| 1 |
Alabama |
2018 |
$500,000 |
$5,000 per day |
45 days |
10 days |
1,000 individuals |
2018 S.B. 318, Act No. 396 |
2018 S.B. 318, Act No. 396 |
| 2 |
Alaska |
2008 |
$50,000 |
|
|
|
1,000 individuals |
Alaska Statutes 45.48.010: Personal Information Protection Act |
Alaska Statutes 45.48.010 |
| 3 |
Arizona |
2006 |
$500,000 |
|
45 days |
|
1,000 individuals |
Arizona Revised Statutes 18-545 |
Arizona Revised Statutes 18-545 |
| 4 |
Arkansas |
2005 |
$250,000 |
|
45 days |
|
1,000 individuals |
Arkansas Code 4-110-101: Personal Information Protection Act |
Arkansas Code 4-110-101 |
| 5 |
California |
2002 |
$250,000 |
|
|
|
500 individuals |
California Civil Code 1798:29 and 1798:80 |
California Civil Code 1798:29 and 1798:80 |
| 6 |
Colorado |
2006 |
$250,000 |
|
30 days |
|
500 individuals |
Colorado Revised Statutes 6-1-716 |
Colorado Revised Statutes 6-1-716 |
| 7 |
Connecticut |
2005 |
$250,000 |
|
90 days |
|
|
Connecticut General Statutes 36a-701b |
Connecticut General Statutes 36a-701b |
| 8 |
Delaware |
2005 |
$75,000 |
|
60 days |
|
500 individuals |
Delaware Code Title 6, Chapter 12B |
Delaware Code Title 6, Chapter 12B |
| 9 |
Florida |
2014 |
$500,000 |
$1,000 per day, then $50,000 per month |
30 days |
|
500 individuals |
Fla. Stat. § 501.171 |
Fla. Stat. § 501.171 |
| 10 |
Georgia |
2005 |
$50,000 + $100/customer |
|
|
24 hours |
10,000 individuals |
Georgia Code 10-1-912 |
Georgia Code 10-1-912 |
| 11 |
Hawaii |
2006 |
$100,000 + $2,500 per incident + actual damages per customer |
|
|
|
1,000 individuals |
Hawaii Revised Statutes 487N-1 |
Hawaii Revised Statutes 487N-1 |
| 12 |
Idaho |
2006 |
$25,000 per breach |
|
|
|
|
Idaho Code 28-51-104 |
Idaho Code 28-51-104 |
| 13 |
Illinois |
2005 |
$250,000 |
|
|
|
500 individuals |
815 ILCS 530: Personal Information Protection Act |
815 ILCS 530: Personal Information Protection Act |
| 14 |
Indiana |
2005 |
$250,000 + $150,000 per violation |
|
45 days |
|
|
Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq. |
Ind. Code §§ 4-1-11 et seq., 24-4.9 et seq. |
| 15 |
Iowa |
2008 |
$250,000 |
|
|
|
500 individuals |
Iowa Code 715C.1 |
Iowa Code 715C.1 |
| 16 |
Kansas |
2006 |
$100,000 |
|
|
|
|
Kansas Statutes 50-7a01 |
Kansas Statutes 50-7a01 |
| 17 |
Kentucky |
2014 |
$250,000 |
|
|
|
|
KY Rev. Stat. § 365.732 |
KY Rev. Stat. § 365.732 |
| 18 |
Louisiana |
2005 |
$100,000 + civil damages + unlimited fines of $5,000/day |
$5,000 per day (ref: page 33) |
60 days (10 days to notify Attorney General to avoid $5,000/day fine) |
|
|
Louisiana Revised Statutes 51:3071 |
Louisiana Revised Statutes 51:3071 |
| 19 |
Maine |
2005 |
$5,000 for each breach plus $500 per violation, and $2,500 per day (for unlimited days) |
|
30 days |
|
|
10 Me. Rev. Stat. § 1346 et seq. |
10 Me. Rev. Stat. § 1346 et seq. |
| 20 |
Maryland |
2007 |
$100,000 |
|
45 days |
|
|
Maryland Commercial Code 14-3501 |
Maryland Commercial Code 14-3501 |
| 21 |
Massachusetts |
2007 |
|
|
|
|
|
Massachusetts General Laws 93H, Section 1 |
Massachusetts General Laws 93H, Section 1 |
| 22 |
Michigan |
2006 |
$250,000 + $250 per customer + $750,000 per breach |
|
|
|
|
Mich. Comp. Laws §§ 445.63, 445.72 |
Mich. Comp. Laws §§ 445.63, 445.72 |
| 23 |
Minnesota |
2005 |
$250,000 |
|
|
|
|
Minnesota Statutes 325E.61 |
Minnesota Statutes 325E.61 |
| 24 |
Mississippi |
2010 |
$5,000 |
|
|
|
|
Mississippi Code 75-24-29 |
Mississippi Code 75-24-29 |
| 25 |
Missouri |
2009 |
$100,000 + $150,000 per breach |
|
|
|
1,000 individuals |
Missouri Revised Statutes 407.1500 |
Missouri Revised Statutes 407.1500 |
| 26 |
Montana |
2006 |
$250,000 |
|
|
|
|
Montana Code 30-14-1704 |
Montana Code 30-14-1704 |
| 27 |
Nebraska |
2006 |
$75,000 |
|
|
|
|
Nebraska Revised Statutes 87-801 |
Nebraska Revised Statutes 87-801 |
| 28 |
Nevada |
2005 |
$250,000 |
|
|
|
|
Nevada Revised Statutes 603A.010 |
Nevada Revised Statutes 603A.010 |
| 29 |
New Hampshire |
2006 |
$5,000 + 3 times actual damages + legal costs of victims |
|
|
|
|
New Hampshire Revised Statutes 359-C:20 |
New Hampshire Revised Statutes 359-C:20 |
| 30 |
New Jersey |
2005 |
$250,000 |
|
|
|
|
New Jersey Statutes 56:8-163: Identity Theft Prevention Act |
New Jersey Statutes 56:8-163 |
| 31 |
New Mexico |
2017 |
$100,000, or $150,000 for failure to notify |
|
45 days |
|
1,000 individuals |
New Mexico Data Breach Act - HB 15 |
New Mexico Data Breach Act - HB 15 |
| 32 |
New York |
2005 |
$250,000, or $250,000 for failure to notify + actual damages per customer + $5,000 per violation for failure to safeguard information |
|
|
|
|
New York General Business Law 899-aa and State Technology Law 208 |
New York General Business Law 899-aa and State Technology Law 208 |
| 33 |
North Carolina |
2005 |
$250,000 |
|
|
|
1,000 individuals |
North Carolina General Statutes 75-61 and 75-65 |
Statutes 75-61 and 75-65 |
| 34 |
North Dakota |
2005 |
$250,000 |
|
|
|
|
North Dakota Century Code 51-30-01 |
North Dakota Century Code 51-30-01 |
| 35 |
Ohio |
2005 |
$250,000 |
|
45 days |
|
|
Ohio Revised Code 1349.19 |
Ohio Revised Code 1349.19 |
| 36 |
Oklahoma |
2008 |
$50,000 if compliant; or $150,000 per breach if notice not given |
|
|
|
|
24 Okla. Stat. § 161 et seq. |
24 Okla. Stat. § 161 et seq. |
| 37 |
Oregon |
2007 |
$250,000 |
|
45 days |
10 days |
250 individuals |
Oregon Revised Statutes 646A.600: Oregon Consumer Identity Theft Protection Act |
Oregon Revised Statutes 646A.600 |
| 38 |
Pennsylvania |
2006 |
$100,000 if in compliance |
|
|
|
|
Pennsylvania Statutes 73-2301: Breach of Personal Information Notification Act |
Pennsylvania Statutes 73-2301 |
| 39 |
Rhode Island |
2006 |
$25,000 if in compliance; $200 per customer that did not receive notice of breach |
|
45 days |
|
|
Rhode Island General Laws 11-49.3 |
Rhode Island General Laws 11-49.3 |
| 40 |
South Carolina |
2008 |
$250,000 if in compliance; $1,000 per customer if willfully failed to notify + actual damages + attorney fees |
|
|
|
|
South Carolina Code 39-1-90 |
South Carolina Code 39-1-90 |
| 41 |
South Dakota |
2018 |
$10,000 per day per violation |
|
60 days |
|
250 individuals |
South Dakota S.B. 62 |
South Dakota S.B. 62 |
| 42 |
Tennessee |
2005 |
$250,000 |
|
45 days |
|
|
Tennessee Code 47-18-2107 |
Tennessee Code 47-18-2107 |
| 43 |
Texas |
2007 |
$250,000 if in compliance; $50,000 per violation; in addition, up to $250,000 fine per breach + attorney fees and all expenses |
|
60 days |
|
|
Texas Business and Commerce Code 521.002 and 521.053 |
Commerce Code 521.002 and 521.053 |
| 44 |
Utah |
2006 |
$2,500 per customer up to $100,000 per breach, and unlimited fines for breaches greater than 10,000 Utah records + 10,000 non-Utah records |
|
|
|
|
Utah Code 13-44-101, 13-44-202 and 13-44-301: Protection of Personal Information Act |
Utah Code 13-44-101, 13-44-202 and 13-44-301 |
| 45 |
Vermount |
2006 |
$10,000 if compliant; unlimited fees and punishments if non-compliant |
|
45 days |
|
|
Vermont Statutes Annotated 9-2430 and 2435 |
Vermont Statutes Annotated 9-2430 and 2435 |
| 46 |
Virginia |
2008 |
$50,000 if compliant; $150,000 per breach if non-compliant + unlimited civil damages |
|
|
|
1,000 individuals |
Virginia Code 18.2-186.6 and 32.1-127.1:05 |
Virginia Code 18.2-186.6 and 32.1-127.1:05 |
| 47 |
Washington |
2005 |
$250,000 |
|
45 days |
|
500 individuals |
Washington Revised Code 19.255.010 |
Washington Revised Code 19.255.010 |
| 48 |
West Virginia |
2008 |
$50,000 if compliant; $150,000 per breach if non-compliant |
|
|
|
|
West Virginia Code 46A-2A-101 |
West Virginia Code 46A-2A-101 |
| 49 |
Wisconsin |
2006 |
unlimited fines and unlimited costs to notify |
|
45 days |
|
|
Wisconsin Statutes 134.98 |
Wisconsin Statutes 134.98 |
| 50 |
Wyoming |
2007 |
$10,000 if a compliant Wyoming business; $250,000 if a compliant non-Wyoming business; unlimited damages for non-compliance |
|
|
|
|
Wyoming Statutes 40-12-501 and 40-12-502 |
Wyoming Statutes 40-12-501 and 502 |