Mintz Matrix

State Data Security Breach Notification Laws

As data breaches dominate national headlines it remains important as ever for businesses to invest in security and to be ready to respond if a breach occurs. Part of your preparedness program should be staying current on data breach legislation at the state level and we are here to help with our “Mintz Matrix,” a detailed survey of U.S. state data breach notification laws.

mintz matrixHIMSNHVTMARICTNJDEMDDCWVPRVI

Click here to download a print-version of the Mintz Matrix

Alabama  
Alaska  
Arizona  
Arkansas  
California  
Colorado  
Connecticut  
Delaware  
District of Columbia  
Florida  
Georgia  
Hawaii  
Idaho  
Illinois  
Indiana  
Iowa  
Kansas  
Kentucky		Louisiana  
Maine  
Maryland  
Massachusetts  
Michigan  
Minnesota  
Mississippi  
Missouri  
Montana  
Nebraska  
Nevada  
New Hampshire  
New Jersey  
New Mexico  
New York  
North Carolina  
North Dakota  
Ohio		Oklahoma  
Oregon  
Pennsylvania  
Puerto Rico  
Rhode Island  
South Carolina  
South Dakota  
Tennessee  
Texas  
Utah  
Vermont  
Virginia  
Virgin Islands  
Washington  
West Virginia  
Wisconsin  
Wyoming

The general definition of “personal information” used in the majority of statutes is: An individual’s first name or first initial and last name plus one or more of the following data elements: (i) Social Security number, (ii) driver’s license number or state-issued identification card number, and (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account. The general definition generally applies to computerized data that includes personal information and usually excludes publicly available information that is lawfully made available to the general public from federal, state or local governments or widely distributed media. When a statute varies from this general definition, it will be pointed out and underlined in the chart.

The term “security breach” is used in this chart to capture the concept variably described in state statutes as a “security breach,” “breach of the security,” “breach of the security system,” or “breach of the security of the system,” among other descriptions.

For those entities doing business in Texas, be sure to review the relevant Texas law. This chart does not include information on the California Consumer Privacy Act

Please note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.

Please note: This chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to specific data breach incidents. You should seek the advice of experienced legal counsel when reviewing options and obligations in responding to a particular data security breach.

Laws and regulations change quickly in the data security arena.

This chart is current as of February 28, 2025.

Professionals

  • Cynthia J. Larose
  • Scott T. Lashway
  • Christopher J. Buontempo
  • Michael B. Katz

    • Related Practices

  • Privacy & Cybersecurity