State Security Breach Notification Laws


46 out of 50 plus the District of Columbia have compliance requirement if there is a security breach with personal information

Compliance ManagementThe landscape for CIOs and protection of personal information continues to become more complex as more states add breach notification laws.  Currently forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.

Each of these requirements need to be reviewed as the laws typically apply to not only enterprises that have "operations" in those states but also if the state's "residents" or "enterprises" are affected.

Order Compliance Managment Kit

State Notification Laws

The graphic clearly depicts the magnitude of the current situation and the table provided by The National Conference of State Legislatures includes links to the individual states.The Security Manual Template address each of these mandate requirements.

  Alaska   Alaska Stat. § 45.48.010 et seq.
  Arizona   Ariz. Rev. Stat. § 44-7501
  Arkansas   Ark. Code § 4-110-101 et seq.
  California   Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82
  Colorado   Colo. Rev. Stat. § 6-1-716
  Connecticut   Conn. Gen Stat. 36a-701b
  Delaware   Del. Code tit. 6, § 12B-101 et seq.
  Florida   Fla. Stat. § 817.5681
  Georgia   Ga. Code §§ 10-1-910, -911
  Hawaii   Haw. Rev. Stat. § 487N-2
  Idaho   Idaho Stat. §§ 28-51-104 to 28-51-107
  Illinois   815 ILCS 530/1 et seq.
  Indiana   Ind. Code §§ 24-4.9 et seq., 4-1-11 et seq.
   Iowa   Iowa Code § 715C.1
  Kansas   Kan. Stat. 50-7a01, 50-7a02
  Louisiana   La. Rev. Stat. § 51:3071 et seq.
  Maine   Me. Rev. Stat. tit. 10 §§ 1347 et seq.
   Maryland   Md. Code, Com. Law § 14-3501 et seq.
   Massachusetts   Mass. Gen. Laws § 93H-1 et seq.
  Michigan   Mich. Comp. Laws § 445.72
  Minnesota   Minn. Stat. §§ 325E.61, 325E.64
   Mississippi   2010 H.B. 583 (effective July 1, 2011)
   Missouri   Mo. Rev. Stat. § 407.1500
  Montana   Mont. Code §§ 30-14-1704, 2-6-504
  Nebraska   Neb. Rev. Stat. §§ 87-801, -802, -803, -804, -805, -806, -807
  Nevada   Nev. Rev. Stat. §§  603A.010 et seq., 242.183
  New Hampshire   N.H. Rev. Stat. §§ 359-C:19, -C:20, -C:21
  New Jersey   N.J. Stat. 56:8-163
  New York   N.Y. Gen. Bus. Law § 899-aa
  North Carolina   N.C. Gen. Stat § 75-65
  North Dakota   N.D. Cent. Code § 51-30-01 et seq.
  Ohio   Ohio Rev. Code §§ 1347.12, 1349.19, 1349.191, 1349.192
  Oklahoma   Okla. Stat. § 74-3113.1 and § 24-161 to -166
  Oregon   Oregon Rev. Stat. § 646A.600 et seq.
  Pennsylvania   73 Pa. Stat. § 2303
  Rhode Island   R.I. Gen. Laws § 11-49.2-1 et seq.
  South Carolina    S.C. Code § 39-1-90
  Tennessee   Tenn. Code § 47-18-2107, 2010 S.B. 2793
  Texas   Tex. Bus. & Com. Code § 521.03, Tex. Ed. Code 37.007(b)(5) (2011 H.B. 1224)
  Utah   Utah Code §§  13-44-101, -102, -201, -202, -310
  Vermont   Vt. Stat. tit. 9 § 2430 et seq.
   Virginia    Va. Code § 18.2-186.6, § 32.1-127.1:05
  Washington   Wash. Rev. Code § 19.255.010, 42.56.590
  West Virginia    W.V. Code §§ 46A-2A-101 et seq.
  Wisconsin   Wis. Stat. § 134.98  et seq. 
  Wyoming   Wyo. Stat. § 40-12-501 to -502
  District of Columbia   D.C. Code § 28- 3851 et seq.

States with no security breach law: Alabama, Kentucky, New Mexico, and South Dakota. 

The current version of this can be found at http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx