ACCORDING TO STATE LAWS, WHO DO YOU NOTIFY ABOUT A DATA BREACH?
As you may have guessed by now, state data breach notification laws aren't all cut from the same cloth. States often define what constitutes "sensitive data" differently from one another, some states' data security laws are much more far-reaching than others, and a breach that may seem minuscule to one state could be seen as a massive breach by another. Comparing these laws to one another is best done by finding common ground and breaking the laws down to the most fundamental questions they should answer: who should I notify if a breach were to occur, and how long do I have to notify them?
Thankfully, approaching state data breach laws in this way allows some similarities to emerge. Depending on the size of the breach, it's often necessary to report the breach to the state's Attorney General or a closely related executive department. It's also sometimes necessary to report a breach to Consumer Reporting Agencies (CRAs) to protect those affected by the breach against fraud.
The single common denominator among all state data breach notification laws, however, is that they all require the breached entity to notify the individuals whose information was compromised, assuming an investigation finds the breach to be potentially harmful. Not only that, but nearly every state's data breach notification law encourages the breached entities to notify the affected individuals "in the most [expedient/expeditious] time possible," and "without unreasonable delay." In other words, regardless of whether your state's breach notification law specifies an acceptable timeline, anyone whose information was compromised in a breach should be notified as soon as possible by the breached entity.
To read more about who you should report a breach to and how long you have to notify them, find your state below and click the link for more information.
BREACH NOTIFICATION LAWS WITH NO SPECIFIED TIME LIMIT
Alaska - Alaska Stat. § 45.48.010
- The Alaska Attorney General and CRAs must be notified as soon as possible if over 1000 residents are affected.
Arkansas - Ark. Code § 4-110-105
- Affected individuals are to be notified in the most expedient time and manner possible and without unreasonable delay. Notifying regulators is not mandated.
California - Cal. Civ. Code § 1798.82
- The California Attorney General must be notified as soon as possible if over 500 residents are affected.
Georgia - Ga. Code § 10-1-912
- CRAs must be notified as soon as possible if over 10,000 residents are affected.
Hawaii - Haw. Rev. Stat. § 487N-2
- The Hawaii Office of Consumer Protection and CRAs must be notified as soon as possible if over 1000 residents are affected.
Idaho - Idaho Code § 28-51-105
- The Idaho Attorney General must be notified within 24 hours after discovering the breach.
Illinois - 815 Ill. Comp. Stat. 530/10
- The Illinois Attorney General must be notified at the same time as affected residents if over 500 Illinois residents were affected by the breach.
Indiana - Ind. Code § 24-4.9-3-1
- The Indiana Attorney General and CRAs must be notified as soon as possible if over 1000 residents are affected.
Iowa - Iowa Code § 715C.1
- The Director of the Consumer Protection Division of the Iowa Attorney General must be notified within five days if over 500 residents are affected.
Kansas - Kan. Stat. § 50-7a02
- CRAs must be notified immediately if over 1000 residents are affected.
Kentucky - Ky. Rev. Stat. § 365.732
- CRAs must be notified immediately if over 1000 residents are affected.
Maine - 10 Me. Rev. Stat. § 1348
- CRAs must be notified immediately if over 1000 residents are affected.
Massachusetts - Mass. Gen. Laws 93H § 3
- The Massachusetts Director of Consumer Affairs and Business Regulation and Attorney General must be notified as soon as possible after discovering the breach.
Michigan - Mich. Comp. Laws § 445.72
- CRAs must be notified as soon as possible if over 1000 residents are affected.
Minnesota - Minn. Stat. § 325E.61
- CRAs must be notified within 48 hours of the discovery of the breach if over 500 residents are affected.
Mississippi - MS Code § 75-24-29
- Affected individuals are to be notified without unreasonable delay. Notifying regulators is not mandated.
Missouri - Mo. Rev. Stat. § 407.1500
- The Missouri Attorney General must be notified as soon as possible if over 500 residents are affected.
Montana - Mont. Code §§ 30-14-1704, 33-19-321
- The Montana Attorney General's Office of Consumer Protection must be notified immediately upon discovery of the breach so as to assist in the notification of affected individuals.
Nebraska - Neb. Rev. Stat. § 87-803
- The Nebraska Attorney General must be notified at the same time as the affected individuals.
Nevada - Nev. Rev. Stat. 603A.220
- CRAs must be notified immediately if over 1000 residents are affected.
New Hampshire - N.H. Rev. Stat. 359-C:20
- The New Hampshire Attorney General and CRAs must be notified as soon as possible if over 1000 residents are affected.
New Jersey - N.J. Stat. § 56:8-163
- The Division of State Police in the New Jersey Department of Law and Public Safety must be notified before affected individuals.
- CRAs must be notified as soon as possible if over 1000 residents are affected.
New York - N.Y. Gen. Bus. Law § 899-aa
- The offices of the New York Attorney General, the New York State Division of State Police, and the Department of State's Division of Consumer Protection must be informed immediately if a breach occurs.
- CRAs also must be notified immediately if over 5000 residents are affected.
North Carolina - N.C. Gen. Stat. § 75-65
- The Consumer Protection Division of the North Carolina Attorney General's Office and all CRAs must be notified as soon as possible if over 1000 residents are affected.
North Dakota - N.D. Cent. Code § 51-30-02
- The North Dakota Attorney General must be notified if over 250 residents are affected.
Oklahoma - Ok. Stat., Tit. 24, § 163
- Affected individuals are to be notified without unreasonable delay. Notifying regulators is not mandated.
Pennsylvania - 73 Pa. Stat. §§ 2303; 2305
- CRAs must be notified as soon as possible if over 1000 residents are affected.
South Carolina - S.C. Code Ann. § 39-1-90
- The Consumer Protection Division of the South Carolina Department of Consumer Affairs and CRAs are to be informed if notices are sent to more than 1,000 residents.
Texas - Tex. Bus. & Com. Code §§ 521.002; 521.053
- The Texas Attorney General is to be notified of the breach within 60 days of the breach if over 250 residents are affected.
- CRAs must be notified if over 10,000 residents are affected.
Utah - Utah Code § 13-44-202
- Affected individuals are to be notified in the most expedient time and manner possible and without unreasonable delay. Notifying regulators is not mandated.
Virginia - Va. Code §§ 18.2-186.6, 32.1-127.1:05
- The Attorney General and all consumer reporting agencies are to be informed if notices are sent to more than 1,000 residents.
- If medical information was compromised in the breach, the Office of the Virginia Attorney General and the Commissioner of Health are to be informed as soon as possible if over 1000 residents are affected.
West Virginia - W.V. Code § 46A-2A-101
- CRAs must be notified as soon as possible if over 1000 residents are affected.
Wyoming - Wyo. Stat. § 40-12-502
- Affected individuals are to be notified in the most expedient time and manner possible and without unreasonable delay. Notifying regulators is not mandated.
BREACH NOTIFICATION LAWS WITH A SPECIFIED TIME LIMIT
Alabama - Ala. Code §§ 8-38-5 - 8-38-7
- Affected individuals must be notified as soon as possible, but no later than 45 days after discovery of the breach.
- The Alabama Attorney General and CRAs must be notified if over 1000 residents are affected.
Arizona - Ariz. Rev. Stat. § 18-552
- Affected individuals must be notified as soon as possible, but no later than 45 days after discovery of the breach.
- The Arizona Attorney General and CRAs must be notified if over 1000 residents are affected.
Colorado - Colo. Rev. Stat. § 6-1-716
- Affected individuals must be notified as soon as possible, but no later than 30 days after discovery of the breach.
- The Colorado Attorney General must be notified within 30 days if over 500 residents are affected.
- CRAs must be notified if over 1000 residents are affected.
Connecticut - Public Act No. 21-59
- Affected individuals must be notified as soon as possible, but no later than 60 days after discovery of the breach.
- The Connecticut Attorney General must be notified at the same time as the affected individuals.
Delaware - 6 DE Code § 12B-102
- Affected individuals must be notified as soon as possible, but no later than 60 days after discovery of the breach.
- The Delaware Attorney General must be notified if over 500 residents are affected.
Florida - Fla. Stat. § 501.171
- Affected individuals must be notified as soon as possible, but no later than 30 days after discovery of the breach.
- The Florida Department of Legal Affairs must be notified within 30 days if over 500 residents are affected.
- CRAs must be notified if over 1000 residents are affected.
Louisiana - La. Rev. Stat. § 51:3074
- Affected individuals must be notified as soon as possible, but no later than 60 days after discovery of the breach.
- The Consumer Protection Section of the Louisiana Attorney General's Office must always be notified immediately.
Maryland - Md. Code Com. Law § 14-3504
- Affected individuals must be notified as soon as possible, but no later than 45 days after discovery of the breach.
- CRAs must be notified if over 1000 residents are affected.
New Mexico - N.M. Stat. §§ 57-12C-6; 57-12C-10
- Affected individuals must be notified as soon as possible, but no later than 45 days after discovery of the breach.
- The New Mexico Attorney General and CRAs must be notified within 45 days if over 1000 residents are affected.
Ohio - Ohio Rev. Code §§ 1349.19; 1349.192
- Affected individuals must be notified as soon as possible, but no later than 45 days after discovery of the breach.
- CRAs must be notified if over 1000 residents are affected.
Oregon - Or. Rev. Stat. § 646A.604
- Affected individuals must be notified as soon as possible, but no later than 45 days after discovery of the breach.
- The Oregon Attorney General must be notified at the same time as affected individuals if over 250 residents are affected.
- CRAs must be notified if over 1000 residents are affected.
Rhode Island - R.I. Gen. Laws § 11-49.3-4
- Affected individuals must be notified as soon as possible, but no later than 45 days after discovery of the breach.
- The Rhode Island Attorney General and CRAs must be notified if over 500 residents are affected.
South Dakota - SDCL §§ 22-40-20; 22-40-24
- Affected individuals must be notified as soon as possible, but no later than 60 days after discovery of the breach.
- CRAs must always be notified as soon as possible.
- The South Dakota Attorney General must be notified if over 250 residents are affected.
Tennessee - Tenn. Code Ann. § 47-18-2107
- Affected individuals must be notified as soon as possible, but no later than 45 days after discovery of the breach.
- CRAs must be notified if over 1000 residents are affected.
Vermont - 9 V.S.A. § 2435
- Affected individuals must be notified as soon as possible, but no later than 45 days after discovery of the breach.
- The Vermont Attorney General or the Department of Financial Regulation (if applicable) must be notified within 14 business days.
- CRAs must be notified if over 1000 residents are affected.
Washington - Wash. Rev. Code § 19.255.010
- Affected individuals must be notified as soon as possible, but no later than 30 days after discovery of the breach.
- The Washington Attorney General must be notified within 30 days of the breach if over 500 residents are affected.
Wisconsin - Wis. Stat. § 134.98
- Affected individuals must be notified as soon as possible, but no later than 45 days after discovery of the breach.
- CRAs must be notified if over 1000 residents are affected.