Laws Governing Security and Privacy U.S. Jurisdictions at a Glance
State Statute Year Statute Adopted or Significantly Revised Alabama* ALA. INFORMATION TECHNOLOGY POLICY (applicable to certain Executive Branch agencies only), 2016 ALA. S.B. NO. 238 (proposed legislation status: proposed on Feb. 16, 2016) Alaska ALASKA STAT Arizona ARIZ. REV. STAT. ANN Arkansas ARK. CODE ANN California CAL. CIV. CODE , , CAL. HEALTH & SAFETY CODE
Updated May 10, 2016 BY GAVRILA BROTZ & JAMIE BIGAYER
Upon Discovery of Breach, Is Notice to State Attorney General Required? 2012, if an Executive Branch agency;, under proposed legislation, if a suffers a breach affecting more than 1,000 residents Is Breach Notification to Affected Individuals Required if there is a Low Risk of Harm? Does Statute Cover, Paper Records, or Both? Both, if Executive Branch agency;, under proposed legislation Maximum Fine $50,000, under proposed legislation Does Statute Provide for a Private Cause of Action? 2008 Both $50, , 2015, 2013, 2009 (or to the State Public Health if the is regulated by that department) $10,000 $10,000 Both $3,000, or $250,000 for the unauthorized use of patient medical information
Colorado COLO. REV. STAT , Connecticut CONN. GEN. STAT. 36A-701B Delaware DEL. CODE ANN. tit. 6, 12B District of Columbia D.C. CODE 28- Florida FLA. STAT , Georgia GA. CODE ANN , Guam Hawaii Idaho Illinois GUAM CODE ANN. tit. 9, HAW. REV. STAT. 487N-1 7 IDAHO CODE ANN ILL. COMP. STAT. 530/1 - /40, 2016 ILL. LEGIS. SERV. P.A., (H.B. 1260) (legislation 2004, 2010 Both , $5,000 $10, $ (or to the Both $500,000 Agency for State Technology for state agencies) 2007, 2006 $0 for a data and breach; $100 for a Telephone failure of a credit Records reporting agency to implement a consumer-requested security , to the Office of Consumer Protection, if notice to more than 1, , 2006 (for covered government agencies) 2017, 2006,, effective Jan. 1, 2017, if is a state agency, if notice to more than 250 residents is freeze $150,000 Both $2,500 $25,000 Both $50,000 (plus an additional $10,000 if victim is 65 years of age or older)
status: effective Jan. 1, 2017) Indiana IND. CODE , Iowa IOWA CODE 715C.1.2 Kansas Kentucky Louisiana Maine KAN. STAT. ANN. 50-7A01 04 KY. REV. STAT. ANN , LA. REV. STAT. ANN. 51: , 40: , LA. ADMIN. CODE tit. 16, pt. III, 701 ME. REV. STAT. ANN. tit. 10, B ;, effective Jan. 1, 2017, if covered entity is subject to HIPAA or HITECH if notification to Secretary of Health and Human Services is 2006 (, if covered entity is a state agency) 2014, if notice to more than 500 (, if is a state agency) Both $150,000 Both $40, Both , 2014, to the commissioner of the Kentucky State Policy, the Auditor of Public Accounts, and the Attorney General 2007, 2005 (, if is the Health) 2009 (or to the Professional and Financial Regulation if the is regulated by that department) Both -- $5,000 $2,500
Maryland Massachusetts MD. CODE ANN. COM. LAW , MD. CODE ANN. STATE GOV'T MASS. GEN. LAWS ch. 93H, 1 6 Michigan MICH. COMP. LAWS D Minnesota MINN. STAT , 325E.61, 325E.64 Mississippi MISS. CODE ANN Missouri MO. REV. STAT Montana Nebraska MONT. CODE ANN , , NEB. REV. STAT , 2016 NEB. LAWS L.B. 835 (legislation status: effective July 20, 2016) 2013 Both $1,000 for first violation, $5,000 for any subsequent violation by a covered merchant 2007 Both $5,000, or $10,000 for violating an injunction entered pursuant to an enforcement action 2016, 2010 $750, , 2007 $25, Both $10, , if notice to more than 1, , 2009, 2007 (and to the State's Chief Information Officer if a state agency) 2016, 2006 (, effective July 20, 2016) (, if is a licensee or insurance-support organization) $150,000 Both $10,000 --
Nevada New Hampshire NEV. REV. STAT. 603A , N.H. REV. STAT. ANN. 359-C:19 :21, 189:66 New Jersey N.J. STAT. ANN. 56: New Mexico* H.B. 224 (proposed legislation status: postponed indefinitely) New York N.Y. GEN. BUS. LAW 899-AA, N.Y. STATE TECH. LAW North Carolina North Dakota Ohio Oklahoma N.C. GEN. STAT N.D. CENT. CODE OHIO REV. CODE ANN , OKLA. STAT. tit. 74, , tit. 24, , 2011 Both , 2007 (, if is the Education) 2005, to the Division of State Police in the Law and Public Safety 2014, if notice to more than , along with the State and the Division of State Police $10,000, and no less than double and no more than treble damages in private actions upon finding of willful violation Both -- Both $150,000 $150, , 2009 Both $5,000, if an individual has been injured 2015, 2013, if notice to more than , , 2008, if a state agency identifies a breach;, if an individual $1,000 cap; penalties can be as high as $10,000 per day of noncompliance $150,000
Oregon OR. REV. STAT. 646A Pennsylvania Puerto Rico 73 PA. CONS. STAT. ANN P.R. LAWS ANN. tit. 10, Rhode Island R.I. GEN. LAWS (repealed effective June 26, 2016 and July 2, 2016), R.I. GEN. LAWS (legislation status: effective June 26, 2016) South Carolina South Dakota* S.C. CODE ANN , , 2013, if notice to more than , to the Consumer Affairs (or to the Citizen's Advocate Office if the is a government agency or public corporation) 2016, 2005, (, if notice to more than 500, effective June 26, 2016) 2013, 2009, to the Consumer Protection Division of the Department of Consumer Affairs, if notice to more than 1,000 or business identifies a breach Both $500,000 $5,000 Both $5,000, (Both, effective June 26, 2016) $25,000, ( cap; $100 per record if violation was reckless; $200 per record if violation was knowing and willful, effective June 26, 2016) Both $1,000 per resident whose information was accessible if violation was knowing and willful
Tennessee Texas Utah Vermont TENN. CODE ANN , TEX. BUS. & COM. CODE ANN , TEX. EDUC. CODE ANN (B)(5) UTAH CODE ANN , 53A VT. STAT. ANN. tit. 9, Virginia VA. CODE ANN , :05 Virgin Islands V.I. CODE ANN. tit. 14, Washington WASH. REV. CODE , , 2005 (, to the Comptroller of the Treasury if covered entity is a state agency) 2015, 2013, 2011 Both The greater of $10,000; $5,000 per day of an assumed identity theft; or 10 times the amount obtained or assumed to have been obtained using the identity theft Both $50,000, plus $250,000 for failure to take reasonable action to comply with notice requirements 2016, 2013 (, if student's data is breached, by the covered education entity) 2015, 2014 (or to the Financial Regulation if the is regulated by that department) 2011, , 2010, 2007, if notice to more than 500, to declare an individual a victim of identity theft Both $100,000 Both $10,000 $150, Both --
West Virginia W. VA. CODE 46A-2A Wisconsin WIS. STAT Wyoming WYO. STAT. ANN $150, Both $1, , , to declare an individual a victim of identity theft
* State does not have a statute governing data breach
This table constitutes a summary of the laws of various U.S. jurisdictions and does not purport to represent a detailed or complete analysis of current U.S. law.