Laws Governing Data Security and Privacy by State



Last Updated on May 22, 2019

December 18, 2018: 2017 MI H.B. 6405 (NS) – Recent amendments to the previously updated Michigan house bill. The amendment modifies the requirement to notify state regulators so that notice goes to the department of technology, management, and budget instead of the Attorney General. The amendment also creates two categories relating to the number of days required for notification – 45 days from discovery for covered entities that use a credit card payment processor or gateway in the conduct of their business, and 75 days from discovery for covered entities that do not use a credit card payment processor or gateway.

Statute
2017 MI H.B. 6405-06

Upon Discovery of Breach, Is Notice to State Regulators Required?
To department of technology, management, and budget if number of residents to notify exceeds 750.

Number of Days Required for Notification
To affected individuals – as expeditiously as possible and without unreasonable delay. A covered entity that uses a credit card payment processor or gateway in the conduct of its business should provide notice within 45 days. Any covered entity that does not should provide notice within 75 days.

To the department of technology, management, and budget – after notifying affected individuals and without unreasonable delay. A covered entity should provide notice within 45 days from the determination

Fines and/or Penalties
Not more than $2,000 for each violation, or not more than $5,000 per day for each consecutive day the covered entity fails to take reasonable action to comply. A person’s aggregate liability for civil fines for multiple violations related to the same breach shall not exceed $250,000.

Does Statute Provide for a Private Cause of Action?
No, the Attorney General has exclusive authority to bring an action to recover a civil fine.

December 3, 2018: 2019 MO H.B. 35 (NS) – proposed legislation in Missouri changing the notification time period from “immediately following discovery” to “within 30 days of the discovery.”

Statute
MO. REV. STAT. § 407.1500
2019 MO. H.B. 35 Proposed Legislation

Number of Days Required for Notification
To affected individuals – immediately following discovery of the breach.
Proposed legislation requires notice to consumers within 30 days of the discovery.
To Attorney General – without unreasonable delay

June 6, 2018: Colorado amends data breach law, to take effect September 1, 2018.

Statute
COLO. REV. STAT. §§ 6-1-716; 24-73-101, -103

Upon Discovery of Breach, Is Notice to State Regulators Required?
Yes, if notice to 500 or more residents is required

Number of Days Required for Notification
To affected individuals and the AG – in the most expedient time possible and without unreasonable delay, but no later than 30 days from breach determination

June 6, 2018: Arizona amends data breach law, to take effect August 1, 2018.

Statute
Renumbered to ARIZ. REV. STAT. ANN. § 18-551, -552

Upon Discovery of Breach, Is Notice to State Regulators Required?
Yes, if notice to more than 1000 individuals is required

Upon Discovery of Breach, Is Notice to Credit Agencies Required?
Yes, if notice to more than 1000 individuals is required

Number of Days Required for Notification
Notice must be provided within 45 days of breach determination

Fines and/or Penalties
Not to exceed the lesser of $10,000 per affected individual or the total amount of economic loss; maximum penalty of $500,000 per breach

May 3, 2018: Delaware amends data breach law.

Upon Discovery of Breach, Is Notice to State Regulators Required?
Yes, if notice to more than 500 residents is required

Number of Days Required for Notification
To affected individuals – without unreasonable delay but no later than 60 days after a determination of breach

March 24, 2018: Oregon amends data breach law.

Number of Days Required for Notification
To affected individuals and the Attorney General – in the most expeditious manner possible, without unreasonable delay but not later than 45 days

March 21, 2018: South Dakota enacts data breach notification law.