State Security Breach Notification Laws

46 out of 50 states plus the District of Columbia have compliance requirements if there is a security breach involving personal information

The landscape for CIOs and protection of personal information continues to become more complex as more states add breach notification laws. Currently forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

Each of these requirements needs to be reviewed, as the laws typically apply not only to enterprises that have "operations" in those states but also where the state's "residents" or "enterprises" are affected.

State Notification Laws

The graphic clearly depicts the magnitude of the current situation, and the table provided by The National Conference of State Legislatures includes links to the individual states. The Security Manual Template addresses each of these mandate requirements.

Alaska Alaska Stat. § 45.48.010 et seq.
Arizona Ariz. Rev. Stat. § 44-7501
Arkansas Ark. Code § 4-110-101 et seq.
California Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
Colorado Colo. Rev. Stat. § 6-1-716
Connecticut Conn. Gen. Stat. 36a-701b
Delaware Del. Code tit. 6, § 12B-101 et seq.
Florida Fla. Stat. § 817.5681
Georgia Ga. Code §§ 10-1-910, -911
Hawaii Haw. Rev. Stat. § 487N-2
Idaho Idaho Stat. §§ 28-51-104 to 28-51-107
Illinois 815 ILCS 530/1 et seq.
Indiana Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq.
Iowa Iowa Code § 715C.1
Kansas Kan. Stat. 50-7a01, 50-7a02
Louisiana La. Rev. Stat. § 51:3071 et seq.
Maine Me. Rev. Stat. tit. 10 §§ 1347 et seq.
Maryland Md. Code, Com. Law § 14-3501 et seq.
Massachusetts Mass. Gen. Laws § 93H-1 et seq.
Michigan Mich. Comp. Laws § 445.72
Minnesota Minn. Stat. §§ 325E.61, 325E.64
Mississippi 2010 H.B. 583 (effective July 1, 2011)
Missouri Mo. Rev. Stat. § 407.1500
Montana Mont. Code §§ 30-14-1704, 2-6-504
Nebraska Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
Nevada Nev. Rev. Stat. §§ 603A.010 et seq., 242.183
New Hampshire N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
New Jersey N.J. Stat. 56:8-163
New York N.Y. Gen. Bus. Law § 899-aa
North Carolina N.C. Gen. Stat. § 75-65
North Dakota N.D. Cent. Code § 51-30-01 et seq.
Ohio Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
Oklahoma Okla. Stat. § 74-3113.1 and § 24-161 to -166
Oregon Oregon Rev. Stat. § 646A.600 et seq.
Pennsylvania 73 Pa. Stat. § 2303
Rhode Island R.I. Gen. Laws § 11-49.2-1 et seq.
South Carolina S.C. Code § 39-1-90
Tennessee Tenn. Code § 47-18-2107, 2010 S.B. 2793
Texas Tex. Bus. & Com. Code § 521.03, Tex. Ed. Code 37.007(b)(5) (2011 H.B. 1224)
Utah Utah Code §§ 13-44-101, -102, -201, -202, -310
Vermont Vt. Stat. tit. 9 § 2430 et seq.
Virginia Va. Code § 18.2-186.6, § 32.1-127.1:05
Washington Wash. Rev. Code § 19.255.010, 42.56.590
West Virginia W.V. Code §§ 46A-2A-101 et seq.
Wisconsin Wis. Stat. § 134.98 et seq.
Wyoming Wyo. Stat. § 40-12-501 to -502
District of Columbia D.C. Code § 28-3851 et seq.

States with no security breach law: Alabama, Kentucky, New Mexico, and South Dakota.

The current version of this list can be found at http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx