Select a state below to see its data breach legislation.
ALASKA STAT. §§ 45.48.010, – .090
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General Only
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if more than 1,000 state residents are notified
Number of Days Required for Notification
To affected individuals – In the most expeditious time possible and without unreasonable delay
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
$500 for each state resident. Total penalty may not exceed $50,000.
Does Statute Provide for a Private Cause of Action?
Yes
Ariz. Rev. Stat. Ann. § 18-545
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – in the most expedient manner possible and without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $10,000 per breach
Does Statute Provide for a Private Cause of Action?
No
Ark. Code Ann. §§ 4-110-101, – 108
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – in the most expedient time and manner possible and without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $10,000 per violation
Does Statute Provide for a Private Cause of Action?
No
Cal. Civ. Code §§ 1798.29, 1798.80 – .84
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General Only, if notice to more than 500 residents is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
$500 per violation or $3,000 for a willful, intentional or reckless violation
Does Statute Provide for a Private Cause of Action?
Yes
COLO. REV. STAT. §§ 6-1-713, 6-1-716
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 Colorado residents is required
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
None
Does Statute Provide for a Private Cause of Action?
No
CONN. GEN. STAT. § 36A-701B
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General Only
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals –without unreasonable delay but not later than 90 days after the discovery of such breach, unless a shorter time is required under federal law
To Attorney General – not later than the time when notice is provided to the resident
Law Enforcement Delay?
Yes, otherwise notice must be provided no later than 90 days after discovery of breach
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $5,000 per violation
Does Statute Provide for a Private Cause of Action?
No
DEL. CODE ANN. tit. 6, §§ 12B-101 – 104
Upon Discovery of Breach, Is Notice to State Regulators Required?
Yes, if notice to more than 500 residents is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – without unreasonable delay but no later than 60 days after a determination of breach
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
None
Does Statute Provide for a Private Cause of Action?
Yes
D.C. CODE §§ 28-3851 – 3853
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – the most expedient time possible and without unreasonable delay
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
No
Fines and/or Penalties
Not more than $100 per violation (each failure to provide a notification shall constitute a separate violation)
Does Statute Provide for a Private Cause of Action?
Yes
FLA. STAT. §§ 501.171, 282.318
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the Department of Legal Affairs, if 500 residents are affected by breach or To the Agency for State Technology, if covered entity is a state agency
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals and Attorney General – as expeditiously as practicable and without unreasonable delay, but no later than 30 days after the determination of a breach or reason to believe a breach occurred
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
$1,000 per day for the first 30 days following any violation and $50,000 for each subsequent 30-day period for up to 180 days
If violation continues for more than 180 days, the penalty is an amount not to exceed $500,000
Does Statute Provide for a Private Cause of Action?
No
O.C.G.A. §§ 10-1-910 – 915, 46-5-214
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 10,000 residents is required
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data and Telephone Records
Encryption Safe Harbor?
Yes
Fines and/or Penalties
$0 for a data breach; $100 for a failure of a credit reporting agency to implement a consumer-requested security freeze
Does Statute Provide for a Private Cause of Action?
Yes
GUAM CODE ANN. tit. 9, §§ 48.10 – .80
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $150,000 per breach of the security system
Does Statute Provide for a Private Cause of Action?
No
HAW. REV. STAT. §§ 487N-1, – 7
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the Office of Consumer Protection, if notice to more than 1,000 individuals is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals, the Office of Consumer Protection, and credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $2,500 per violation
Does Statute Provide for a Private Cause of Action?
Yes
IDAHO CODE ANN. §§ 28-51-104 – 107
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General, if covered entity is a public agency
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
To Attorney General – within 24 hours of awareness of breach
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $25,000 per violation
Does Statute Provide for a Private Cause of Action?
No
815 ILL. COMP. STAT. 530/1 – /50
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General, if covered entity is a state agency and notice to more than 250 residents is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if covered entity is a state agency and notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
To Attorney General – within 45 days of the state agency’s discovery of the security breach or when the state agency provides notice to affected individuals
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
$100 per individual (not to exceed $50,000)
Does Statute Provide for a Private Cause of Action?
Yes
IND. CODE §§ 4-1-11-1 – 10, 24-4.9-1-1 – 5-1
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General Only (No, if covered entity is a state agency)
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals, Attorney General, credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No (Yes, if covered entity is a state agency)
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $150,000 per violation
Does Statute Provide for a Private Cause of Action?
No
IOWA CODE §§ 715C.1, – .2
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General Only, if notice to more than 500 Iowa residents is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – in the most expeditious manner possible and without unreasonable delay
To Attorney General – within 5 days of providing notice to consumer
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $40,000 per violation
Does Statute Provide for a Private Cause of Action?
No
KAN. STAT. ANN. §§ 50-7A01 – 02
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
None
Does Statute Provide for a Private Cause of Action?
No
KY. REV. STAT. ANN. §§ 365.720 – .734, 61.931-.934
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the Attorney General and if breach involves a public agency to the commissioner of the Kentucky State Police, the Auditor of Public Accounts, and the Attorney General if the breach involves a public agency
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – In the most expedient time possible and without unreasonable delay
To credit agencies – without unreasonable delay
To Attorney General and regulators – as soon as possible, but within seventy-two (72) hours of determination or notification of the security breach
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
None
Does Statute Provide for a Private Cause of Action?
Yes
LA. REV. STAT. ANN. §§ 51:3071 – 3077, 40:1173.1-.6, LA. ADMIN. CODE tit. 16, pt. III, § 701
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General Only
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
To Attorney General – within ten (10) days of distribution of notice to Louisiana citizens
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No (Yes, if covered entity is the Department of Health)
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $5,000 per violation (each day notice is not received by the Attorney General shall be deemed a separate violation)
Does Statute Provide for a Private Cause of Action?
Yes
ME. REV. STAT. ANN. tit. 10, §§ 1346 – 1350-B
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the appropriate state regulators within the Department of Professional and Financial Regulators or if the person is not regulated to the Attorney General
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – as expediently as possible and without unreasonable delay
To credit agencies – without unreasonable delay
To regulators or Attorney General – when notice of a breach of the security system is required
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $500 per violation, up to a maximum of $2,500 for each day the person is in violation of this chapter.
Does Statute Provide for a Private Cause of Action?
No
MD. CODE ANN. COM. LAW §§ 14-3501 – 3508, MD. CODE ANN. STATE GOV’T §§ 10-1301 – 1308
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General and if breach involves a public agency to the Department of Informational Technology
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – as soon as practicable after the business conducts the required investigation
To credit agencies – without unreasonable delay
To Attorney General and/or Department of Information Technology – prior to giving notification to consumer
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
$1,000 for first violation, a subsequent repeat violation results in fine of not more than $5,000 for each subsequent violation
Does Statute Provide for a Private Cause of Action?
Yes
MASS. GEN. LAWS ch. 93H, §§ 1 – 6
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General and the director of consumer affairs and business regulation
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes
Number of Days Required for Notification
To affected individuals, credit agencies, Attorney General and director of consumer affairs and business regulation – as soon as practicable and without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $5,000 for each violation, or $10,000 for violating an injunction entered pursuant to an enforcement action
Does Statute Provide for a Private Cause of Action?
No
2017 MI H.B. 6405-06
Upon Discovery of Breach, Is Notice to State Regulators Required?
To department of technology, management, and budget if number of residents to notify exceeds 750.
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – as expeditiously as possible and without unreasonable delay. A covered entity that uses a credit card payment processor or gateway in the conduct of its business should provide notice within 45 days. An covered entity that does not should provide notice within 75 days.
To the department of technology, management, and budget – after notifying affected individuals and without unreasonable delay. A covered entity should provide notice within 45 days from the determination
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $2,000 for each violation, or not more than $5,000 per day for each consecutive day the covered entity fails to take reasonable action to comply. A person’s aggregate liability for civil fines for multiple violations related to the same breach shall not exceed $250,000.
Does Statute Provide for a Private Cause of Action?
No, the Attorney General has exclusive authority to bring an action to recover a civil fine.
MINN. STAT. §§ 13.055, 325E.61, 325E.64
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 500 individuals is required
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
To credit agencies – within 48 hours
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not to exceed $25,000
Does Statute Provide for a Private Cause of Action?
Yes
MISS. CODE ANN. § 75-24-29
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $10,000 per violation
Does Statute Provide for a Private Cause of Action?
No
MO. REV. STAT. § 407.1500
2019 MO. H.B. 35 Proposed Legislation
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General, if notice to more than 1,000 individuals is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – immediately following discovery of the breach.
Proposed legislation requires notice to consumers within 30 days of the discovery.
To Attorney General – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $150,000 per breach
Does Statute Provide for a Private Cause of Action?
No
MONT. CODE ANN. §§ 2-6-1503, 30-14-1701 – 1736, 33-19-321
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General and if breach involves a state agency to the State’s Chief Information Officer at the Department of Administration
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
If notice is provided to any resident and the notice suggests, indicates or implies that the resident may obtain a copy of their consumer report, entity must coordinate with consumer report agency as to timing, content and distribution of notice
Number of Days Required for Notification
To affected individuals – without unreasonable delay
To credit agencies – the business shall coordinate with agency as to timing of notice to individual. Coordination may not unreasonably delay notice to affected individuals
To Attorney General and State’s Chief Information Officer – simultaneously
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No (Yes, if covered entity is a licensee or insurance-support organization)
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $10,000 per violation
Does Statute Provide for a Private Cause of Action?
No
NEB. REV. STAT. §§ 87-801 – 807
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General Only
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – as soon as possible and without unreasonable delay
To Attorney General– not later than the time when notice is provided to the Nebraska resident
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
None
Does Statute Provide for a Private Cause of Action?
No
NEV. REV. STAT. §§ 603A.010 – .920, 242.183
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
None
Does Statute Provide for a Private Cause of Action?
No, but Attorney General may bring an action to obtain a temporary or permanent injunction against violations of the breach notification statute.
Further, a data collector that provides the requisite breach notification may commence an action for damages against a person that unlawfully obtained information or benefited from a breach.
N.H. REV. STAT. ANN. §§ 359-C:19 – :21, 189:66
Upon Discovery of Breach, Is Notice to State Regulators Required?
To regulator which has primary regulatory authority over such trade or commerce if engaged in trade or commerce that is subject to jurisdiction of bank commissioner, director of securities regulation, insurance commission, public utilities commission. All others to the Attorney General
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – as soon as possible
To credit agencies – without unreasonable delay
To Attorney General and/or regulators – prior to giving notice to individuals
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No (Yes, if covered entity is the Department of Education)
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $10,000 per violation, and no less than double and no more than treble damages in private actions upon finding of willful violation
Does Statute Provide for a Private Cause of Action?
Yes
N.J. STAT. ANN. §§ 56:8-161 – 166
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the Division of State Police in the Department of Law and Public Safety
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
To credit agencies – without unreasonable delay
To police – in advance of the disclosure to the customer
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Yes (Under New Jersey Consumer Protection Act)
Does Statute Provide for a Private Cause of Action?
Yes (Under New Jersey Consumer Protection Act; N.J. STAT. ANN. § 56:8-2.11)
H.B. 15 (signed by governor on April 6, 2017, law is effective as of June 16, 2017)
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General, if notice to more than 1,000 individuals is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals, credit agencies and Attorney General – in the most expedient time possible, but not later than 45 calendar days following discovery
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Penalty of the greater of $25,000 or in the case of failed notification $10 per failed notification up to a maximum of $150,000
Does Statute Provide for a Private Cause of Action?
Yes
N.Y. GEN. BUS. LAW § 899-AA, N.Y. STATE TECH. LAW §§ 201 – 208
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General and the Department of State and the Division of State Police
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 5,000 individuals is required
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
To credit agencies , Attorney General and Department of State and State Police – without delaying notice to affected New York residents
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $5,000 or up to $10 per instance of failed notification up to a maximum of $150,000, for knowing or reckless violations
Does Statute Provide for a Private Cause of Action?
Yes
N.C. GEN. STAT. §§ 75-60 – 66
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General Only
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals, credit agencies and Attorney General- without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $5,000 per violation
Does Statute Provide for a Private Cause of Action?
Yes, if an individual has been injured
N.D. CENT. CODE §§ 51-30-01 – 07
Upon Discovery of Breach, Is Notice to State Regulators Required?
To Attorney General, if notice to more than 250 individuals is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals and Attorney General – in the most expedient time possible and without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $5,000 per violation
Does Statute Provide for a Private Cause of Action?
Yes
OHIO REV. CODE ANN. §§ 1347.12, 1349.19 – .192
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – in the most expedient time possible but no later than 45 days
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
After 60 days of non-compliance, $1,000 per day for first the 60 days, and $5,000 per day from day 61. After 90 days of non-compliance $1,000 per day for first the 60 days, $5,000 per day for days 61 through 90, and $10,000 per day from day 91.
Does Statute Provide for a Private Cause of Action?
No
OKLA. STAT. tit. 74, § 3113.1, tit. 24, §§ 161 – 166
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes, if a state agency identifies a breach; No, if an individual or business identifies a breach
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $150,000 per breach or series of breaches of a similar nature that are discovered in a single investigation
Does Statute Provide for a Private Cause of Action?
No
OR. REV. STAT. §§ 646A.600 – .628
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the Attorney General, if notice to more than 250 individuals is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals and the Attorney General – in the most expeditious manner possible, without unreasonable delay but not later than 45 days
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
$1,000 per (each violation is a separate offense and, in the case of a continuing violation, each day’s continuance is a separate violation) with a maximum penalty not to exceed $500,000
Does Statute Provide for a Private Cause of Action?
Yes (implicitly authorized)
73 PA. STAT. ANN. §§ 2301 – 2329
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals and credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
$1,000 per willful violation, $3,000 per willful violation if consumer is 60 or older
Does Statute Provide for a Private Cause of Action?
No
P.R. LAWS ANN. tit. 10, §§ 4051 – 4055
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the Department of Consumer Affairs (or to the Citizen’s Advocate Office if the covered entity is a government agency or public corporation)
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – As expeditiously as possible
To the Department of Consumer Affairs – within a non-extendable term of ten days
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Between $500 and $5,000 for each violation
Does Statute Provide for a Private Cause of Action?
Yes
R.I. GEN. LAWS §§ 11-49.3-1 – .3-6
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the Attorney General, if notice to more than 500 individuals is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 500 individuals is required
Number of Days Required for Notification
To affected individuals – in the most expedient time possible, but no later than 45 calendar days
To the Attorney General and credit agencies – without delaying notice to affected Rhode Island residents
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
$100 per record for reckless violations; $200 per record for knowing and willful violations
Does Statute Provide for a Private Cause of Action?
No
S.C. CODE ANN. §§ 39-1-90, 1-11-490
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the Consumer Protection Division of the Department of Consumer Affairs if notice to more than 1,000 individuals is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
To the Consumer Protection Division of the Department of Consumer Affairs and credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
$1,000 per resident for knowing and willful violations
Does Statute Provide for a Private Cause of Action?
Yes
2018 S.D. S.B. 62 (Signed by the Governor 3/21/18, effective July 1, 2018)
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the Attorney General if notice to more than 250 individuals is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes
Number of Days Required for Notification
To affected individuals – not later than 60 days from the discovery or notification of the breach
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $10,000 per day per violation
Does Statute Provide for a Private Cause of Action?
No
TENN. CODE ANN. §§ 47-18-2101 – 2111, 8-4-119
Upon Discovery of Breach, Is Notice to State Regulators Required?
No (Yes, to the Office of the Comptroller of the Treasury, if covered entity is a state agency)
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – immediately, but no later than 45 days
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
The greater of $10,000; $5,000 per day for each day that a person’s identity has been assumed, or 10 times the amount obtained or attempted to be obtained by the person using the identity theft
Does Statute Provide for a Private Cause of Action?
Yes
TEX. BUS. & COM. CODE ANN. §§ 521.001 – .152, TEX. EDUC. CODE ANN. § 37.007(B)(5)
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 10,000 individuals is required
Number of Days Required for Notification
To affected individuals – as quickly as possible
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
At least $2,000 but no more than $50,000 for each violation, plus, if a person fails to take reasonable action to comply with the individual notice requirement, not more than $100 for each individual to whom notification is due for each consecutive day that person fails to comply, not exceeding $250,000 for all individuals to whom notification is due after a single breach
Does Statute Provide for a Private Cause of Action?
Yes, to declare an individual a victim of identity theft
UTAH CODE ANN. §§ 13-44-101 – 301, 53E-9-304
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – in the most expedient time possible without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No (Yes, if student’s data is breached, by the covered education entity)
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $2,500 for a violation or series of violations concerning a specific consumer, and no greater than $100,000 in the aggregate for related violations concerning more than one consumer
Does Statute Provide for a Private Cause of Action?
No
VT. STAT. ANN. tit. 9, §§ 2430 – 2445
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the Attorney General (or to the Department of Financial Regulation if the covered entity is regulated by that department)
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay, but not later than 45 days
To the Attorney General – within 14 business days
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $10,000 for each violation
Does Statute Provide for a Private Cause of Action?
No
VA. CODE ANN. §§ 18.2-186.6, 32.1-127.1:05
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the Attorney General (and to the Commissioner of Health if medical information was acquired)
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals, the Attorney General, and credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $150,000 per breach of the security of the system or a series of breaches of a similar nature that are discovered in a single investigation
Does Statute Provide for a Private Cause of Action?
Yes
V.I. CODE ANN. tit. 14, §§ 2200 – 2212
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
Yes
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
None
Does Statute Provide for a Private Cause of Action?
Yes
WASH REV. CODE §§ 19.255.010 – .020, 42.56.590
Upon Discovery of Breach, Is Notice to State Regulators Required?
To the Attorney General, if notice to more than 500 individuals is required
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals and the Attorney General – in the most expedient time possible and without unreasonable delay, no more than 45 calendar days
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $2,000 for each violation
Does Statute Provide for a Private Cause of Action?
Yes
W. VA. CODE §§ 46A-2A-101 – 105
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals and credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $150,000 per breach of security of the system or series of breaches of a similar nature that are discovered in a single investigation for repeated and willful violations
Does Statute Provide for a Private Cause of Action?
No
WIS. STAT. §§ 134.97 – .98
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1,000 individuals is required
Number of Days Required for Notification
To affected individuals – within a reasonable time, not to exceed 45 days
To credit agencies – without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Both
Encryption Safe Harbor?
Yes
Fines and/or Penalties
Not more than $1,000 per violation
Does Statute Provide for a Private Cause of Action?
Yes
WYO. STAT. ANN. §§ 40-12-501 – 509
Upon Discovery of Breach, Is Notice to State Regulators Required?
No
Upon Discovery of Breach, Is Notice to Credit Agencies Required?
No
Number of Days Required for Notification
To affected individuals – in the most expedient time possible and without unreasonable delay
Law Enforcement Delay?
Yes
Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm?
No
Does Statute Cover Electronic Data, Paper Records, or Both?
Electronic Data
Encryption Safe Harbor?
Yes
Fines and/or Penalties
None
Does Statute Provide for a Private Cause of Action?
Yes, to declare an individual a victim of identity theft
Last Updated on May 22, 2019
December 18, 2018: 2017 MI H.B. 6405 (NS) – Recent amendments to the previously updated Michigan house bill. The amendment modifies the requirement to notify state regulators to include the department of technology, management, and budget, instead of the Attorney General. The amendment also creates two categories relating to the number of days required for notification – 45 days from discovery for covered entities that use a credit card payment processor or gateway in the conduct of its business, and 75 days from discovery for covered entities that do not use a credit card payment processor or gateway.
Statute
2017 MI H.B. 6405-06Upon Discovery of Breach, Is Notice to State Regulators Required?
To department of technology, management, and budget if number of residents to notify exceeds 750.Number of Days Required for Notification
To affected individuals – as expeditiously as possible and without unreasonable delay. A covered entity that uses a credit card payment processor or gateway in the conduct of its business should provide notice within 45 days. Any covered entity that does not should provide notice within 75 days.To the department of technology, management, and budget – after notifying affected individuals and without unreasonable delay. A covered entity should provide notice within 45 days from the determination
Fines and/or Penalties
Not more than $2,000 for each violation, or not more than $5,000 per day for each consecutive day the covered entity fails to take reasonable action to comply. A person’s aggregate liability for civil fines for multiple violations related to the same breach shall not exceed $250,000.Does Statute Provide for a Private Cause of Action?
No, the Attorney General has exclusive authority to bring an action to recover a civil fine.
December 3, 2018: 1. 2019 MO H.B. 35 (NS) – proposed legislation in Missouri changing the notification time period from “immediately following discovery” to “within 30 days of the discovery.”
Statute
MO. REV. STAT. § 407.1500
2019 MO. H.B. 35 Proposed LegislationNumber of Days Required for Notification
To affected individuals – immediately following discovery of the breach.
Proposed legislation requires notice to consumers within 30 days of the discovery.
To Attorney General – without unreasonable delay
June 6, 2018: Colorado amends data breach law, to take effect September 1, 2018.
Statute
COLO. REV. STAT. §§ 6-1-716; 24-73-101, -103Upon Discovery of Breach, Is Notice to State Regulators Required?
Yes, if notice to 500 or more residents is requiredNumber of Days Required for Notification
To affected individuals and the AG – in the most expedient time possible and without unreasonable delay, but no later than 30 days from breach determination
June 6, 2018: Arizona amends data breach law, to take effect August 1, 2018.
Statute
Renumbered to ARIZ. REV. STAT. ANN. § 18-551, -552Upon Discovery of Breach, Is Notice to State Regulators Required?
Yes, if notice to more than 1000 individuals is requiredUpon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1000 individuals is requiredNumber of Days Required for Notification
Notice must be provided within 45 days of breach determinationFines and/or Penalties
Not to exceed the lesser of $10,000 per affected individual or the total amount of economic loss; maximum penalty of $500,000 per breach
May 3, 2018: Delaware amends data breach law.
Upon Discovery of Breach, Is Notice to State Regulators Required?
Yes, if notice to more than 500 residents is requiredNumber of Days Required for Notification
To affected individuals – without unreasonable delay but no later than 60 days after a determination of breach
March 24, 2018: Oregon amends data breach law.
Number of Days Required for Notification
To affected individuals and the Attorney General – in the most expeditious manner possible, without unreasonable delay but not later than 45 days
March 21, 2018: South Dakota enacts data breach notification law. (Use the Drop-Down Menu above to view South Dakota’s data breach law.)
