State Data Breach Notification Laws - Overview of Requirements for Responding to a Data Breach

With the ever-changing complexity of state data breach notification laws, companies facing a data breach need resources that will help them understand the issues. The chart offers an overview of the similarities and differences in data breach laws adopted in 47 states and the District of Columbia. For example, laws may differ as to the information defined as “personal” or “sensitive” and the triggers for notification. Twenty states require that specific content be included in notices, and those requirements differ. In addition, twenty-one states impose obligations to notify certain state agencies in some or all cases. Because privacy is a politically popular topic for legislators, laws continue to evolve and change. Thus, it is important to confirm that no changes have been made to relevant laws whenever you deal with a data breach.

CRA = Consumer Reporting Agency (Experian, Equifax, TransUnion)

AG = State Attorney General

FTC = Federal Trade Commission

1. What Type of Personal Information Triggers a Breach Notification Obligation to Individuals?

Type of Personal Information

States

First name/initial and last name plus any of:

- Social Security number (SSN)

- Driver’s license number, state ID #

- Account number, credit or debit card number, in combination w/ any PIN, security code, access code, or password that would permit access to an individual’s financial account

Used by all states (except D.C.) with data breach laws [1]

(AK, AZ, AR, CA, CO, CT, DE, FL, GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MD, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OH, OK, OR, PA, RI, SC, TN, TX, UT, VT, VA, WA, WV, WI, WY)

MA – financial account number, or credit or debit card number, even without any required security code, access code, PIN or password, is reportable if associated with first name/initial and last name.

Name, phone number, or address plus SSN, driver’s license #, ID card #, credit or debit card #, or any other #, code, or combo that allows access to/use of individual’s account[2]

ADDITIONAL TYPES OF PERSONAL INFORMATION:

Type of Personal Information

States

Passwords, personal identification numbers, or other access codes for financial accounts when used with a first name/initial and last name

Account #, credit card #, or debit card # (alone) -- if information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised

Account passwords, PIN or other access codes (alone) -- if information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised

Driver’s license number, or state ID # (alone) -- if information compromised would be sufficient to perform or attempt to perform identity theft against the person whose information was compromised

Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account when used with a first name/initial and last name

Unique biometric data, such as a fingerprint, retina or iris image, or other unique representation of biometric data when used with a first name/initial and last name

IA, NE, NC, WI , WY

An individual’s DNA profile when used with a first name/initial and last name

An Individual or Employer Taxpayer Identification Number when used with a first name/initial and last name

User name or e-mail address plus a password or security question and answer that would permit access to an online account

Electronic identification numbers, electronic mail names or addresses, Internet account numbers, or Internet identification names when used with a first name/initial and last name

ID # assigned by individual’s employer when used with a first name/initial and last name

Digital or electronic signature when used with a first name/initial and last name

Date of birth when used with a first name/initial and last name

Mother’s maiden name when used with a first name/initial and last name

AR, CA, FL, MO, MT, ND, WY (if used in combination with first name/initial and last name)

TX (specifically the physical or mental health or condition of the individual)

VA (If used in combination with the first name/initial and last name and maintained by a state government entity)

Health Insurance Information

CA, FL, MO, ND, WY (if used in combination with first name/initial and last name)

VA (If used in combination with the first name/initial and last name and maintained by a state government entity)

GA (if information compromised would alone be sufficient to perform or attempt to perform identity theft against the person whose information was compromised)

IN (if SSN not encrypted or redacted)

ME (if information compromised would alone be sufficient to permit a person to fraudulently assume or attempt to assume identity of the person whose information was compromised)

Any other numbers or information that can be used to access a person's financial resources when used with a first name/initial and last name

Any elements that when not combined with a name would be sufficient to permit a person to commit identity theft

Dissociated data that, if linked, would constitute personal information, if the means to link the dissociated data is accessed in connection with access to the dissociated data.

Passport number or other United States issued identification number

Numbers or information issued by a governmental or regulatory entity that uniquely identify an individual

Tribal identification card

Federal or state government issued identification card

2. What Form of Data Triggers a Breach Notification Obligation to Individuals?[3]

Form of Data

State(s)

All states (except D.C. and OR) with data breach laws

(AK, AZ, AR, CA, CO, CT, DE, FL, GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MD, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OH, OK, PA, RI, SC, TN, TX, UT, VT, VA, WA, WV, WI, WY)

All states (except OR) with data breach laws

(AK, AZ, AR, CA, CO, CT, DE, D.C., FL, GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MD, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OH, OK, PA, RI, SC, TN, TX, UT, VT, VA, WA, WV, WI, WY)

Any Form (electronic, paper, etc.)

AK, HI, IA (if transferred to other medium from computerized form), MA, NC, SC, WA, WI

3. When Must Notice to Individuals be Given?

Timing to Notify Residents

States

Most expedient time possible and without unreasonable delay

AK, AZ, AR, CA, CO, CT, DE, D.C., GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OR, PA, RI, SC, TN, TX, UT, VA, WA, WY

NOTE : CA guidance document recommends notifying within 10 business days.

No later than 45 days after discovery of breach

As soon as reasonably practicable after discovery of breach

Within 30 days of breach (plus additional 15 days for good cause shown)

4. What Form of Notice is Permitted?

Form of Notification

States

All states with data breach laws.

(AK, AZ, AR, CA, CO, CT, DE, D.C., FL, GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MD, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OH, OK, OR, PA, RI, SC, TN, TX, UT, VT, VA, WA, WV, WI, WY)

(consistent w/ 15 U.S.C. § 7001)

AK, AZ, AR, CA, CO, CT, DE, D.C., FL, GA, HI, ID, IL, IN, IA, KS, KY, LA, ME, MD, MA, MI, MN, MS, MO, MT, NE, NV, NH, NJ, NY, NC, ND, OH, OK, OR, PA, RI, SC, TN, TX, UT, VT, VA, WA, WV, WY

Same states that permit written notice, except that WI permits notification “by a method the entity has previously employed to communicate with the subject of the personal information.”

AZ, CO, CT, DE, GA, ID, IN, MD, MS, MT, NE, OH, OK, SC, UT, VA, WV

HI, MO, NC, OR, VT (if contact is made directly with the affected persons)

MI (if notice is not given by use of a recorded message, and the recipient has expressly consented to receive notice by telephone; or if recipient has not expressly consented to receive notice by telephone, and notice by telephone does not result in a live conversation within 3 business days after initial attempt to provide telephone notice, then written or electronic notice is also provided)

NH, NY (if a log of each such notification is kept by the person or business who notifies affected persons)

PA (if the customer can be reasonably expected to receive it and the notice is given in a clear and conspicuous manner, describes the incident in general terms and verifies personal information but does not require the customer to provide personal information and the customer is provided with a telephone number to call or Internet Website to visit for further information or assistance)

Newspaper of general circulation

UT (but notice must be in accordance with Utah Code Section 45-1-101)

Substitute notice (consisting of email; conspicuous posting on website; AND notice to major statewide media) where cost > $250K, > 500,000 affected, or insufficient contact information

AR, CA, CT, FL, IL, IN, KY, LA, MA, MI, MN, MT, NV, NJ, NY, NC, ND, OH, SC, TN, TX, WA

Substitute notice (consisting of email; conspicuous posting on website; AND notice to major statewide media) with other cost/affected individual thresholds

- AK (cost > $150K, >300,000 affected)

- AZ, D.C., GA, OK, VA, WV (cost > $50K,

- CO (cost > $250K, >250,000 affected)

- DE and NE (cost >$75K, >100,000 affected)

- HI (cost >$100K, >200,000 affected)

- ID and RI (cost >$25K, >50,000 affected)

- IA and OR (cost >$250K, >350,000 affected)

- KS (cost >$100K, >5,000 affected)

- ME and NH (cost >$5K, >1,000 affected)

- MD and PA (cost >$100K, >175,000 affected)

- MS (cost > $5K, > 5,000 affected)

- MO (cost >$100K, >150,000 affected)

- VT (cost > $5K, > 5,000 affected)

- WY (cost > $10K for WY business or $250K

for others, > 10,000 affected for WY

businesses; 500,000 for others)

5. What Must Be Included in Breach Notices to Individuals Under Statute?[4]

States

Content Required

California

Notification must include:

  1. The name and contact information of the business.
  2. A list of the types of personal information believed to be breached.
  3. The date or estimated date of the breach, if known.
  4. Whether notification was delayed as a result of a law enforcement investigation.
  5. A general description of the incident.
  6. The toll free telephone numbers and addresses of the major credit reporting agencies if the breach exposed a social security number or a driver’s license or California identification card number.

Notification may include the following:

  1. Information about what the business has done to protect individuals whose information has been breached.
  2. Advice on steps that the person may take to protect themselves from the breach.

Effective January 1, 2015, companies that report a breach must provide free identity theft protection for 12 months. For a breach involving PI for an online account and no other PI, companies can comply with the notification requirement by providing notice in electronic or other form that directs affected person to change his/her password and security question or answer, or take other steps appropriate to protect the account and all other online accounts for which the person uses the same user name or email address and password or security question or answer.

Connecticut

The statute does not list required content, but the state Attorney General website specifies that any breach notification should include:

  1. Name of person reporting, name of business and contact information
  2. A list of the types of personal information that were or are reasonably believed to have been the subject of the breach
  3. A general description of the breach, including the date of the breach and the number of Connecticut residents affected
  4. Whether the notification was delayed because of a law enforcement investigation (if applicable).

Hawaii

  1. The incident in general terms.
  2. Type of PI subject unauthorized access and acquisition.
  3. General acts of the business to protect PI from further unauthorized access.
  4. Telephone number to call for information and assistance, if one exists.
  5. Advice to remain vigilant by reviewing account statements and monitoring free credit reports.

Illinois

Notification must include, but need not be limited to:

  1. The toll-free numbers and addresses for consumer reporting agencies.
  2. The toll-free number, address, and website address for the Federal Trade Commission.
  3. A statement that the individual can obtain information from these sources about fraud alerts and security freezes.

Notification shall not include information concerning the number of Illinois residents affected by the breach.

Iowa

  1. Description of the breach.
  2. Approximate date of the breach.
  3. Type of PI obtained as a result of the breach.
  4. Contact information for CRAs.
  5. Advice to report suspected ID theft to local law enforcement or AG.

Maryland

  1. To the extent possible, a description of the information acquired, including PI
  2. Contact info for the company (address, telephone number, and toll-free telephone number if maintained).
  3. Toll-free telephone numbers and addresses for CRAs.
  4. Toll-free telephone numbers, addresses, and websites for FTC and MD AG and statement that individual can obtain information from them on steps to avoid identity theft.

Massachusetts

  1. Individual’s right to obtain a police report.
  2. How to request a security freeze and information to be provided when requesting a security freeze.
  3. Required fees for CRAs.
  4. Notification must not describe the nature of the breach or number of residents affected.

Michigan

  1. The breach in general terms.
  2. Type of PI that is the subject of the unauthorized access or use.
  3. What the business has done to protect data from further security breaches.
  4. Telephone number where a notice recipient may obtain assistance or additional information.
  5. Remind notice recipients of the need to remain vigilant for ID theft and fraud.

Missouri

  1. The incident in general terms.
  2. Type of PI obtained.
  3. Telephone number for the business.
  4. Contact information for CRAs.
  5. Advice to remain vigilant by reviewing account statements and monitoring free credit reports.

Montana

If a business discloses a breach and gives notice to the individual that suggests, indicates, or implies that the individual may obtain a copy of the file on the individual from a CRA, then the business must coordinate with the CRA as to the timing, content, and distribution of the notice to the individual.

New Hampshire

  1. The incident in general terms.
  2. Approximate date of breach.
  3. Type of PI obtained.
  4. Telephone number for the business.

New York

  1. Contact information for the business.
  2. A description of the categories of information that were, or are reasonably believed to have been, acquired, including elements of PI.

North Carolina

  1. The incident in general terms.
  2. Type of PI subject to the unauthorized access and acquisition.
  3. General acts of the business to protect PI from further unauthorized access.
  4. Telephone number for the business.
  5. Advice to remain vigilant by reviewing account statements and monitoring free credit reports.
  6. Toll-free numbers and addresses for CRAs.
  7. Toll-free numbers, addresses, websites for FTC and NC AG with a statement that the individual can obtain information from these sources about preventing identity theft.

Oregon

  1. Description of the breach.
  2. Approximate date of the breach.
  3. Type of PI obtained as a result of the breach.
  4. Contact information for the business.
  5. Contact information for CRAs.
  6. Advice to report suspected identity theft to law enforcement, including the FTC.

Vermont

  1. The incident in general terms.
  2. Type of PI subject to the security breach.
  3. General acts of the business to protect PI from further security breach.
  4. Toll-free number to call for further information and assistance.
  5. Advice to remain vigilant by reviewing account statements and monitoring free credit reports.
  6. Approximate date of the security breach.

Virginia

  1. The incident in general terms.
  2. Type of PI that was subject to the unauthorized access and acquisition.
  3. General acts of the entity to protect the PI from further unauthorized access.
  4. Telephone number to call for further information and assistance, if one exists.
  5. Advice to remain vigilant by reviewing account statements and monitoring free credit reports.

Washington

  1. Name and contact information for the reporting entity.
  2. Types of personal information subject to the security breach.
  3. Toll-free numbers and addresses for CRAs

West Virginia

  1. To the extent possible, a description of information that was reasonably believed to have been accessed or acquired, including SSNs, driver’s licenses or state identification numbers and financial data.
  2. Telephone number or website to contact to learn: (A) what types of info the entity maintained about individuals; and (B) whether or not the entity maintained info about that individual.
  3. Toll-free contact numbers and addresses for CRAs and info on how to place a fraud alert or security freeze.

Wisconsin

Indicate that the entity knows of the unauthorized acquisition of PI pertaining to the individual.

Wyoming

  1. Types of PI reasonably believed to have been the subject of the breach.
  2. General description of the breach.
  3. Approximate date of the breach, if reasonably possible to determine at the time of notice.
  4. General actions taken to protect the system containing PI from further breaches.
  5. Advice to remain vigilant by reviewing account statements and monitoring credit reports.
  6. Whether notification was delayed as a result of law enforcement investigation.
  7. Toll-free number to contact the person collecting the data or his agent and from which the individual can obtain toll-free numbers and addresses for CRAs.

4. What States Require Notification to State Agencies?

State

State Agency(ies) Requiring

Notification & Agency Information

Threshold, Timing, and Specific Content to be Included In Notice

California

Threshold : If notice is given to >500 residents at one time.

Timing : None specified.

Specific Content : Must electronically submit a sample copy of the notification to residents, excluding any PI.

Connecticut

Threshold : None specified.

Timing : No later than when the affected residents are notified

Florida

Office of Attorney General

Department of Legal Affairs

Threshold : If notice is given to 500 or more residents

Timing : As expeditiously as possible, but no later than 30 days after determination of the breach or reason to believe a breach occurred. May receive an additional 15 days for good cause provided to the Dept. in writing.

To be provided upon request:

Hawaii

Office of Consumer Protection

Notify by U.S. Mail :

Office of Consumer Protection

Department of Commerce and Consumer Affairs

235 South Beretania Street, Suite 801

Honolulu, Hawaii 96813-2419

Threshold : If notice is given to >1,000 residents at one time

Timing : Without unreasonable delay.

Specific Content : None specified.

Indiana

Notify by U.S. Mail :

Consumer Protection Division

Office of the Indiana Attorney General

ATTN: Security Breach Notification

302 W. Washington St., 5th Floor

Indianapolis, IN 46204

Threshold : None specified.

Timing : Without unreasonable delay.

Specific Content : None specified.

Iowa

Consumer Protection Division

Notify by U.S. Mail :
1305 E. Walnut Street
Des Moines, IA 50319

Threshold : If > 500 residents affected.

Timing : Within 5 business days of notifying consumers.

Specific Content : None specified.

Louisiana

Consumer Protection Section of the Attorney General’s Office

Notify by U.S. Mail :

Office of the Attorney General

1885 North Third St.

Baton Rouge, LA 70802

Baton Rouge, LA 70804

Threshold : None specified.

Timing : Within 10 days of notice to LA residents.

Specific Content : Notice must be written and include names of all individuals affected by the breach.

Maine

Department of Professional and Financial Regulation (if regulated by the Department)

Notify by U.S. Mail :

Department of Professional & Financial Regulation
35 State House Station
Augusta, Maine 04333

Attorney General (if not regulated by the Department)

Notify by U.S. Mail :

Maine Attorney General

Attn: Consumer Protection Division

6 State House Station

Augusta, Maine 04333

Threshold : None specified.

Timing : None specified.

Maryland

Notify by U.S. Mail :

Office of the Attorney General

Attn: Security Breach Notification

200 St. Paul Place

Baltimore, MD 21202

Notify by Fax : (410) 576-6566

Attn: Security Breach Notification

Notify by E-mail : Idtheft@oag.state.md.us

Threshold : None specified.

Timing : Before notifying affected individuals.

Massachusetts

Director of Consumer Affairs and Business Regulation

Notify by U.S. Mail :

Massachusetts Office of the Attorney General

Public Information and Assistance Center

One Ashburton Pl.

Boston, MA 02108-1518

Office of Consumer Affairs and Business Regulation

10 Park Plaza, Suite 5170

Boston, MA 02116

Threshold : None specified.

Timing : As soon as practicable and without unreasonable delay.

· Detailed description of the incident.

· Number of MA residents affected.

· Steps taken relating to the incident.

· Steps to be taken subsequent to notification.

· Whether law enforcement is investigating.

· Name and contact information for the person whom the Office of the Attorney General may contact.

Sample letter available on website

Missouri

Notify by U.S. Mail :

Attorney General’s Office

Consumer Protection Unit

207 W. High St.
P.O. Box 899
Jefferson City, MO 65102

Threshold : If notice is given to > 1,000 residents at once

Timing : Without unreasonable delay.

Specific Content : Timing, distribution, and content of the notice to individuals.

Montana

Notify by U.S. Mail :

Office of Consumer Protection
P.O. Box 200151
Helena, MT 59620-0151

Threshold : None specified.

Timing : Simultaneously with notice to individuals.

New Hampshire

Notify by U.S. Mail :

New Hampshire Department of Justice

Office of the Attorney General
33 Capitol Street
Concord, NH 03301

Other State Regulatory Agencies:

Entities subject to the jurisdiction of the bank commissioner, the director of securities regulation, the insurance commissioner, the public utilities commission, the financial institutions and insurance regulators of other states, or federal banking or securities regulators who possess the authority to regulate unfair or deceptive trade practices shall notify the regulator with primary regulatory authority.

Threshold : None specified.

Timing : None specified.

New Jersey

Department of Law and Public Safety, Division of State Police

A breach of security can be reported to the New Jersey State Police 24 hours a day at: 609-963-6900

Threshold : None specified.

Timing : Before notifying affected individuals; quickly and without unreasonable delay.

Specific Content : None specified.

New York

Must notify the following three (3) agencies by fax or email:

Attorney General's Office :

Security Breach Notification

Consumer Frauds & Protection Bureau

120 Broadway - 3rd Floor

New York, NY 10271

New York State Division of State Police:

Security Breach Notification

New York State Intelligence Center

630 Columbia Street Ext

Latham, NY 12110

New York State Department of State Division of Consumer Protection:

Attn: Director of the Division of Consumer Protection

Security Breach Notification

99 Washington Avenue, Suite 650

Albany, NY 12231

Threshold : None specified.

Timing : None specified.

Specific Content : Notice made using New York State Information Security Breach and Notification Act Reporting form, available at: http://www.dhses.ny.gov/ocs/breach-notification/documents/Business-Data-Breach-Form.pdf

North Carolina

Consumer Protection Division of the Attorney General's Office

Notify by U.S. Mail :

Consumer Protection Division

NC Attorney General’s Office

9001 Mail Service Center

Raleigh, NC 27699-9001

Threshold : None specified.

Timing : Without unreasonable delay.

North Dakota

Notify by U.S. Mail :

Office of the Attorney General
Consumer Protection and Antitrust Division
Gateway Professional Center
1050 E. Interstate Ave., Suite 200
Bismarck, ND 58503-5574

Threshold : If notice is given to >250 residents at once

Timing : In the most expedient time possible and without unreasonable delay.

Specific Content : None specified.

South Carolina

Consumer Protection Division of the Department of Consumer Affairs

Notify by U.S. Mail :

RE: Security Breach Notification

South Carolina Department of Consumer Affairs

Columbia, SC 29250

Threshold : If notice is given to >1,000 residents at once

Timing : Without unreasonable delay.

Vermont

Notify by telephone, fax, or email:

Threshold : None specified.

Timing : Within 14 days of discovering the breach. However, 14 day preliminary notice need not be submitted if, prior to the date of the breach, owner has sworn in the form provided by the AG that it maintains written policies and procedures to maintain the security of PI and to respond to a breach in a manner consistent with VT law.

Virginia

Notify by U.S. Mail :

Computer Crime Section

Virginia Attorney General’s Office

900 East Main Street

Richmond, VA 23219

Threshold : None specified.

Timing : Without unreasonable delay.

Washington

Amendments to data breach notification law, which take effect July 24, 2015, require electronic notification.

Threshold : If notice is given to >500 residents at once

Timing : By the time notice is provided to consumers.

5. Other Notification Requirements

State(s)

Notice Requirements

Texas

Requires disclosure of a breach to all individuals (regardless of the state of residency) whose personal information is breached. If the individual is a resident of another state that requires breach notification, then the breach notification to that individual may be provided under that state’s law or under Texas’ law.

6. When is Notification to CRAs Required?

State(s)

Timing of Notification

Notice of Breach

Within 48 hours of discovering circumstances requiring notification.

If notification of breach is given to > 500 MN residents at once

AK, CO, D.C., FL, HI, IN, KS, KY, MD, ME, MI, MO, NC, NV, NJ, OH, OR, PA, SC, TN, VA, VT, WV, WI

Without unreasonable delay.

If notification of breach is given to > 1,000 state residents at once.

Without unreasonable delay.

If notification of breach is given to > 1,000 persons/consumers at a single time (persons do not all need to be state residents).

Without unreasonable delay.

If notification of breach is given to > 5,000 NY residents at once. Must notify as to timing, content and distribution of notices and approximate number of affected persons.

Without unreasonable delay.

If notification of breach is given to > 10,000 GA residents at once.

Without unreasonable delay.

If notification of breach is given to > 10,000 persons at once (persons do not all need to be state residents).

Contact Information for Three National CRAs:

EQUIFAX:

Contact Number: 866-510-4211

EXPERIAN:

Contact Number: 866-751-1323

TRANSUNION:

Contact Number: 800-719-1636

TransUnion Data Breach Reporting Hotline: 800-971-4307

This chart provides general information, and does not constitute legal advice regarding specific facts or circumstances. For more information on privacy and data security matters, please contact us:

Sheila Millar (+1 202.434.4143, millar@khlaw.com)

[1] Only Alabama, New Mexico and South Dakota do not have data breach notification laws. As described in Section 7, however, Texas law requires disclosure of a breach to all individuals whose personal information is affected, regardless of their place of residence.

[2] This definition of “personal information” and some of the other types of personal information described in this chart that trigger the breach notification requirement is similar to the definition of “sensitive customer information” under the Gramm-Leach-Bliley (GLB) Act. That term is defined in the GLB Act as a customer's name, address, or telephone number, plus a SSN, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. It also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number.

[3] Obligation to notify applies generally to businesses that own or license personal information of resident of the state except GA, where law applies to information brokers or a person or business who maintains such data on behalf of an information broker.

[4] AG or other approval prior to or simultaneously with notifying affected individuals is required in some states. See Section 6.