Cyber Risk – Security Breach Notification Statutes

Date Posted

Thursday, September 19, 2024

Security breaches are making headlines the world over, with high-profile companies, including Target, Home Depot, LinkedIn, and Sony Pictures Entertainment, suffering crippling attacks over the past few years. Such breaches may be devastating to a business’ reputation. Beyond reputational harm, a breach may also trigger important legal obligations under state and federal statutes. Nearly every state has enacted legislation governing a business’ obligation to notify an individual that his or her personal information may have been subject to a security breach. These laws are commonly referred to as “security breach” or “data breach” notification statutes. The expanding cyber liability insurance market offers policies that cover the first-party and third-party expenses arising out of a security breach, including notification expenses. This survey examines several key, common issues with respect to state security breach notification laws. Below is an explanation of each column in the survey:

Who Must Comply

This column identifies who must comply with the statute. A majority of states provide that a “maintainer” of personal information is not required to provide notice to an impacted individual. Rather, a maintainer is charged with notifying the “owner” or “licensor,” and the “owner” or “licensor” must notify the impacted individual. Please consult the specific statute for the definition and responsibilities of a “maintainer.”

What is Personal Information

This column lists the categories of data that the statute treats as “personal information.” Please consult the Key to Personal Information below for the meaning of each category.

Notification Required Beyond Affected Individual

Every state with a notification statute requires that an individual impacted by the breach be notified. This column identifies whether there are any additional notice obligations.

When Must Notification Be Given

This column identifies when the notice obligation is triggered (“Following”): when the security breach is discovered, or when there is a reasonable belief that “personal information” was acquired by an unauthorized person. It also identifies the timeframe in which the impacted individual must be notified (“Within”). A majority of states provide that notice may be delayed if a law enforcement agency determines that notification will impede a criminal investigation; in that case, notification typically must be made once the law enforcement agency determines that notice will no longer compromise the investigation. A significant minority of states provide that if an entity conducts a good-faith investigation and determines there is not a reasonable likelihood of harm to the consumer, then notification is not required. Typically, that determination must be: (1) in writing, (2) maintained for a statutorily prescribed period of time, and (3) made in conjunction with local, state, and federal law enforcement agencies. Please consult the specific state statute for detailed requirements.

Private Cause of Action

This column identifies whether the law expressly provides an impacted individual with a private cause of action for an entity’s failure to comply with the notification requirements.

Fines and Penalties

This column identifies whether the statute allows for fines and/or penalties to be assessed for failure to comply with the statute’s notification requirements.

KEY TO PERSONAL INFORMATION

  • General Professional Information: Individual’s name + one of the following: Social Security number, driver’s license number, state-issued identification number, or information sufficient to access financial accounts (e.g., personal identification number “PIN,” debit or credit card number, bank account number, account password, etc.)
  • Abbreviated terms:
    • AG = State Attorney General
    • PI = Personal Information

Survey columns: State | Authority | Who Must Comply | What is Personal Information? | Notification Required Beyond Affected Individual | When Must Notification Be Given (Following: / Within:) | Private Cause of Action | Fines & Penalties

Each state entry below is laid out by those columns.

Alabama

No Statute

Alaska

Authority: Alaska Stat. § 45.48.010, et seq.
Who Must Comply: Persons doing business, persons with more than 10 employees, and gov’t agencies who:
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Discovery of a breach
  • Within: Most expeditious time possible and without unreasonable delay
Private Cause of Action: Yes
Fines & Penalties:
  • $500 for each state resident who was not notified; not to exceed $50,000
  • Failure to notify is considered an unfair or deceptive act or practice under Alaska Stat. § 45.50.471 et seq. (inapplicable to gov’t agencies)
  • Gov’t agencies may be enjoined from further violations

Arizona

Authority: Ariz. Rev. Stat. § 44-7501
Who Must Comply: Individuals, businesses, and gov’t entities who:
  • Conduct business in AZ and
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: No
When Must Notification Be Given:
  • Following: Investigation and reasonable likelihood of breach
  • Within: Most expedient manner and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties:
  • AG enforcement
  • Actual damages for willful or knowing violation
  • Civil penalty not to exceed $10,000 per breach or series of breaches

Arkansas

Authority: Ark. Code § 4-110-101, et seq.
Who Must Comply: Individuals, businesses, and gov’t agencies who:
  • Own, license, or acquire PI
What is Personal Information?
  • General Professional Information
  • Medical Information
Notification Required Beyond Affected Individual: No
When Must Notification Be Given:
  • Following: Reasonable belief that PI was acquired by an unauthorized person
  • Within: Most expedient manner and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: AG may bring suit under the Deceptive Trade Practices Act (Ark. Code § 4-88-101 et seq.)

California

Authority: Cal. Civ. Code § 1798.29; § 1798.80, et seq.
Who Must Comply: Persons and businesses who:
  • Conduct business in CA and
  • Own or license PI
What is Personal Information?
  • General Professional Information
  • Medical Information
  • Health Insurance Information
Notification Required Beyond Affected Individual: Yes: if over 500 residents, provide a copy of the sample notification to AG
When Must Notification Be Given:
  • Following: Reasonable belief that PI was acquired by an unauthorized person
  • Within: Most expedient manner and without unreasonable delay
Private Cause of Action: Yes
Fines & Penalties:
  • Affected individual may seek damages
  • Any business that violates, proposes to violate, or has violated the statute may be enjoined

Colorado

Authority: Colo. Rev. Stat. § 6-1-716
Who Must Comply: Individuals and businesses who:
  • Conduct business in CO and
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Investigation and reasonable likelihood of misuse of PI
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: AG may bring action in law or equity to address violations of the statute

Connecticut

Authority: Conn. Gen. Stat. § 36a-701b
Who Must Comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in CT and
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: simultaneously give notice to AG
When Must Notification Be Given:
  • Following: Reasonable belief that PI was acquired by an unauthorized person
  • Within: Without unreasonable delay
  • Note: See Bulletin IC-25 for provisions that apply to registrants and licensees of the CT Insurance Dept.
Private Cause of Action: Statute silent
Fines & Penalties: Failure to comply with the statute constitutes an unfair trade practice under Conn. Gen. Stat. § 42-110b and is enforceable by AG

Delaware

Authority: Del. Code tit. 6, § 12B-101, et seq.
Who Must Comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in DE and
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: No
When Must Notification Be Given:
  • Following: Investigation to determine the likelihood that PI was or will be misused
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: AG may bring an action in law or equity for violations of the statute and may recover direct economic damages or “other relief that may be appropriate to ensure proper compliance,” or both

District of Columbia

Authority: D.C. Code § 28-3851, et seq.
Who Must Comply: Persons and entities who:
  • Conduct business in DC and
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Discovery of a breach
  • Within: Most expedient manner and without unreasonable delay
Private Cause of Action: Yes
Fines & Penalties:
  • AG may seek a temporary or permanent injunction, and restitution for property lost or damages suffered by DC residents
  • Civil penalty not to exceed $100 for each violation, plus costs of the action and attorney’s fees
  • Each failure to notify is a separate violation

Florida

Authority: Fla. Stat. § 501.171
Who Must Comply: Businesses and gov’t entities who:
  • Own or license PI
What is Personal Information?
  • General Professional Information
  • Medical Information
  • Health Insurance Information
  • Username + Password for any online account
  • Passport Number
Notification Required Beyond Affected Individual: Yes: if over 500 residents, notify FL Dept. of Legal Affairs (within 30 days); if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Reasonable belief that PI was accessed as a result of a breach
  • Within: 30 days of determination of breach (an additional 15 days may be granted if good cause is shown)
Private Cause of Action: No
Fines & Penalties:
  • A violation of the statute is considered an unfair or deceptive trade practice
  • An entity shall be liable for a civil penalty not to exceed $500,000 ($1,000 per day for the first 30 days following any violation and $50,000 for each subsequent 30-day period or portion thereof, for up to 180 days)
  • Penalties apply per breach, not per individual
  • Fines & penalties do not apply to gov’t agencies

Georgia

Authority: Ga. Code § 10-1-910, et seq.
Who Must Comply: Persons, entities, and certain gov’t agencies who:
  • Maintain PI
  • Note: for regulations specifically concerned with the requirements for telephone records and a telecommunication company’s obligations, see Ga. Code § 46-5-214
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: if over 10,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: A breach where residents’ unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: Statute silent

Hawaii

Authority: Haw. Rev. Stat. § 487N-1, et seq.
Who Must Comply: Businesses and gov’t agencies who:
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: if over 1,000 residents, notify Hawai‘i Office of Consumer Protection and national consumer reporting agencies (a gov’t agency does not have to notify consumer reporting agencies)
When Must Notification Be Given:
  • Following: A breach where illegal use of PI has occurred, or is reasonably likely
  • Within: Without unreasonable delay
Private Cause of Action: No
Fines & Penalties:
  • AG or Executive Director of the Office of Consumer Protection may bring an action
  • Penalties shall not exceed $2,500 for each violation
  • No action against a gov’t agency

Idaho

Authority: Idaho Code Ann. § 28-51-104, et seq.
Who Must Comply: Individuals, commercial entities, and gov’t agencies who:
  • Conduct business in ID and
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: when an agency becomes aware of a breach, notify AG within 24 hours
When Must Notification Be Given:
  • Following: Investigation to determine the likelihood that PI has been or will be misused
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties:
  • Intentional failure to give notice is subject to a fine not to exceed $25,000 per breach
  • The “primary regulator” (usually the AG for individuals & commercial entities) of an agency/individual/commercial entity may bring a civil action to enforce compliance and to enjoin further violations
  • A gov’t employee who intentionally discloses PI is guilty of a misdemeanor punishable by a fine not to exceed $2,000 or by imprisonment of not more than 1 year (or both)

Illinois

Authority: 815 Ill. Comp. Stat. § 530/5, et seq.
Who Must Comply: Businesses and gov’t agencies who:
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Discovery of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person
  • Within: Without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: Statute silent

Indiana

Individuals and businesses

Authority: Ind. Code § 24-4.9-1-1, et seq.
Who Must Comply: Individuals and businesses who:
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: notify AG; if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Breach where unencrypted PI was or may have been acquired by an unauthorized person, or encrypted PI was or may have been acquired by an unauthorized person with access to the encryption key
  • Within: Without unreasonable delay
Private Cause of Action: No
Fines & Penalties:
  • Failure to disclose or notify a resident is a deceptive act, actionable only by AG
  • For violations of the notification rules: AG may bring an action to enjoin future violations of the statute, seek a civil penalty of not more than $150,000 per deceptive act, and recover the AG’s reasonable costs
  • For violations of the record retention rules: AG may bring an action to enjoin future violations of the statute, seek a civil penalty of not more than $5,000 per deceptive act, and recover the AG’s reasonable costs

Gov’t agencies

Authority: Ind. Code § 4-1-11-1, et seq.
Who Must Comply: Gov’t agencies who:
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Discovery of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person
  • Within: Without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: Statute silent

Iowa

Authority: Iowa Code § 715C.1, et seq.
Who Must Comply: Individuals, businesses, and gov’t agencies who:
  • Own or license PI used in the course of the person’s business, vocation, occupation, or volunteer activity
What is Personal Information?
  • General Professional Information
  • Biometric Data
Notification Required Beyond Affected Individual: Yes: if over 500 residents, notify the Director of the Consumer Protection Division of the Office of AG within 5 business days of giving notice to residents
When Must Notification Be Given:
  • Following: Discovery of a breach
  • Within: Most expeditious manner possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: Any violation of the statute is an unlawful practice (Iowa Code § 714.16), and AG may seek damages and equitable relief pursuant to Iowa Code § 714.16(7), including a civil penalty not to exceed $40,000

Kansas

Authority: Kan. Stat. Ann. § 50-7a01, et seq.
Who Must Comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in KS and
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: An investigation to determine the likelihood that PI has been or will be misused
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties:
  • AG may bring action in law or equity to address violations of the statute and for other appropriate relief
  • Insurance Commissioner has sole authority to enforce the statute for violations by an insurance company licensed to do business in KS

Kentucky

Individuals and businesses

Authority: Ky. Rev. Stat. Ann. § 365.732
Who Must Comply: Persons and businesses who:
  • Conduct business in KY and
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: Statute silent

Gov’t agencies

Authority: Ky. Rev. Stat. Ann. § 61.933
Who Must Comply: Gov’t agencies who:
  • Collect, maintain, or store PI
What is Personal Information?
  • General Professional Information
  • Biometric Data
  • Medical Information
  • Passport Number
Notification Required Beyond Affected Individual: Yes: within 72 hours, notify the Commissioner of the KY State Police, the Auditor of Public Accounts, and AG. If over 1,000 residents, notify national consumer reporting agencies. See statute for additional requirements for individual agencies.
When Must Notification Be Given:
  • Following: Investigation to determine the reasonable likelihood of misuse of PI
  • Within: 72 hours of completion of the investigation, notify the respective agency officials and the Dept. for Libraries; 35 days after notification of agency officials, notify affected individuals
Private Cause of Action: No
Fines & Penalties: AG’s office may bring an action in the Franklin Circuit Court against an agency or a nonaffiliated third party that is not an agency, or both, for injunctive relief and for other legal remedies to enforce the statute

Louisiana

Authority: La. Stat. Ann. § 51:3071, et seq.; La. Admin. Code tit. 16, pt. III, § 701
Who Must Comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in LA or
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: notify the Consumer Protection Section of AG’s Office within 10 days of notifying residents
When Must Notification Be Given:
  • Following: Discovery of a breach that has reasonably resulted in unauthorized acquisition of and access to PI
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Yes
Fines & Penalties:
  • Failure to provide timely notice of a breach to AG may be punishable by a fine not to exceed $5,000 per violation
  • Each day notice is not received by AG is a separate violation

Maine

Authority: Me. Stat. tit. 10, § 1346, et seq.
Who Must Comply: Individuals, businesses, gov’t agencies, and information brokers who:
  • Maintain PI
What is Personal Information?
  • General Professional Information
  • Username + Password for any online account
Notification Required Beyond Affected Individual: Yes: notify the appropriate state regulator within the Dept. of Professional and Financial Regulation (if not regulated by the Dept., give notice to AG). If over 1,000 persons, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Investigation to determine the likelihood that PI has been or will be misused
  • Within: As expediently as possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties:
  • A violation of the statute is a civil violation and is subject to one or more of the following: (1) a fine not to exceed $500 per violation, but a maximum of $2,500 for each day the person is in violation (this does not apply to gov’t agencies), (2) equitable relief, or (3) an injunction against further violations
  • Enforcement is by the appropriate state regulators within the Dept. of Professional and Financial Regulation or AG

Maryland

Businesses

Authority: Md. Code, Com. Law § 14-3501, et seq.
Who Must Comply: Businesses who:
  • Own or license PI
What is Personal Information?
  • General Professional Information
  • Taxpayer Identification Number
Notification Required Beyond Affected Individual: Yes: notify AG (before notifying residents, and even if the investigation deems notification unnecessary); if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Investigation to determine the likelihood that PI has been or will be misused
  • Within: Without unreasonable delay
Private Cause of Action: Yes
Fines & Penalties: A violation of the statute is an unfair or deceptive trade practice and is subject to the enforcement and penalties provided in Md. Code, Com. Law § 13-301 et seq.

Gov’t agencies

Authority: Md. Code, State Gov’t § 10-1305, et seq.
Who Must Comply: Gov’t agency, department, board, commission, authority, public institution of higher education, public corporation, unit or instrumentality of the State, or any political subdivision of the State who:
  • Collects computerized data that includes PI
Non-affiliated third party who:
  • Maintains computerized data that includes PI (if the contract with the gov’t entity authorizes notification)
What is Personal Information?
  • General Professional Information
  • Taxpayer Identification Number
  • Passport Number
Notification Required Beyond Affected Individual: Yes: notify the Office of the AG and the Dept. of Information Technology; if 1,000 or more individuals, also notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: An investigation to determine whether the unauthorized acquisition of PI has resulted or is likely to result in the misuse of the information
  • Within: As soon as reasonably practicable after the investigation
Private Cause of Action: Statute silent
Fines & Penalties: Statute silent

Massachusetts

Authority: Mass. Gen. Laws ch. 93H, § 1 et seq.; 201 Mass. Code Regs. 17.01, et seq.
Who Must Comply: Individuals, businesses, and gov’t agencies who:
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: notify AG and the Director of Consumer Affairs & Business Regulation. For a breach at an executive department agency, also notify the Information Technology Division and the Division of Public Records
When Must Notification Be Given:
  • Following: When a person or agency (1) knows or has reason to know of a breach of security, or (2) knows or has reason to know that PI was acquired or used by an unauthorized person or used for an unauthorized purpose
  • Within: As soon as practicable and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties:
  • AG may bring an action pursuant to Mass. Gen. Laws ch. 93A, § 4 for violations of the statute
  • Penalties may include injunctive relief and civil penalties

Michigan

Authority: Mich. Comp. Laws § 445.63; § 445.72
Who Must Comply: Individuals, businesses, and gov’t agencies who:
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Discovery of a breach
  • Within: Without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties:
  • A person that knowingly fails to provide any notice of a security breach is subject to a civil fine not to exceed $250 for each failure to provide notice, with aggregate liability not to exceed $750,000
  • AG or a prosecuting attorney may bring an action to recover civil fines

Minnesota

Persons and businesses

Authority: Minn. Stat. § 325E.61
Who Must Comply: Persons and businesses who:
  • Conduct business in MN and
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: if over 500 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Discovery of a breach
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: AG has enforcement powers

Gov’t agencies

Authority: Minn. Stat. § 13.01; § 13.05, et seq.
Who Must Comply: Gov’t agencies who:
  • Collect, create, receive, maintain, or disseminate private or confidential data on individuals
What is Personal Information? See statute for definitions of:
  • Confidential data on individuals
  • Private data on individuals
Notification Required Beyond Affected Individual: Yes: if over 1,000 residents, notify national consumer reporting agencies. Note: the affected individual must eventually be given a copy of the report detailing the breach
When Must Notification Be Given:
  • Following: Discovery of a breach where private or confidential data was, or is reasonably believed to have been, acquired by an unauthorized person
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Yes
Fines & Penalties:
  • Gov’t entity is deemed to have waived immunity
  • Gov’t entity is subject to actual damages, costs, and attorney’s fees
  • For willful violations, gov’t entity shall be liable for exemplary damages of not less than $1,000 nor more than $15,000 for each violation
  • Gov’t entity may also be enjoined from future violations

Mississippi

Authority: Miss. Code Ann. § 75-24-29
Who Must Comply: Individuals and businesses who:
  • Conduct business in MS and
  • In the ordinary course of their business functions, own, license, or maintain PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: No
When Must Notification Be Given:
  • Following: Breach of security, where there is an unauthorized acquisition of PI that has not been rendered unreadable or unusable
  • Within: Without unreasonable delay
Private Cause of Action: No
Fines & Penalties: Failure to comply with the statute constitutes an unfair practice and shall be enforced by AG

Missouri

Authority: Mo. Rev. Stat. § 407.1500
Who Must Comply: Individuals, businesses, and gov’t agencies who:
  • Own or license PI
What is Personal Information?
  • General Professional Information
  • Medical Information
  • Health Insurance Information
Notification Required Beyond Affected Individual: Yes: if over 1,000 residents, notify AG and national consumer reporting agencies
When Must Notification Be Given:
  • Following: Unauthorized access to and unauthorized acquisition of PI that compromises the security, confidentiality, or integrity of the PI
  • Within: Without unreasonable delay
Private Cause of Action: No
Fines & Penalties: AG has exclusive authority to bring an action for actual damages for a willful and knowing violation, and may seek a civil penalty not to exceed $150,000 per security breach or series of breaches of a similar nature (discovered in a single investigation)

Montana

Individuals and businesses

Authority: Mont. Code Ann. § 30-14-1701, et seq.
Who Must Comply: Individuals and businesses who:
  • Conduct business in MT and
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: No
When Must Notification Be Given:
  • Following: Discovery of a breach where unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person
  • Within: Without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: Statute silent

Gov’t agencies

Authority: Mont. Code Ann. § 2-6-501
Who Must Comply: State agencies, or third parties acting on behalf of state agencies, who:
  • Maintain PI
What is Personal Information?
  • General Professional Information
  • Medical Information
  • Taxpayer Identification Number
Notification Required Beyond Affected Individual: Yes: simultaneously with the notification to affected individuals, send the notification to AG’s consumer protection office
When Must Notification Be Given:
  • Following: Discovery or notification of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person
  • Within: Without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: Statute silent

Nebraska

Authority: Neb. Rev. Stat. § 87-801, et seq.
Who Must Comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in NE and
  • Own or license PI
What is Personal Information?
  • General Professional Information
  • Biometric Data
  • Username + Password for any online account
Notification Required Beyond Affected Individual: No
When Must Notification Be Given:
  • Following: An investigation and determination that PI was used, or is reasonably likely to be used, for an unauthorized purpose
  • Within: As soon as possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: AG may issue subpoenas and seek and recover direct economic damages for each affected resident injured by a violation of the statute

Nevada

Authority: Nev. Rev. Stat. § 603A.010, et seq.
Who Must Comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in NV and
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Breach of security where unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties: AG or a district attorney may bring an action to obtain a temporary or permanent injunction against a person who violates, proposes to violate, or has violated the statute

New Hampshire

Authority: N.H. Rev. Stat. § 359-C:19, et seq.
Who Must Comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in NH and
  • Own or license PI
  • Note: for specific regulations concerning data breaches of school records, see N.H. Rev. Stat. § 189:66
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: notify the regulator who has primary authority over the specific trade or commerce (all others notify AG’s office); if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: A determination of the likelihood that PI has been or will be misused
  • Within: As soon as possible
Private Cause of Action: Yes
Fines & Penalties:
  • A person may institute an action for actual damages and for equitable relief, including an injunction
  • If the violation is willful or knowing, the court shall award as much as three times, but not less than two times, the amount of recovery
  • AG shall have enforcement power

New Jersey

Authority: N.J. Rev. Stat. § 56:8-161; § 56:8-163
Who Must Comply: Businesses and gov’t agencies who:
  • Conduct business in NJ or
  • If a gov’t agency, compile or maintain records with PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: notify the Division of State Police in the Dept. of Law and Public Safety; if over 1,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Discovery of a breach where a resident’s PI was, or is reasonably believed to have been, accessed by an unauthorized person
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Statute silent, but see Holmes v. Countrywide Fin. Corp., No. 5:08-CV-00205-R, 2012 WL 2873892 (W.D. Ky. July 12, 2012)
Fines & Penalties:
  • It is an unlawful trade practice to willfully, knowingly, or recklessly violate the statute
  • AG may investigate breaches and impose penalties

New Mexico

No statute

New York

Authority: N.Y. Gen. Bus. Law § 899-aa; N.Y. State Tech. Law § 208
Who Must Comply: Persons and businesses who:
  • Conduct business in NY and
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: notify AG, the Dept. of State, and the Division of State Police. If over 5,000 residents, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Any breach of a security system where PI was, or is reasonably believed to have been, acquired by a person without valid authorization
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties:
  • AG may bring action to enjoin and restrain violations
  • Court may award actual costs or losses incurred by an affected resident, including consequential financial losses
  • If a person or business knowingly or recklessly violates the statute, a civil penalty of the greater of the following: $5,000, or $10 per instance of failed notification (the latter not to exceed $150,000)
  • Note: Statute of limitations: an action must be commenced within 2 years immediately after the date of the act or the date of discovery of the act

North Carolina

Authority: N.C. Gen. Stat. § 75-61; § 75-65
Who Must Comply: Businesses who:
  • Own or license PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: Yes: notify the Consumer Protection Division of AG’s Office; if over 1,000 persons, notify national consumer reporting agencies
When Must Notification Be Given:
  • Following: Discovery of a breach
  • Within: Without unreasonable delay
Private Cause of Action: Yes
Fines & Penalties:
  • Violation of the statute is an unfair or deceptive act or practice (see N.C. Gen. Stat. § 75-1.1)
  • Civil penalties of up to $5,000 (see N.C. Gen. Stat. § 75-15.2)

North Dakota

Authority: N.D. Cent. Code § 51-30-01, et seq.
Who Must Comply: Persons who:
  • Conduct business in ND and
  • Own or license PI
What is Personal Information?
  • General Professional Information
  • Biometric Data
  • Signature
  • Passport Number
  • Taxpayer Identification Number
Notification Required Beyond Affected Individual: No
When Must Notification Be Given:
  • Following: Discovery of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person
  • Within: Most expedient time possible and without unreasonable delay
Private Cause of Action: Statute silent
Fines & Penalties:
  • A violation of the statute is considered an unlawful deceptive practice or act (see N.D. Cent. Code § 51-15-01 et seq.)
  • AG has enforcement powers

Ohio

Individuals and businesses

Authority: Ohio Rev. Code § 1349.19
Who Must Comply: Individuals and businesses who:
  • Conduct business in OH and
  • Own or license PI
What is Personal Information?
  • General Professional Information
  • Medical Information
  • Signature
  • Health Insurance Information
  • Date of Birth
  • Employer Identification Number
  • Mother’s Maiden Name
Notification Required Beyond Affected Individual: No
When Must Notification Be Given:
  • Following: Discovery of a breach where PI was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, where there is a reasonable belief of a material risk of identity theft or other fraud
  • Within: Most expedient time possible, but not later than 45 days following discovery of the breach
Private Cause of Action: Statute silent
Fines & Penalties: AG has investigative powers and the right to bring a civil action against any person who fails to comply with the statute

Gov’t agencies

Authority: Ohio Rev. Code § 1347.12
Who Must Comply: Any state agency or agency of a political subdivision who:
  • Owns or licenses PI
What is Personal Information?
  • General Professional Information
Notification Required Beyond Affected Individual: No
When Must Notification Be Given:
  • Following: Discovery of any breach where PI was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, if the access and acquisition by the unauthorized person causes or is reasonably believed to cause a material risk of identity theft or other fraud to a resident of the state
  • Within: Most expedient time possible, but not later than 45 days following discovery of the breach
Private Cause of Action: Statute silent
Fines & Penalties: AG, pursuant to Ohio Rev. Code §§ 1349.191 and 1349.192, may conduct an investigation and bring a civil action upon an alleged failure by a state agency or agency of a political subdivision to comply with the requirements of this section

Oklahoma

Individuals: Okla. Stat. tit. 24, § 161, et seq. Individuals, businesses, and gov’t agencies who:
  • Own or license PI
  • General Professional Information
No Discovery of a breach where unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person and there is a reasonable belief identify theft or fraud has occurred or will occur Without unreasonable delay Statute silent
  • A violation of the statute that results in injury or loss to residents constitutes an unlawful practice under the Oklahoma Consumer Protection Act and is enforceable by AG
  • AG may bring an action to obtain actual damages or a civil penalty not to exceed $150,000 per security breach or series of breaches of a similar nature discovered in a single investigation
Gov't Agencies: Okla. Stat. tit. 74, § 3113.1 Any state agency or agency of a political subdivision that:
  • Owns or licenses PI
  • General Professional Information
No Discovery or notification of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person In the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement Statute silent Statute silent

Oregon

Or. Rev. Stat.
§ 646A.600; § 646A.602; § 646A.604; § 646A.624; § 646A.626
Individuals, businesses, and gov’t agencies who:
  • Own PI and
  • Use PI in the course of the individual or entity’s business, vocation, occupation or volunteer activities.
  • Biometric Data
  • Medical Information
  • Health Insurance Information
  • General Professional Information
Yes: if over 1,000 residents, notify national consumer reporting agencies Discovery of a breach, i.e., an unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of PI Most expeditious time possible and without unreasonable delay Possibly, see Or. Rev. Stat. § 646A.624(4)
  • Director of Dept. of Consumer & Business Protection may conduct an investigation
  • Director may issue a “cease and desist” order or require a person to pay compensation to injured individuals
  • Any person who violates, procures, aids, or abets a violation is subject to a civil penalty not to exceed $1,000 per violation and $500,000 total (each violation is a separate offense and each day is a separate violation)

Pennsylvania

73 Pa. Stat.
§ 2301, et seq
Individuals, businesses, and gov’t agencies who:
  • Maintain, store or manage PI
  • General Professional Information
Yes: if over 1,000 persons, notify national consumer reporting agencies Discovery of a security breach, where unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person Without unreasonable delay Statute silent A violation of the statute is an unfair or deceptive act or practice and AG has exclusive authority to bring an action
STATE Authority Who Must Comply What is Personal Information? Notification Required Beyond Affected Individual When Must Notification Be Given: Private Cause of Action Fines & Penalties
Following: Within:

Rhode Island

11 R.I. Gen. Laws
§ 11-49.2-1, et seq
Individuals, businesses, and gov’t agencies who:
  • Own, maintain, or license PI
  • General Professional Information
  • Health Insurance Information
  • Medical Information
  • Username + Password for any online account
No Discovery of a breach where PI is reasonably believed to have been acquired by an unauthorized person Most expedient time possible but no later than 45 days after the confirmation of the breach Statute silent
  • Each reckless violation a penalty of not more than $100
  • Each knowing and willful violation a penalty of not more than $200

South Carolina

S.C. Code Ann.
§ 39-1-90
Persons who:
  • Conduct business in SC and
  • Own or license PI
  • General Professional Information
Yes: if over 1,000 residents, notify Consumer Protection Division of the Dept. of Consumer Affairs and national consumer reporting agencies Discovery of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person and there is a material risk of harm to the resident Most expedient time possible and without unreasonable delay Yes A person who knowingly and willfully violates the statute is subject to a $1,000 administrative fine for each resident whose information was accessible by reason of the breach, with the total amount decided by the Dept. of Consumer Affairs

South Dakota

No statute

Tennessee

Tenn. Code Ann.
§ 47-18-2107
Individuals, businesses, and gov’t agencies who:
  • Conduct business in TN and
  • Own or license PI
  • General Professional Information
Yes: if over 1,000 persons, notify national consumer reporting agencies Discovery of a breach where PI is reasonably believed to have been acquired by an unauthorized person Immediately, but no later than 45 days following the discovery of, or notification to the covered entity of, a security breach Yes Violations fall under the Tennessee Consumer Protection Act and are an unfair or deceptive act

Texas

Tex. Bus. & Com. Code
§ 521.002; § 521.053; § 521.151
Persons who:
  • Conduct business in TX and
  • Own or license PI
  • General Professional Information
  • Medical Information
  • Health Insurance Information
Yes: if over 10,000 persons, notify national consumer reporting agencies Discovery of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person As quickly as possible Statute silent
  • Civil penalty of at least $2,000 but not more than $50,000 for each violation
  • AG may: (1) bring an action to recover penalty, (2) file a TRO or (3) file a temporary or permanent injunction
  • Violator of § 521.053(b) is liable to the state for a civil penalty of not more than $100 for each individual to whom notification is due and for each consecutive day the person fails to comply
  • Civil penalties may not exceed $250,000 for all individuals to whom notification is due after a single breach
  • AG has enforcement power
  • For criminal penalties see Tex. Pen. Code § 33.02

Utah

Utah Code
§ 13-44-101; § 13-44-202; § 13-44-301
Persons who:
  • Own or license PI
  • General Professional Information
Yes: if over 1,000 residents, notify national consumer reporting agencies A prompt investigation With the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery of the breach or notification from a third party Statute silent Dept. of Financial Regulation, AG, and the state's attorney have sole and full authority to investigate potential violations and to enforce, prosecute, obtain, and impose remedies

Vermont

Vt. Stat. Ann.
Tit. 9, § 2430; § 2435
Businesses and gov’t agencies who:
  • Own or license PI
  • General Professional Information
Yes: if over 1,000 residents, notify national consumer reporting agencies A prompt investigation With the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery of the breach or notification from a third party Statute silent Dept. of Financial Regulation, AG, and the state's attorney have sole and full authority to investigate potential violations and to enforce, prosecute, obtain, and impose remedies

Virginia

Va. Code Ann.
§ 18.2-186.6
Individuals, businesses, and gov’t agencies who:
  • Own or license PI
  • General Professional Information
Yes: if over 1,000 persons, notify AG and national consumer reporting agencies A reasonable belief that unencrypted or unredacted PI was accessed and acquired by an unauthorized person, which causes, or the individual or entity reasonably believes will cause, identity theft or fraud Without unreasonable delay Yes AG may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation
Va. Code Ann.
§ 32.1-127.1:05
Gov’t agencies who:
  • Own or license medical information
  • Medical Information
See Va. Code § 32.1-127.1:05
Yes: notify AG and Commissioner of Health If unencrypted or unredacted medical information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person Without unreasonable delay Statute silent Statute silent

Washington

Individuals: Wash. Rev. Code § 19.255.010, et seq Persons and businesses who:
  • Conduct business in WA and
  • Own or license PI
  • General Professional Information
No Discovery of a breach Most expedient time possible and without unreasonable delay Yes Any business that violates, proposes to violate, or has violated the statute may be enjoined
Gov't agencies: Wash. Rev. Code § 42.56.590, et seq Gov’t agencies that:
  • Own or license PI
  • General Professional Information
Yes: if more than 500 persons, must notify the AG Following discovery or notification of a breach Most expedient time possible and without unreasonable delay, no more than 45 days after the breach was discovered Yes Any agency that violates or proposes to violate this section may be enjoined

West Virginia

W. Va. Code
§ 46A-2A-101, et seq
Individuals, businesses, and gov’t agencies who:
  • Own or license PI
  • General Professional Information
Yes: if over 1,000 persons, notify national consumer reporting agencies Discovery of a breach, where unencrypted and unredacted PI was or is reasonably believed to have been accessed and acquired by an unauthorized person and is reasonably likely to lead to identity theft or fraud Without unreasonable delay Statute silent
  • Failure to comply constitutes an unfair or deceptive act or practice, enforceable by AG
  • No civil penalty shall exceed $150,000 per breach or series of breaches of a similar nature that are discovered in a single investigation
  • Court must find that defendant engaged in a course of repeated and willful violations
  • Violation by a licensed financial institution shall be enforceable exclusively by the institution’s primary functional regulator

Wisconsin

Wis. Stat.
§ 134.98
Businesses who:
  • Maintain or license PI in WI
  • General Professional Information
  • Biometric Data
Yes: if over 1,000 persons, notify national consumer reporting agencies Business’ knowledge that PI, in its possession, has been acquired by an unauthorized person A reasonable time not to exceed 45 days Statute silent Statute silent

Wyoming

Wyo. Stat. Ann.
§ 40-12-501, et seq.
Individuals and commercial entities who:
  • Conduct business in WY and
  • Own or license PI
  • General Professional Information
  • Username + Password for any online account
  • Medical Information
  • Healthcare Information
  • Biometric Data
  • Taxpayer Identification Number
No An investigation to determine the likelihood that PI has been or will be misused As soon as possible, in the most expedient time possible and without unreasonable delay Statute silent AG may bring an action in law or equity to address any violation and for other relief that may be appropriate to ensure proper compliance, to recover damages, or both

Disclaimer: This survey is current as of 5/2018. This material is made available for general informational purposes only. The field of insurance law is ever-evolving, and courts may change their views at any time. Readers are advised to independently verify the information contained herein. This material is not intended to, and does not constitute, legal advice, nor is it intended to constitute a solicitation for the formation of an attorney-client relationship. 

For more information or questions on cyber risk strategies, please contact us at coverage@sdvlaw.com.
