Skip to Main Content
It looks like you're using Internet Explorer 11 or older. This website works best with modern browsers such as the latest versions of Chrome, Firefox, Safari, and Edge. If you continue with this browser, you may see unexpected results.

Research Data Management

This guide provides best practices and resources for managing your research data for any discipline.

Data Breach Laws

All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have regulations that require private entities and/or government agencies to notify individuals of security breaches that might compromise their PII.  When doing business (or research) in these localities, you should be aware of the local laws and responsibilities. These are accurate as of August 11, 2021. Subject to change without notice.

DigitalGuardian has a document that summarizes the rules for each locality. They include information on notification requirements, to individuals, to regulators, covered info, penalties, data breaches, and pending legislation.

IT Governance maintains a website on the Data Breach Notification Laws by State

JUSTIA US Law provides free access to federal and state court decisions, codes, and regulations. They also provide the full text of the Annotated US Constitution, as well as recent dockets and selected case filings from the US federal district and appellate courts. 

The National Conference of State Legislatures (NCSL) maintains a website of the Security Breach Notification Laws of all 50 states and territories.  

  • Alabama: 8-38-2 Alabama Data Breach Notification Act of 2018 
  • Alaska: Sec. 45.48.010. Disclosure of breach of security
  • Arizona: Chapter 5 Network Security Article 4 Data Security Breaches 18-551 and 18-552  
  • Arkansas: AR 4-110-105 (2019) Title 4, Subtitle 7, Chapter 110 - Personal Information Protection Act 
  • California: 1798.29 Accounting of Disclosures and 1798.82 Customer Records
  • Colorado: Colo. Rev. Stat. 6-1-716 Notification of security breach and 24-73 101-103 Security Breaches and Personal Information.
  • Connecticut: Conn. Gen Stat. 36a-701b Breach of security re computerized data containing personal information and 4e-70
  • Delaware: Del. code tit. 6, 12B-101 et seq. Title 6, Subtitle II, Chapter 12B Computer Security Breaches 
  • Florida: Flor. Stat. 501.171 Security of confidential personal information, 282.0041 Definitions282.318(2)(i) Security of data and information technology 
  • Georgia: Ga. Code 10-1-910-911-912 and 46-5-214  
  • Hawaii: Haw. Rev. Stat. 487N-1 et seq. 
  • Idaho: Idaho Stat. 28-51-104 to -107 Title 28, Chapter 51 Identity Theft
  • Illinois:815 ILCS 530/1 to 530/25 Personal Information Protection Act SB1624 
  • Indiana: Ind. Code 4-1-11 et seq. Notice of Security Breach and 24-4.9 et seq. Disclosure of Security Breach
  • Iowa: Iowa Code 715C.1 and -.2 Personal Information Security Breach Protection
  • Kansas: Kan. Stat. 50-7a01 et seq. Chapter 50, Article 7a Consumer information; security breach; definitions   
  • Kentucky: KRS 61.921-61.934 Personal Information Security and Breach Investigations 
  • Louisiana: La. Rev. Stat. 51:3071 et seq. Database Security Breach Notification Law
  • Maine: Me. Rev. Stat. tit. 10 1346 et seq. Title 10, Chapter 210-B Notice of Risk to Personal Data  
  • Maryland: Md. Code Com. Law 14-3501 Definitions and Md. State Govt. Code 10-1301 to -1308 Title 10, Subtitle 13 Protection of Information by Government Agencies  
  • Massachusetts: Mass. Gen. Laws 93H-1 et seq. Part I, Title XV, Chapter 93H Security Breaches 
  • Michigan: Mich. Comp. Laws 445.63 and 445.72 Identity Theft Protection
  • Minnesota: Minn. Stat. 325E.61 Data Warehouses and 325E.64 Access Devices; Breach of Security   
  • Mississippi: Miss. Code 75-24-29 Title 75, Chapter 24 General Provisions ...Breach of security
  • Missouri: Mo. Rev. Stat. 407.1500 Title XXVI Chapter 407 Definitions and 162.1475 Title XI, Chapter 162, Data breach, procedures  
  • Montana: MCA Part 17 30-14-1702-1704 Title 30, Chapter 14, impediment of Identity Theft and 2-6-1501 to -1503 Title 2, Chapter 6 Public Records, 33-19-321 Computer Security Breach. 
  • Nebraska: Neb. Rev. Stat. 87-801 et seq. (87-801 to -808) Financial Data Protection and Consumer Notification of Data Security Breach Act 
  • Nevada: Nev. Rev. Stat. 603A.010 et seq. Security of Information by Data Collectors and Other Businesses, and NRS 242.183 Investigation, resolution and notification... 
  • New Hampshire: N. H. Rev. Stat. 359-C:19 et seq. Notice of Security Breach, 359-C20, 359-C:21.  
  • New Jersey: N.J. Stat. 56:8-161 Definitions, -163 Disclosure, -165 Regulations, -166 Unlawful practice, violation Title 56 Security of personal information, -166.1 Person, business, association prohibited from publishing certain information on the internet.    
  • New Mexico: N.M. Stat. 57-12C-1 to 57-12C-12 Data Breach Notification Act
  • New York: N.Y. Gen. Bus. Law 899-aa Breach Notification 
  • North Carolina: N.C. Gen. Stat. 75-61 Definitions and 75-65 Protection from security breaches, Article 19C 14-113.20 Identity Theft.  
  • North Dakota: N.D. Cent. Code 51-20-1--07  Notice of Security Breach for Personal Information, House Bill 1314 Cybersecurity Incident Reporting 
  • Ohio: Ohio Rev. Code 1347.12 Agency disclosure of security breach of computerized personal information data, 1349.19 Private Disclosure of Security Breach, 1349.191 Investigation of noncompliance with disclosure laws, 1349.192 Civil action by attorney general for violation of disclosure laws and 1354 Businesses Maintaining Recognized Cybersecurity Programs. 
  • Oklahoma: Ok. Stat. Tit. 24 24-162 Definitions, -163 Duty to Disclose Breach, -164 Procedures, -165 Enforcement.   
  • Oregon: Or. Rev. Stat. 646A.602 Definitions, 646A.604 Notice of Breach of Security and 646.607 Unlawful business, trade practices.  
  • Pennsylvania: 73 P.S. 2301-2330 Pennsylvania Unfair Trade Practices and Consumer Protection Law
  • Rhode Island: R.I. Gen. Law tit. 11-49.1 Impersonation and Identity Fraud, 11-49.2 Identity Theft protection, and 11-49.3.1 et seq. Identity Theft Protection Act of 2015 
  • South Carolina: S.C. Code Ann. 39-1-90 Title 39 Chapter 1 Breach of security...  
  • South Dakota: S.D. Codified L 22-40-1 to 22-40-26 Title 22 Chapter 40 Identity Crimes and 22-40-19 Definition of terms.
  • Tennessee: Tenn. Code 47-18-2101 to -2111. Title 47, Chapter 18, Part 21 Identity Theft Deterrence 
  • Texas: Tex. Bus. & Com. Code 521.002 Definitions and 521.053 Notification Required Following Breach of Security of Computerized Data.
  • Utah: Utah Code 13-44-101 et seq. Protection of Personal Information Act, H.B. 80 Data Security Amendments.
  • Vermont: Vt. Stat. tit. 9 2430 Definitions, 2435 Notice of security breaches, and Title 9, Chapter 62 Protection of Personal Information
  • Virginia: Va. Code 18.2-186.6 Breach of personal information notification and 32.1-127.1:05 Breach of medical information notification 
  • Washington: Washington Rev. Code 19.255.010 Title 19 Personal Information-Notice of Security Breaches and 42.56.590 Title 42 Personal Information.
  • West Virginia: W.V. Code 46A-2A-101 et seq. Breach of Security of Consumer Information 
  • Wisconsin: Wis. Stat. 134.98 Notice of unauthorized acquisition of personal information
  • Wyoming: Wyo. Stat. 63-901 to -902. Chapter 3, Article 9. Unauthorized use of personal identifying information
  • District of Columbia: D.C. Code 28-3851-3853 Chapter 28 Subtitle II Consumer Security Breach Notification
  • Guam: 9 GCA 48-10 et seq. Notification of Breach of Personal Information
  • Puerto Rico: 10 Laws of Puerto Rico 4051 et seq. Title 10 Subtitle 3 Chapter 310 Citizen Information on Data Banks Security Act
  • Virgin Islands: Title 14 Chapter 110 Theft Subchapter 1 2200-2212 Identity Theft