttps://www.perkinscoie.com/en/news-insights/rhode-island.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=RIRhode Island General Laws 11-49.3
Puerto Rico0First+Last+[List]1YYMEDYYTax Info Work Evals6YYYY9https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=3dae5e3e-ddd2-49bf-8535-aadcdeb8fb71&nodeid=AAMAADABGAAB&nodepath=%2FROOT%2FAAM%2FAAMAAD%2FAAMAADABG%2FAAMAADABGAAB&level=4&haschildren=&populated=false&title=%C2%A7+4051.+Definitions&config=00JABkODU1MGI4OC1hMmRkLTQ2MGYtOGY1NS03YjVjOWM4YjJlZjAKAFBvZENhdGFsb2d0HiKld62itjBDGzN8H7lV&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A5D6S-8B41-66SD-80SR-00008-00&ecomp=k5v8kkk&prid=80ede612-e1e6-4866-a3e4-ff35f4f52440https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-puerto-rico.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=RI10 P.R. Laws Ann. ยงยง 4051โ€“4055
Wisconsin0First+Last+[List]1YYYDNA4YYY6https://docs.legis.wisconsin.gov/statutes/statutes/134/98https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-wisconsin.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=WIWisconsin Statutes 134.98
Guam0First+Last+[List]1YY2YY3http://www.guamcourts.org/CompilerofLaws/GCA/09gca/9gc048.pdfhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=GUGuam Law Link
Hawaii0First+Last+[List]1YY2YY3https://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487N/HRS_0487N-0002.htmhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-hawaii.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=HIHawaii Revised Statutes 487N-1
Kansas0First+Last+[List]1YY2YY3http://www.kslegislature.org/li_2014/b2013_14/statute/050_000_0000_chapter/050_007a_0000_article/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-kansas.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=KSKansas Statutes 50-7a01
Massachusetts0First+Last+[List]1YY2YY3https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXV/Chapter93H/Section1https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-massachusetts.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MAMassachusetts General Laws 93H, Section 1
Minnesota0First+Last+[List]1YY2YY3https://www.revisor.mn.gov/statutes/?id=325E.61https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-minnesota.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MNMinnesota Statutes 325E.61
Mississippi0First+Last+[List]1YY2YY3https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=44f0d968-6ef3-4aef-a2db-7ec4c9f0e2c7&nodeid=ABNAAWAABAAQ&nodepath=%2FROOT%2FABN%2FABNAAW%2FABNAAWAAB%2FABNAAWAABAAQ&level=4&haschildren=&populated=false&title=%C2%A7+75-24-29.+Persons+conducting+business+in+Mississippi+required+to+provide+notice+of+a+breach+of+security+involving+personal+information+to+all+affected+individuals%3B+enforcement.&config=00JABhZDIzMTViZS04NjcxLTQ1MDItOTllOS03MDg0ZTQxYzU4ZTQKAFBvZENhdGFsb2f8inKxYiqNVSihJeNKRlUp&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A8P6B-8782-8T6X-74VC-00008-00&ecomp=k5v8kkk&prid=9be20549-c96b-46a9-b338-d9943601c47dhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-mississippi.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=MSMississippi Code 75-24-29
New Hampshire0First+Last+[List]1YY2YY3https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-hampshire.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NHNew Hampshire Revised Statutes 359-C:20
Oklahoma0First+Last+[List]1YY2YY3https://www.bakerlaw.com/webfiles/Privacy/Map/State-Data-Breach-Statute/Oklahoma.pdfhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-oklahoma.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=OK24 Okla. Stat. ยง 161 et seq.
Pennsylvania0First+Last+[List]1YY2YY3https://govt.westlaw.com/pac/Document/N5406B1B08C5311DA943797541B5FDE35?viewType=FullText&originationContext=documenttoc&transitionType=CategoryPageItem&contextData=(sc.Default)&bhcp=1https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-pennsylvania.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=PAPennsylvania Statutes 73-2301: Breach of Personal Information Notification Act
South Carolina0First+Last+[List]1YY2YY3https://www.scstatehouse.gov/query.php?search=DOC&searchtext=SECTION%2039%201%2090&category=CODEOFLAWS&conid=36689925&result_pos=0&keyval=17283&numrows=10https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-south-carolina.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=SCSouth Carolina Code 39-1-90
Tennessee0First+Last+[List]1YY2YY3https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=ae167118-3d03-4a8c-af3c-83c6191bfd5e&nodeid=ABVAAUAAVAAH&nodepath=%2FROOT%2FABV%2FABVAAU%2FABVAAUAAV%2FABVAAUAAVAAH&level=4&haschildren=&populated=false&title=47-18-2107.+Release+of+personal+consumer+information.&config=025054JABlOTJjNmIyNi0wYjI0LTRjZGEtYWE5ZC0zNGFhOWNhMjFlNDgKAFBvZENhdGFsb2cDFQ14bX2GfyBTaI9WcPX5&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A4X8K-XB40-R03J-K1K5-00008-00&ecomp=f38_kkk&prid=1ebbe805-18ab-4aae-92e0-ec985d915ffahttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-tennessee.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=TNTennessee Code 47-18-2107
Virgin Islands0First+Last+[List]1YY2YY3https://law.justia.com/codes/virgin-islands/2019/title-14/chapter-110/subchapter-i/2208/https://www.bakerlaw.com/datamap_ajax.aspx?statename=VIV.I. Code tit. 14, ยงยง 2208, 2209
West Virginia0First+Last+[List]1YY2YY3http://www.wvlegislature.gov/WVCODE/Code.cfm?chap=46a&art=2A#2Ahttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-west-virginia.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=WVWest Virginia Code 46A-2A-101
New Jersey-1.5First+Last+[List]1YYY3YYY6https://codes.findlaw.com/nj/title-56-trade-names-trademarks-and-unfair-trade-practices/nj-st-sect-56-8-162.htmlhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-new-jersey.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=NJNew Jersey Statutes 56:8-163: Identity Theft Prevention Act
Connecticut-3First+Last+[List]1YY2YYY6https://www.cga.ct.gov/current/pub/chap_669.htm#sec_36a-701bhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-connecticut.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=CTConnecticut General Statutes 36a-701b
Idaho-3First+Last+[List]1YY2YYY6https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-idaho.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=IDIdaho Code 28-51-104
Utah-3First+Last+[List]1YY2YYY6https://le.utah.gov/xcode/Title13/Chapter44/C13-44_1800010118000101.pdfhttps://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-utah.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=UTUtah Code 13-44-101, 13-44-202 and 13-44-301: Protection of Personal Information Act
Ohio-6First+Last+[List]1YY2YYYY9https://codes.ohio.gov/ohio-revised-code/section-1349.19https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart-ohio.htmlhttps://www.bakerlaw.com/datamap_ajax.aspx?statename=OHOhio Revised Code 1349.19

Legend

PII Strength Score* Calculated as (ComboScore*(ElementScore*1.5))-ExceptionScore
An indication of the broadness of the coverage of information that might be breached and would trigger a breach notification.

Data Combos There are 5 methodologies used:
Combo First+Last+[List] FirstName plus LastName plus something from list of Elements
Combo [Username, Other]+[Authentication] Username (or Other) plus and Authentication mechanism
Combo [User OR Email]+[pass OR SecureQ&A] Username or Email plus and Authentication mechanism
Combo [Accnt/CC]+[Authentication] Account or Credit Card plus and Authentication mechanism
Combo [any combo that allows ID theft] Any data Elements in combination if leads to Identity Theft
Data Elements States list Data Elements that can Trigger a Breach notification
Element SSN / DL / IDs Social Security Number, Drivers License, Government Identification
Element Passport Passport Number
Element CC# / Fin$ Credit Card or Financial Account data
Element MedInfo / HealthIns Medical data and/or Health Insurance Identification Number
Element Online Accts Information used to access an online account (Username/Password, etc)
Element Tax IDs Tax IDs
Element Biometrics Biometric Identifiers
Element Other Anything else interesting
Exceptions States often exclude some forms of Publicly Available Data
Exception Public Data Base Exclusion – some form is excluded
Exception Gov Recs Information available from government records is excluded
Exception Wide Distrib Media Information widely distributed in the media is excluded
Exception Special Other specific exclusions are noted