Cyber Risk – Security Breach Notification Statutes

Date Posted: Thursday, September 19, 2024

Security breaches are making headlines the world over, with high-profile companies, including Target, Home Depot, LinkedIn, and Sony Pictures Entertainment, suffering crippling attacks over the past few years. Such breaches may be devastating to a business’ reputation, but reputational harm is not the only consequence: a breach may also trigger important legal obligations under state and federal statutes. Nearly every state has enacted legislation governing a business’ obligation to notify an individual that his or her personal information may have been subject to a security breach. These laws are commonly referred to as “security breach” or “data breach” notification statutes. Fortunately, the expanding cyber liability insurance market offers policies that cover the first-party and third-party expenses arising out of a security breach, including notification expenses. This survey examines several key, common issues with respect to state security breach notification laws. Below is an explanation of each column in the survey:

Who Must Comply

This column identifies who must comply with the statute. A majority of states provide that a “maintainer” of personal information is not required to provide notice directly to an impacted individual. Rather, a maintainer is charged with notifying the “owner” or “licensee” of the information, and the owner or licensee must notify the impacted individual. Please consult the specific statute for the definition and responsibilities of a “maintainer.”

What is Personal Information

This column lists the categories of data that the statute treats as “personal information.” Please consult the key below for the meaning of each category.

Notification Required Beyond Affected Individual

Every state with a notification statute requires that an individual impacted by the breach be notified. This column identifies whether there are any additional notice obligations.

When Must Notification Be Given

This column identifies when the notice obligation is triggered: when the security breach is discovered, or when there is a reasonable belief that “personal information” was acquired by an unauthorized person. This column also identifies the timeframe within which the impacted individual must be notified. A majority of states provide that notice may be delayed if a law enforcement agency determines that notification would impede a criminal investigation; in that case, notification typically must be made once the law enforcement agency determines that notice will no longer compromise the investigation. A significant minority of states provide that if an entity conducts a good-faith investigation and determines that there is not a reasonable likelihood of harm to the consumer, then notification is not required. Typically, that determination must be: (1) in writing, (2) maintained for a statutorily prescribed period of time, and (3) made in conjunction with local, state, and federal law enforcement agencies. Please consult the specific state statute for detailed requirements.

Private Cause of Action

This column identifies whether the law expressly provides an impacted individual with a private cause of action for an entity’s failure to comply with the notification requirements.

Fines and Penalties

This column identifies whether the statute allows for fines and/or penalties to be assessed for failure to comply with the statute’s notification requirements.

KEY TO PERSONAL INFORMATION

  • General Professional Information: Individual’s name + one of the following: Social Security number, driver’s license number, state-issued identification number, or information sufficient to access financial accounts (e.g., personal identification number (PIN), debit or credit card number, bank account number, account password, etc.)

Abbreviated Terms:
  • AG = State Attorney General
  • PI = Personal Information

Each state entry below sets out the following fields: Authority; Who Must Comply; What is Personal Information; Notification Required Beyond Affected Individual; When Must Notification Be Given (Following: the triggering event; Within: the deadline); Private Cause of Action; and Fines & Penalties.

Alabama

Authority: Ala. Code § 8-38-1, et seq.
Who must comply: Persons, businesses, or gov’t entities that acquire or use sensitive PI.
Personal information:
  • General Professional Information
  • Medical Information
  • Health Insurance Information
  • Username + Password for any online account
Notification beyond affected individual: Yes. If over 1,000 individuals, notify the AG and all national consumer reporting agencies.
Notification following: Investigation and reasonable belief that PI was acquired by an unauthorized person and is reasonably likely to cause substantial harm to the individuals to whom the information relates.
Notification within: Expeditiously and without unreasonable delay, but within 45 days of receiving notice of the breach from a third-party agent.
Private cause of action: No.
Fines & penalties:
  • AG may bring suit for civil penalties under the Deceptive Trade Practices Act, Ala. Code § 8-19-1.
  • Civil penalty of not more than $5,000 per day for each consecutive day that the covered entity fails to take reasonable action to comply with the notice provisions.
  • Gov’t entities are exempt from any penalty.
  • Recovery limited to actual damages for a knowing violation, plus reasonable attorney’s fees and costs.

Alaska

Authority: Alaska Stat. § 45.48.010, et seq.
Who must comply: Persons doing business, persons with more than 10 employees, and gov’t agencies who:
  • Own or license PI
Personal information:
  • General Professional Information
Notification beyond affected individual: Yes. If over 1,000 residents, notify national consumer reporting agencies.
Notification following: Investigation and reasonable belief that harm has resulted or will result from the breach.
Notification within: Most expeditious time possible and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties:
  • If the information collector is a gov’t agency: liable to the state for up to $500 for each state resident who was not notified, but not to exceed $50,000.
  • May be enjoined from further violations.
  • If the information collector is not a gov’t agency: failure to notify is considered an unfair or deceptive act or practice under Alaska Stat. § 45.50.471, et seq.; liable to the state for up to $500 for each state resident who was not notified, but not to exceed $50,000.

Arizona

Authority: Ariz. Rev. Stat. § 18-552
Who must comply: Individuals, businesses, and gov’t entities who:
  • Conduct business in AZ and
  • Own or license PI
Personal information:
  • General Professional Information
  • Username + Password for any online account
Notification beyond affected individual: Yes. If over 1,000 individuals, notify the three largest national consumer reporting agencies, the AG, and the director of the AZ Dept. of Homeland Security.
Notification following: Investigation and reasonable likelihood of a breach.
Notification within: Within 45 days after determination of the breach.
Private cause of action: No.
Fines & penalties:
  • AG enforcement of a civil penalty not to exceed $10,000 per affected individual or the total amount of loss sustained by the affected individuals, but not to exceed $500,000 for a breach or series of breaches.
  • Actual damages for a willful or knowing violation.

Arkansas

Authority: Ark. Code § 4-110-101, et seq.
Who must comply: Individuals, businesses, and gov’t agencies who:
  • Own, license, or acquire PI
Personal information:
  • General Professional Information
  • Medical Information
  • Biometric Data
Notification beyond affected individual: Yes. If over 1,000 individuals, notify the AG simultaneously with the individuals (or within 45 days).
Notification following: Reasonable belief that PI was acquired by an unauthorized person and there is a reasonable likelihood of harm to customers.
Notification within: Most expedient manner and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties: AG may bring suit under the Deceptive Trade Practices Act (Ark. Code § 4-88-101, et seq.).

California

Authority: Cal. Civ. Code § 1798.29; § 1798.80, et seq.
Who must comply: Persons and businesses who:
  • Conduct business in CA and
  • Own or license PI
Personal information:
  • General Professional Information
  • Medical Information
  • Health Insurance Information
  • Date of Birth
  • Username + Password for any online account
Notification beyond affected individual: Yes. If over 500 residents, provide a copy of the sample notification to the AG.
Notification following: Reasonable belief that PI was acquired by an unauthorized person.
Notification within: Most expedient manner and without unreasonable delay.
Private cause of action: Yes. Affected individual may seek damages.
Fines & penalties:
  • For willful, intentional, or reckless violations, a customer may recover up to $3,000 per violation; otherwise, a customer may recover up to $500 per violation.
  • Reasonable attorney’s fees and costs.
  • Any business that violates, proposes to violate, or has violated the statute may be enjoined.
Colorado

Authority: Colo. Rev. Stat. § 6-1-716
Who must comply: Individuals and businesses who:
  • Conduct business in CO and
  • Own or license PI
Personal information:
  • General Professional Information
  • Health Insurance Information
  • Medical Information
  • Biometric Data
  • Passport Number
  • Username + Password for any online account
Notification beyond affected individual: Yes. If over 500 Colorado residents, notify the AG within 30 days; if over 1,000 residents, notify all national consumer reporting agencies.
Notification following: Investigation and reasonable likelihood of misuse of PI.
Notification within: Most expedient time possible and without unreasonable delay, but within 30 days of determination of the breach.
Private cause of action: Statute silent.
Fines & penalties: AG may bring an action in law or equity to address violations of the statute.

Connecticut

Authority: Conn. Gen. Stat. § 36a-701b
Who must comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in CT and
  • Own or license PI
Personal information:
  • General Professional Information
  • Taxpayer Identification Number
  • Passport Number
  • Medical Information
  • Health Insurance Information
  • Biometric Data
  • Username + Password for any online account
Notification beyond affected individual: Yes. Simultaneously give notice to the AG.
Notification following: Reasonable belief that PI was acquired by an unauthorized person.
Notification within: Without unreasonable delay, but not later than 60 days after discovery of the breach.
Note: See Bulletin IC-25 for provisions that apply to registrants and licensees of the CT Insurance Dept.
Private cause of action: Statute silent.
Fines & penalties: Failure to comply with the statute constitutes an unfair trade practice under Conn. Gen. Stat. § 42-110b and is enforceable by the AG.

Delaware

Authority: Del. Code tit. 6, § 12B-101, et seq.
Who must comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in DE and
  • Own or license PI
Personal information:
  • General Professional Information
  • Health Insurance Information
  • Biometric Data
  • Medical Information
  • Passport Number
  • Username + Password for any online account
  • Taxpayer Identification Number
Notification beyond affected individual: Yes. If more than 500 residents, notify the AG.
Notification following: Investigation to determine the likelihood that PI was or will be misused.
Notification within: Without unreasonable delay, but within 60 days.
Private cause of action: Statute silent.
Fines & penalties: AG may bring an action in law or equity for violations of the statute and may recover direct economic damages, “other relief that may be appropriate to ensure proper compliance,” or both.

District of Columbia

Authority: D.C. Code § 28-3851, et seq.
Who must comply: Persons and entities who:
  • Conduct business in DC and
  • Own or license PI
Personal information:
  • General Professional Information
  • Taxpayer Identification Number
  • Passport Number
  • Medical Information
  • Health Insurance Information
  • Biometric Data
  • Username + Password for any online account
Notification beyond affected individual: Yes. If over 50 residents, simultaneously notify the AG; if over 1,000 residents, notify all national consumer reporting agencies.
Notification following: Discovery of a breach.
Notification within: Most expedient manner and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties:
  • Failure to comply with the statute constitutes an unfair trade practice under D.C. Code § 28-3904.
  • The remedies are cumulative with each other and with those available under other laws.

Florida

Authority: Fla. Stat. § 501.171
Who must comply: Businesses and gov’t entities who:
  • Acquire, maintain, store, or use PI
Personal information:
  • General Professional Information
  • Medical Information
  • Health Insurance Information
  • Username + Password for any online account
  • Passport Number
Notification beyond affected individual: Yes. If over 500 residents, notify the FL Dept. of Legal Affairs (within 30 days); if over 1,000 residents, notify national consumer reporting agencies.
Notification following: Reasonable belief that PI was accessed as a result of a breach.
Notification within: 30 days of determination of the breach (an additional 15 days may be granted if good cause is shown).
Private cause of action: No.
Fines & penalties:
  • A violation of the statute is considered an unfair or deceptive trade practice.
  • An entity shall be liable for a civil penalty not to exceed $500,000 ($1,000 per day for the first 30 days following any violation and $50,000 for each subsequent 30-day period or portion thereof, for up to 180 days).
  • Penalties apply per breach, not per individual.
  • Fines and penalties do not apply to gov’t agencies.

Georgia

Authority: Ga. Code §§ 10-1-910 to 10-1-912
Who must comply: Persons, entities, and certain gov’t agencies who:
  • Maintain PI
Note: For regulations specifically concerned with the requirements for telephone records and a telecommunications company’s obligations, see Ga. Code § 46-5-214.
Personal information:
  • General Professional Information
  • Username + Password for any online account
Notification beyond affected individual: Yes. If over 10,000 residents, notify national consumer reporting agencies.
Notification following: A breach where residents’ unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Notification within: Most expedient time possible and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties: Statute silent.

Hawaii

Authority: Haw. Rev. Stat. § 487N-1, et seq.
Who must comply: Businesses and gov’t agencies who:
  • Own or license PI
  • Maintain or process records containing PI
  • Are in the business of record destruction
Personal information:
  • General Professional Information
  • Username + Password for any online account
Notification beyond affected individual: Yes. If over 1,000 residents, notify the Hawai‘i Office of Consumer Protection and national consumer reporting agencies (a gov’t agency does not have to notify consumer reporting agencies).
Notification following: Immediately following discovery of the breach.
Notification within: Without unreasonable delay.
Private cause of action: No.
Fines & penalties:
  • AG or the Executive Director of the Office of Consumer Protection may bring an action.
  • Penalties shall not exceed $2,500 for each violation.
  • Reasonable attorney’s fees.
  • No action against a gov’t agency.

Idaho

Authority: Idaho Code Ann. § 28-51-104, et seq.
Who must comply: Individuals, commercial entities, and gov’t agencies who:
  • Conduct business in ID and
  • Own or license PI
Personal information:
  • General Professional Information
Notification beyond affected individual: Yes. A gov’t agency that becomes aware of a breach must notify the AG within 24 hours.
Notification following: Investigation to determine the likelihood that PI has been or will be misused.
Notification within: Most expedient time possible and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties:
  • Intentional failure to give notice is subject to a fine not to exceed $25,000 per breach.
  • The “primary regulator” (usually the AG for individuals and commercial entities) of an agency, individual, or commercial entity may bring a civil action to enforce compliance and to enjoin further violations.
  • A gov’t employee who intentionally discloses PI is guilty of a misdemeanor punishable by a fine not to exceed $2,000, imprisonment of not more than 1 year, or both.

Illinois

Authority: 815 Ill. Comp. Stat. 530/5, et seq.
Who must comply: Businesses and gov’t agencies who:
  • Own or license PI
Personal information:
  • General Professional Information
  • Health Insurance Information
  • Medical Information
  • Biometric Data
  • Username + Password for any online account
Notification beyond affected individual: Yes. A business whose breach affects over 500 residents must notify the AG. A gov’t agency whose breach affects over 250 residents must notify the AG within 45 days, and a gov’t agency whose breach affects over 1,000 persons must also notify all national consumer reporting agencies.
Notification following: Discovery of the security breach.
Notification within: Most expedient time possible and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties: A violation of the statute is an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.

Indiana

Individuals and businesses:
Authority: Ind. Code § 24-4.9-1-1, et seq.
Who must comply: Individuals and businesses who:
  • Own or license PI
Personal information:
  • General Professional Information
Notification beyond affected individual: Yes. Notify the AG; if over 1,000 residents, also notify national consumer reporting agencies.
Notification following: Breach where unencrypted PI was or may have been acquired by an unauthorized person, or encrypted PI was or may have been acquired by an unauthorized person with access to the encryption key.
Notification within: Without unreasonable delay, but not more than 45 days after discovery of the breach.
Private cause of action: No.
Fines & penalties:
  • Failure to disclose or notify a resident is a deceptive act, actionable only by the AG.
  • For violations of the notification rules: the AG may bring an action for an injunction against future violations of the statute, a civil penalty of not more than $150,000 per deceptive act, and the AG’s reasonable costs.
  • For violations of the record retention rules: the AG may bring an action for an injunction against future violations of the statute, a civil penalty of not more than $5,000 per deceptive act, and the AG’s reasonable costs.

Gov’t agencies:
Authority: Ind. Code § 4-1-11-1, et seq.
Who must comply: Gov’t agencies who:
  • Own or license PI
Personal information:
  • General Professional Information
Notification beyond affected individual: Yes. If over 1,000 residents, notify national consumer reporting agencies.
Notification following: Discovery of a breach where PI was or is reasonably believed to have been acquired by an unauthorized person.
Notification within: Without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties: Statute silent.

Iowa

Authority: Iowa Code § 715C.1, et seq.
Who must comply: Individuals, businesses, and gov’t agencies who:
  • Own or license PI used in the course of the person’s business, vocation, occupation, or volunteer activity
Personal information:
  • General Professional Information
  • Biometric Data
Notification beyond affected individual: Yes. If over 500 residents, notify the Director of the Consumer Protection Division of the Office of the AG within 5 business days of giving notice to residents.
Notification following: Discovery of a breach.
Notification within: Most expeditious manner possible and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties: Any violation of the statute is an unlawful practice (Iowa Code § 714.16), and the AG may seek damages and equitable relief pursuant to Iowa Code § 714.16(7), including a civil penalty not to exceed $40,000.

Kansas

Authority: Kan. Stat. Ann. § 50-7a01, et seq.
Who must comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in KS and
  • Own or license PI
Personal information:
  • General Professional Information
Notification beyond affected individual: Yes. If over 1,000 residents, notify national consumer reporting agencies.
Notification following: An investigation to determine the likelihood that PI has been or will be misused.
Notification within: Most expedient time possible and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties:
  • AG may bring an action in law or equity to address violations of the statute and for other appropriate relief.
  • The Insurance Commissioner has sole authority to enforce the statute for violations by an insurance company licensed to do business in KS.

Kentucky

Individuals and businesses:
Authority: Ky. Rev. Stat. Ann. § 365.732
Who must comply: Persons and businesses who:
  • Conduct business in KY and
  • Own or license PI
Personal information:
  • General Professional Information
Notification beyond affected individual: Yes. If over 1,000 residents, notify all national consumer reporting agencies and credit bureaus.
Notification following: Breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Notification within: Most expedient time possible and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties: Statute silent.

Gov’t agencies:
Authority: Ky. Rev. Stat. Ann. § 61.933
Who must comply: Gov’t agencies who:
  • Collect, maintain, or store PI
Personal information:
  • General Professional Information
  • Biometric Data
  • Medical Information
  • Passport Number
Notification beyond affected individual: Yes. Within 72 hours, notify the Commissioner of the KY State Police, the Auditor of Public Accounts, and the AG. If over 1,000 residents, notify national consumer reporting agencies. See statute for additional requirements for individual agencies.
Notification following: Investigation to determine the reasonable likelihood of misuse of PI.
Notification within:
  • Within 72 hours of completion of the investigation, notify the respective agency officials and the Dept. for Libraries.
  • Within 35 days after notification of the agency officials, notify affected individuals.
Private cause of action: No.
Fines & penalties: AG’s office may bring an action in the Franklin Circuit Court against an agency, a nonaffiliated third party that is not an agency, or both, for injunctive relief and other legal remedies to enforce the statute.

Louisiana

Authority: La. Stat. Ann. § 51:3071, et seq.; La. Admin. Code tit. 16, pt. III, § 701
Who must comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in LA or
  • Own or license PI
Personal information:
  • General Professional Information
  • Biometric Data
  • Passport Number
Notification beyond affected individual: Yes. Notify the Consumer Protection Section of the AG’s Office within 10 days of notifying residents.
Notification following: Discovery of a breach that has resulted in, or is reasonably believed to have resulted in, unauthorized acquisition of and access to PI.
Notification within: Most expedient time possible and without unreasonable delay.
Private cause of action: Yes.
Fines & penalties:
  • Failure to provide timely notice of a breach to the AG may be punishable by a fine not to exceed $5,000 per violation.
  • Each day notice is not received by the AG is a separate violation.
  • A civil action may be instituted to recover damages resulting from a failure to disclose.

Maine

Authority: Me. Rev. Stat. tit. 10, § 1346, et seq.
Who must comply: Individuals, businesses, gov’t agencies, and information brokers who:
  • Maintain PI
Personal information:
  • General Professional Information
  • Username + Password for any online account
Notification beyond affected individual: Yes. Notify the appropriate state regulator within the Dept. of Professional and Financial Regulation (entities not regulated by the Dept. give notice to the AG). If over 1,000 persons, notify national consumer reporting agencies.
Notification following: Investigation to determine the likelihood that PI has been or will be misused.
Notification within: As expediently as possible and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties:
  • A violation of the statute is a civil violation subject to one or more of the following: (1) a fine not to exceed $500 per violation, up to a maximum of $2,500 for each day the person is in violation (this does not apply to gov’t agencies); (2) equitable relief; or (3) an injunction against further violations.
  • Enforcement is by the appropriate state regulators within the Dept. of Professional and Financial Regulation or the AG.

Maryland

Businesses:
Authority: Md. Code, Com. Law § 14-3501, et seq.
Who must comply: Businesses who:
  • Own or license PI
Personal information:
  • General Professional Information
  • Taxpayer Identification Number
  • Health Insurance Information
  • Medical Information
  • Biometric Data
Notification beyond affected individual: Yes. Notify the AG (before notifying residents, and even if the investigation deems notification unnecessary); if over 1,000 residents, notify national consumer reporting agencies.
Notification following: Investigation to determine the likelihood that PI has been or will be misused.
Notification within: As soon as reasonably possible, but within 45 days.
Private cause of action: Yes.
Fines & penalties: A violation of the statute is an unfair or deceptive trade practice and is subject to the enforcement and penalties provided in Md. Code, Com. Law § 13-301, et seq.

Gov’t agencies:
Authority: Md. Code, State Gov’t § 10-1305, et seq.
Who must comply:
  • Any gov’t agency, department, board, commission, authority, public institution of higher education, public corporation, unit or instrumentality of the State, or political subdivision of the State that collects computerized data that includes PI
  • Any non-affiliated third party that maintains computerized data that includes PI (if the contract with the gov’t entity authorizes notification)
Personal information:
  • General Professional Information
  • Taxpayer Identification Number
  • Passport Number
Notification beyond affected individual: Yes. Notify the Office of the AG and the Dept. of Information Technology; if 1,000 or more individuals, also notify national consumer reporting agencies.
Notification following: An investigation to determine whether the unauthorized acquisition of PI has resulted or is likely to result in the misuse of the information.
Notification within: As soon as reasonably practicable after the investigation.
Private cause of action: Statute silent.
Fines & penalties: Statute silent.

Massachusetts

Authority: Mass. Gen. Laws ch. 93H, § 1, et seq.; 201 Mass. Code Regs. 17.01, et seq.
Who must comply: Individuals, businesses, and gov’t agencies who:
  • Own or license PI
Personal information:
  • General Professional Information
Notification beyond affected individual: Yes. Notify the AG and the Director of Consumer Affairs and Business Regulation. For a breach at an executive department agency, also notify the Information Technology Division and the Division of Public Records.
Notification following: When a person or agency (1) knows or has reason to know of a breach of security, or (2) knows or has reason to know that PI was acquired or used by an unauthorized person or used for an unauthorized purpose.
Notification within: As soon as practicable and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties:
  • AG may bring an action pursuant to Mass. Gen. Laws ch. 93A, § 4 for violations of the statute.
  • Penalties may include injunctive relief and civil penalties.

Michigan

Authority: Mich. Comp. Laws § 445.63; § 445.72
Who must comply: Individuals, businesses, and gov’t agencies who:
  • Own or license PI
Personal information:
  • General Professional Information
Notification beyond affected individual: Yes. If over 1,000 residents, notify national consumer reporting agencies.
Notification following: Discovery of a breach.
Notification within: Without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties:
  • A person that knowingly fails to provide any notice of a security breach is subject to a civil fine not to exceed $250 for each failure to provide notice, with aggregate liability not to exceed $750,000.
  • AG or a prosecuting attorney may bring an action to recover civil fines.

Minnesota

Individuals and businesses:
Authority: Minn. Stat. § 325E.61
Who must comply: Persons and businesses who:
  • Conduct business in MN and
  • Own or license PI
Personal information:
  • General Professional Information
Notification beyond affected individual: Yes. If over 500 residents, notify national consumer reporting agencies.
Notification following: Discovery of a breach.
Notification within: Most expedient time possible and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties: AG has enforcement powers.

Gov’t agencies:
Authority: Minn. Stat. § 13.01; § 13.05, et seq.
Who must comply: Gov’t agencies who:
  • Collect, create, receive, maintain, or disseminate private or confidential data on individuals
Personal information: See statute for definitions of:
  • Confidential data on individuals
  • Private data on individuals
Notification beyond affected individual: Yes. If over 1,000 residents, notify national consumer reporting agencies. Note: affected individuals must eventually be given a copy of the report detailing the breach.
Notification following: Discovery of a breach where private or confidential data was, or is reasonably believed to have been, acquired by an unauthorized person.
Notification within: Most expedient time possible and without unreasonable delay.
Private cause of action: Yes.
Fines & penalties:
  • Gov’t entity is deemed to have waived immunity.
  • Gov’t entity is subject to actual damages, costs, and attorney’s fees.
  • For willful violations, the gov’t entity shall be liable for exemplary damages of not less than $1,000 nor more than $15,000 for each violation.
  • Gov’t entity may also be enjoined from future violations.

Mississippi

Authority: Miss. Code Ann. § 75-24-29
Who must comply: Individuals and businesses who:
  • Conduct business in MS and
  • In the ordinary course of their business functions, own, license, or maintain PI
Personal information:
  • General Professional Information
Notification beyond affected individual: No.
Notification following: Breach of security where there is an unauthorized acquisition of PI that has not been rendered unreadable or unusable.
Notification within: Without unreasonable delay.
Private cause of action: No.
Fines & penalties: Failure to comply with the statute constitutes an unfair practice and shall be enforced by the AG.

Missouri

Authority: Mo. Rev. Stat. § 407.1500
Who must comply: Individuals, businesses, and gov’t agencies who:
  • Own or license PI
Personal information:
  • General Professional Information
  • Medical Information
  • Health Insurance Information
Notification beyond affected individual: Yes. If over 1,000 residents, notify the AG and national consumer reporting agencies.
Notification following: Unauthorized access to and unauthorized acquisition of PI that compromises the security, confidentiality, or integrity of the PI.
Notification within: Without unreasonable delay.
Private cause of action: No.
Fines & penalties: AG has exclusive authority to bring an action for actual damages for a willful and knowing violation and may seek a civil penalty not to exceed $150,000 per security breach or series of breaches of a similar nature (discovered in a single investigation).

Montana

Individuals and businesses:
Authority: Mont. Code Ann. § 30-14-1701, et seq.
Who must comply: Individuals and businesses who:
  • Conduct business in MT and
  • Own or license PI
Personal information:
  • General Professional Information
  • Passport Number
  • Medical Information
  • Taxpayer Identification Number
Notification beyond affected individual: No.
Notification following: Discovery of a breach where unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Notification within: Without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties: Statute silent.

Gov’t agencies:
Authority: Mont. Code Ann. § 2-6-501
Who must comply: State agencies, or third parties acting on behalf of state agencies, who:
  • Maintain PI
Personal information:
  • General Professional Information
  • Medical Information
  • Taxpayer Identification Number
Notification beyond affected individual: Yes. Simultaneously with the notification to affected individuals, send notification to Montana’s chief information security officer at the Dept. of Administration and to the AG’s consumer protection office.
Notification following: Discovery or notification of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Notification within: Without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties: Statute silent.

Nebraska

Authority: Neb. Rev. Stat. § 87-801, et seq.
Who must comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in NE and
  • Own or license PI
Personal information:
  • General Professional Information
  • Biometric Data
  • Username + Password for any online account
Notification beyond affected individual: No.
Notification following: An investigation and determination that PI was used, or is reasonably likely to be used, for an unauthorized purpose.
Notification within: As soon as possible and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties: AG may issue subpoenas and seek and recover direct economic damages for each affected resident injured by a violation of the statute.

Nevada

Authority: Nev. Rev. Stat. § 603A.010, et seq.
Who must comply: Businesses and gov’t agencies who:
  • Own or license PI
Personal information:
  • General Professional Information
  • Health Insurance Information
  • Medical Information
  • Username + Password for any online account
Notification beyond affected individual: Yes. If over 1,000 residents, notify national consumer reporting agencies.
Notification following: Breach of security where unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Notification within: Most expedient time possible and without unreasonable delay.
Private cause of action: Statute silent.
Fines & penalties: AG or a district attorney may bring an action to obtain a temporary or permanent injunction against a person who violates, proposes to violate, or has violated the statute.

New Hampshire

Authority: N.H. Rev. Stat. § 359-C:19, et seq.
Who must comply: Individuals, businesses, and gov’t agencies who:
  • Conduct business in NH and
  • Own or license PI
Note: For specific regulations concerning data breaches of school records, see N.H. Rev. Stat. § 189:66.
Personal information:
  • General Professional Information
Notification beyond affected individual: Yes. Notify the regulator that has primary authority over the specific trade or commerce (all others notify the AG’s office); if over 1,000 residents, notify national consumer reporting agencies.
Notification following: A determination of the likelihood that PI has been or will be misused.
Notification within: As soon as possible.
Private cause of action: Yes.
Fines & penalties:
  • A person may institute an action for actual damages and for equitable relief, including an injunction.
  • If the violation is willful or knowing, the court shall award as much as three times, but not less than two times, the amount of recovery.
  • AG shall have enforcement power.

New Jersey

Authority: N.J. Rev. Stat. § 56:8-161; § 56:8-163; § 56:8-166
Who must comply: Businesses and gov’t agencies who:
  • Conduct business in NJ, or
  • If a gov’t agency, compile or maintain records that include PI
Personal information:
  • General Professional Information
  • Username + Password for any online account
Notification beyond affected individual: Yes. Notify the Division of State Police in the Dept. of Law and Public Safety; if over 1,000 residents, notify national consumer reporting agencies.
Notification following: Discovery of a breach where a resident’s PI was, or is reasonably believed to have been, accessed by an unauthorized person.
Notification within: Most expedient time possible and without unreasonable delay.
Private cause of action: Statute silent, but see Holmes v. Countrywide Fin. Corp., No. 5:08-CV-00205-R, 2012 WL 2873892 (W.D. Ky. July 12, 2012).
Fines & penalties:
  • It is an unlawful trade practice to willfully, knowingly, or recklessly violate the statute.
  • AG may investigate breaches and impose penalties.

    New Mexico

    Authority: NM St § 57-12C, et seq.
    Who Must Comply: Persons who:
    • Own or license PI
    Personal Information:
    • General Professional Information
    • Biometric Data
    Notification Beyond Affected Individual: Yes: if over 1,000 New Mexico residents, notify AG and major consumer reporting agencies no later than 45 calendar days following discovery of the breach
    Notification Following: Discovery of a breach
    Notification Within: Most expedient time possible, but no later than 45 calendar days following discovery of the security breach
    Private Cause of Action: No
    Fines & Penalties:
    • Enforcement by AG only
    • For a knowing or reckless violation, the court may impose a civil penalty of the greater of $25,000 or, in the case of failed notification, $10.00 per instance of failed notification up to a maximum of $150,000

    New York

    Authority: N.Y. Gen. Bus. Law § 899-aa; N.Y. State Tech. Law § 208
    Who Must Comply: Persons and businesses who:
    • Conduct business in NY and
    • Own or license PI
    Personal Information:
    • General Professional Information
    • Biometric Data
    • Username + Password for any online account
    Notification Beyond Affected Individual: Yes: notify AG, Dept. of State, and Division of State Police; if over 5,000 residents, notify national consumer reporting agencies
    Notification Following: Any breach of a security system where PI was, or is reasonably believed to have been, acquired by a person without valid authorization
    Notification Within: Most expedient time possible and without unreasonable delay
    Private Cause of Action: Statute silent
    Fines & Penalties:
    • AG may bring action to enjoin and restrain violations
    • Court may award actual costs or losses incurred by an affected resident, including consequential financial losses
    • If a person or business knowingly or recklessly violates the statute, a civil penalty of the greater of the following: $5,000 or $20 per instance of failed notification (latter not to exceed $250,000)
    Note: Statute of limitations: an action must be commenced within 3 years immediately after the date of the act or the date of discovery of the act

    North Carolina

    Authority: N.C. Gen. Stat. § 75-61; § 75-65
    Who Must Comply: Businesses who:
    • Own or license PI
    Personal Information:
    • General Professional Information
    Notification Beyond Affected Individual: Yes: notify Consumer Protection Division of AG’s Office and, if over 1,000 persons, notify national consumer reporting agencies
    Notification Following: Discovery of a breach
    Notification Within: Without unreasonable delay
    Private Cause of Action: No, unless individual is injured as a result of the violation
    Fines & Penalties:
    • Violation of the statute is an unfair or deceptive act or practice (see N.C. Gen. Stat. § 75-1.1)
    • Civil penalties of up to $5,000 (see N.C. Gen. Stat. § 75-15.2)
    STATE | Authority | Who Must Comply | What is Personal Information? | Notification Required Beyond Affected Individual | When Must Notification Be Given (Following / Within) | Private Cause of Action | Fines & Penalties

    North Dakota

    Authority: N.D. Cent. Code § 51-30-01, et seq.
    Who Must Comply: Persons who:
    • Conduct business in ND and
    • Own or license PI
    Personal Information:
    • General Professional Information
    • Biometric Data
    • Signature
    • Passport Number
    • Taxpayer Identification Number
    • Date of Birth
    • Mother's Maiden Name
    • Medical Information
    • Health Insurance Information
    Notification Beyond Affected Individual: Yes: if over 250 people, notify the AG
    Notification Following: Discovery of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person
    Notification Within: Most expedient time possible and without unreasonable delay
    Private Cause of Action: Statute silent
    Fines & Penalties:
    • A violation of the statute is considered an unlawful deceptive practice or act (see N.D. Cent. Code § 51-15-01 et seq.)
    • AG has enforcement powers

    Ohio

    Individuals
    Authority: Ohio Rev. Code § 1349.19
    Who Must Comply: Individuals and businesses who:
    • Conduct business in OH and
    • Own or license PI
    Personal Information:
    • General Professional Information
    • Medical Information
    • Signature
    • Health Insurance Information
    • Date of Birth
    • Employer Identification Number
    Notification Beyond Affected Individual: Yes: if over 1,000 residents, notify all consumer reporting agencies
    Notification Following: Discovery of a breach where PI was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, where there is a reasonable belief of a material risk of identity theft or other fraud
    Notification Within: Most expedient time possible but not later than 45 days following discovery of the breach
    Private Cause of Action: Statute silent
    Fines & Penalties: AG has investigative powers and the right to bring a civil action against any person who fails to comply with the statute

    Gov't Agencies
    Authority: Ohio Rev. Code § 1347.12
    Who Must Comply: Any state agency or agency of a political subdivision that:
    • Owns or licenses PI
    Personal Information:
    • General Professional Information
    Notification Beyond Affected Individual: Yes: if over 1,000 residents, notify all consumer reporting agencies
    Notification Following: Discovery of any breach where PI was, or is reasonably believed to have been, accessed and acquired by an unauthorized person, if the access and acquisition by the unauthorized person causes or reasonably is believed to cause a material risk of identity theft or other fraud to a resident of this state
    Notification Within: Most expedient time possible but not later than 45 days following discovery of the breach
    Private Cause of Action: Statute silent
    Fines & Penalties: AG, pursuant to Ohio Rev. Code §§ 1349.191 and 1349.192, may conduct an investigation and bring a civil action upon an alleged failure by a state agency or agency of a political subdivision to comply with the requirements of this section

    Oklahoma

    Individuals
    Authority: Okla. Stat. tit. 24, § 161, et seq.
    Who Must Comply: Individuals, businesses, and gov’t agencies who:
    • Own or license PI
    Personal Information:
    • General Professional Information
    Notification Beyond Affected Individual: No
    Notification Following: Discovery of a breach where unencrypted and unredacted PI was, or is reasonably believed to have been, accessed and acquired by an unauthorized person and there is a reasonable belief that identity theft or fraud has occurred or will occur
    Notification Within: Without unreasonable delay
    Private Cause of Action: Statute silent
    Fines & Penalties:
    • A violation of the statute that results in injury or loss to residents constitutes an unlawful practice under the Oklahoma Consumer Protection Act and is enforceable by AG
    • AG may bring an action to obtain actual damages or a civil penalty not to exceed $150,000 per security breach or series of breaches of a similar nature discovered in a single investigation
    • A violation by a state-chartered or state-licensed financial institution is enforceable exclusively by the primary state regulator of the financial institution

    Gov't Agencies
    Authority: Okla. Stat. § 74-3113.1
    Who Must Comply: Any state agency or agency of a political subdivision that:
    • Owns or licenses PI
    Personal Information:
    • General Professional Information
    Notification Beyond Affected Individual: No
    Notification Following: Discovery or notification of a breach where PI is reasonably believed to have been acquired by an unauthorized person
    Notification Within: In the most expedient time possible and without unreasonable delay
    Private Cause of Action: Statute silent
    Fines & Penalties: Statute silent

    Oregon

    Authority: Or. Rev. Stat. § 646A.600; § 646A.602; § 646A.604; § 646A.624; § 646A.626
    Who Must Comply: Individuals, businesses, and gov’t agencies who:
    • Own PI and
    • Use PI in the course of the individual’s or entity’s business, vocation, occupation or volunteer activities
    Personal Information:
    • General Professional Information
    • Biometric Data
    • Medical Information
    • Health Insurance Information
    • Passport Number
    Notification Beyond Affected Individual: Yes: if over 250 individuals, notify AG; if over 1,000 residents, notify all national consumer reporting agencies
    Notification Following: Discovery of a breach, i.e., an unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of PI
    Private Cause of Action: Possibly, see Or. Rev. Stat. § 646A.624(4)
    Fines & Penalties:
    • Director of Dept. of Consumer & Business Protection may conduct an investigation
    • Director may issue a “cease and desist” order or require a person to pay compensation to injured individuals
    • Any person who violates, procures, aids, or abets a violation is subject to a civil penalty not to exceed $1,000 per violation and $500,000 total (each violation is a separate offense and each day is a separate violation)

    Pennsylvania

    Authority: 73 Pa. Stat. § 2301, et seq
    Who Must Comply: Individuals, businesses, and gov’t agencies who:
    • Maintain, store or manage PI
    Personal Information:
    • General Professional Information
    • Medical Information
    • Health Insurance Information
    • Username + Password for any online account
    Notification Beyond Affected Individual: Yes: if over 1,000 persons, notify national consumer reporting agencies
    Notification Following: Discovery of a security breach where unencrypted and unredacted PI was, or is reasonably believed to have been, accessed and acquired by an unauthorized person
    Notification Within: Without unreasonable delay
    Private Cause of Action: Statute silent
    Fines & Penalties: A violation of the statute is an unfair or deceptive act or practice, and AG has exclusive authority to bring an action

    Rhode Island

    Authority: 11 R.I. Gen. Laws § 11-49.2-1, et seq
    Who Must Comply: Individuals, businesses, and gov’t agencies who:
    • Own, maintain, or license PI
    Personal Information:
    • General Professional Information
    • Health Insurance Information
    • Medical Information
    • Username + Password for any online account
    Notification Beyond Affected Individual: No
    Notification Following: Discovery of a breach where PI is reasonably believed to have been acquired by an unauthorized person
    Notification Within: Most expedient time possible but no later than 45 days after the confirmation of the breach
    Private Cause of Action: Statute silent
    Fines & Penalties:
    • Each reckless violation: a penalty of not more than $100
    • Each knowing and willful violation: a penalty of not more than $200

    South Carolina

    Authority: S.C. Code Ann. § 39-1-90
    Who Must Comply: Persons who:
    • Conduct business in SC and
    • Own or license PI
    Personal Information:
    • General Professional Information
    Notification Beyond Affected Individual: Yes: if over 1,000 residents, notify Consumer Protection Division of the Dept. of Consumer Affairs and national consumer reporting agencies
    Notification Following: Discovery of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person and there is a material risk of harm to the resident
    Notification Within: Most expedient time possible and without unreasonable delay
    Private Cause of Action: Yes
    Fines & Penalties: A person who knowingly and willfully violates the statute is subject to a $1,000 administrative fine for each resident whose information was accessible by reason of the breach, with the total amount decided by the Dept. of Consumer Affairs

    South Dakota

    Authority: S.D. Codified Laws §§ 22-40-19 to 26
    Who Must Comply: Persons or businesses that:
    • Conduct business in SD and
    • Own or license computerized personal or protected information
    Personal Information:
    • General Professional Information
    • Health Insurance Information
    Notification Beyond Affected Individual: Yes: if over 250 people, notify the AG and all consumer reporting agencies
    Notification Following: Discovery of a breach if there is a reasonable belief that personal or protected information has been acquired by an unauthorized person
    Notification Within: No later than 60 days from discovery
    Private Cause of Action: Statute silent

    Tennessee

    Authority: Tenn. Code Ann. § 47-18-2107
    Who Must Comply: Individuals, businesses, and gov’t agencies who:
    • Conduct business in TN and
    • Own or license PI
    Personal Information:
    • General Professional Information
    Notification Beyond Affected Individual: Yes: if over 1,000 persons, notify national consumer reporting agencies
    Notification Following: Discovery of a breach where PI is reasonably believed to have been acquired by an unauthorized person
    Notification Within: Immediately, but no later than 45 days following the discovery of, or notification to the covered entity of, a security breach
    Private Cause of Action: Yes
    Fines & Penalties: Violations fall under the Tennessee Consumer Protection Act and are an unfair or deceptive act

    Texas

    Authority: Tex. Bus. & Com. Code § 521.002; § 521.053; § 521.151
    Who Must Comply: Persons who:
    • Conduct business in TX and
    • Own or license PI
    Personal Information:
    • General Professional Information
    • Medical Information
    • Health Insurance Information
    • Biometric Data
    • Mother's Maiden Name
    Notification Beyond Affected Individual: Yes: if over 10,000 persons, notify all national consumer reporting agencies; if over 250 residents, notify AG no later than 30 days after discovery of the breach
    Notification Within: Within 60 days after the breach is determined and without unreasonable delay
    Private Cause of Action: Statute silent
    Fines & Penalties:
    • Civil penalty of at least $2,000 but not more than $50,000 for each violation
    • AG may: (1) bring an action to recover the penalty, (2) file a TRO or (3) file a temporary or permanent injunction
    • Violator of § 521.053(b) is liable to the state for a civil penalty of not more than $100 for each individual to whom notification is due and for each consecutive day the person fails to comply
    • Civil penalties may not exceed $250,000 for all individuals to whom notification is due after a single breach
    • AG has enforcement power
    • For criminal penalties see Tex. Pen. Code § 33.02

    Utah

    Authority: Utah Code § 13-44-101; § 13-44-202; § 13-44-301
    Who Must Comply: Persons who:
    • Own or license PI
    Personal Information:
    • General Professional Information
    Notification Beyond Affected Individual: Yes: if 500 or more residents, notify AG and Utah Cyber Center; if 1,000 or more, notify all consumer reporting agencies
    Notification Following: An investigation to determine the likelihood that PI has been or will be misused for identity theft or fraud purposes
    Notification Within: Most expedient time possible and without unreasonable delay
    Private Cause of Action: No
    Fines & Penalties:
    • Enforcement by AG
    • Civil fine no greater than $2,500 for a violation or series of violations concerning a consumer, and no greater than $100,000 in the aggregate for related violations concerning multiple consumers
    • AG may also seek injunctive relief, and person may be liable for AG’s costs to investigate
    • Div. of Corporations & Commercial Code may revoke person’s authorization to do business in Utah if person does not pay AG’s costs

    Vermont

    Authority: Vt. Stat. Ann. tit. 9 § 2430; § 2435
    Who Must Comply: Businesses and gov’t agencies who:
    • Own or license PI
    Personal Information:
    • General Professional Information
    • Biometric Data
    • Medical Information
    • Health Insurance Information
    Notification Beyond Affected Individual: Yes: notify AG within 14 days; if regulated by Dept. of Financial Regulation, notify the dept; and if over 1,000 residents, notify all national consumer reporting agencies
    Notification Following: Discovery or notification of a breach
    Notification Within: In the most expedient time possible and without unreasonable delay, but not later than 45 days after discovery of the breach or notification
    Private Cause of Action: Statute silent
    Fines & Penalties: Dept. of Financial Regulation, AG, and the state's attorney have sole and full authority to investigate potential violations and to enforce, prosecute, obtain, and impose remedies

    Virginia

    Authority: Va. Code Ann. § 18.2-186.6
    Who Must Comply: Individuals, businesses, and gov’t agencies who:
    • Own or license PI
    Personal Information:
    • General Professional Information
    • Passport Number
    Notification Beyond Affected Individual: Yes: if over 1,000 persons, notify AG and national consumer reporting agencies
    Notification Following: A reasonable belief that unencrypted or unredacted PI was accessed and acquired by an unauthorized person which causes, or the individual or entity reasonably believes will cause, identity theft or fraud
    Notification Within: Without unreasonable delay
    Private Cause of Action: Yes
    Fines & Penalties: AG may impose a civil penalty not to exceed $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation

    Medical Information
    Authority: Va. Code Ann. § 32.1-127.1:05
    Who Must Comply: Gov’t agencies who:
    • Own or license medical information
    Personal Information:
    • Medical Information (see Va. Code § 32.1-127.1:05)
    Notification Beyond Affected Individual: Yes: notify AG and Commissioner of Health
    Notification Following: Unencrypted or unredacted medical information was, or is reasonably believed to have been, accessed and acquired by an unauthorized person
    Notification Within: Without unreasonable delay
    Private Cause of Action: Statute silent
    Fines & Penalties: Statute silent

    Washington

    Individuals
    Authority: Wash. Rev. Code § 19.255, et seq.
    Who Must Comply: Persons and businesses who:
    • Conduct business in WA and
    • Own or license PI
    Personal Information:
    • General Professional Information
    Notification Beyond Affected Individual: No
    Notification Following: Discovery of a breach
    Notification Within: Most expedient time possible and without unreasonable delay
    Private Cause of Action: Yes
    Fines & Penalties: Any business that violates, proposes to violate, or has violated the statute may be enjoined

    Gov't Agencies
    Authority: Wash. Rev. Code § 42.56.590, et seq
    Who Must Comply: Gov’t agencies who:
    • Own or license PI
    Personal Information:
    • General Professional Information
    • Medical Information
    • Passport Number
    • Biometric Data
    • Date of Birth
    • Health Insurance Information
    • Signature
    • Username + Password for any online account
    Notification Beyond Affected Individual: Yes: if more than 500 residents, must notify the AG no more than 30 days after the breach is discovered
    Notification Following: Discovery of a breach where PI was, or is reasonably believed to have been, acquired by an unauthorized person
    Notification Within: Most expedient time possible and without unreasonable delay, no more than 30 days after the breach was discovered
    Private Cause of Action: Yes
    Fines & Penalties: Any agency that violates or proposes to violate this section may be enjoined

    West Virginia

    Authority: W. Va. Code § 46A-2A-101, et seq
    Who Must Comply: Individuals, businesses, and gov’t agencies who:
    • Own or license PI
    Personal Information:
    • General Professional Information
    Notification Beyond Affected Individual: Yes: if over 1,000 persons, notify national consumer reporting agencies
    Notification Following: Discovery or notification of a breach where unencrypted and unredacted PI was, or is reasonably believed to have been, accessed and acquired by an unauthorized person and is reasonably likely to lead to identity theft or fraud
    Notification Within: Without unreasonable delay
    Private Cause of Action: Statute silent
    Fines & Penalties:
    • Failure to comply constitutes an unfair or deceptive act or practice, enforceable by AG
    • No civil penalty shall exceed $150,000 per breach or series of breaches of a similar nature that are discovered in a single investigation
    • Court must find that defendant engaged in a course of repeated and willful violations
    • Violation by a licensed financial institution shall be enforceable exclusively by the institution’s primary functional regulator

    Wisconsin

    Authority: Wis. Stat. § 134.98
    Who Must Comply: Businesses who:
    • Maintain or license PI in WI
    Personal Information:
    • General Professional Information
    • Biometric Data
    Notification Beyond Affected Individual: Yes: if over 1,000 persons, notify national consumer reporting agencies
    Notification Following: Business’ knowledge that PI in its possession has been acquired by an unauthorized person
    Notification Within: A reasonable time not to exceed 45 days
    Private Cause of Action: Statute silent
    Fines & Penalties: Statute silent

    Wyoming

    Authority: Wyo. Stat. Ann. § 40-12-501, et seq.
    Who Must Comply: Individuals and commercial entities who:
    • Conduct business in WY and
    • Own or license PI
    Personal Information:
    • General Professional Information
    • Username + Password for any online account
    • Medical Information
    • Healthcare Information
    • Biometric Data
    • Taxpayer Identification Number
    Notification Beyond Affected Individual: No
    Notification Following: An investigation to determine the likelihood that PI has been or will be misused
    Notification Within: As soon as possible, in the most expedient time possible and without unreasonable delay
    Private Cause of Action: Statute silent
    Fines & Penalties: AG may bring an action in law or equity to address any violation and for other relief that may be appropriate to ensure proper compliance, to recover damages, or both

    Disclaimer: This survey is current as of 5/2018. This material is made available for general informational purposes only. The field of insurance law is ever-evolving, and courts may change their views at any time. Readers are advised to independently verify the information contained herein. This material is not intended to, and does not constitute, legal advice, nor is it intended to constitute a solicitation for the formation of an attorney-client relationship. 

    For more information or questions on cyber risk strategies, please contact us at coverage@sdvlaw.com.

    Contact Us

    Our clients span a broad range and include individuals, non-profit institutions, universities, hospitals, municipalities, utilities, and corporations. No matter who you are or where you’re located, SDV is the right choice for policyholders.
