
Research Data Management

This guide provides best practices and resources for managing your research data for any discipline.

Data Breach Laws

All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have regulations that require private entities and/or government agencies to notify individuals of security breaches that might compromise their PII. When doing business (or research) in these localities, you should be aware of the local laws and responsibilities. The citations below are accurate as of January 5, 2020, and are subject to change without notice.

DigitalGuardian has a document that summarizes the rules for each locality. It covers notification requirements to individuals and to regulators, covered information, penalties, data breaches, and pending legislation.

  • Alabama: SB 318 Alabama Data Breach Notification Act of 2018 
  • Alaska: Sec. 45.48.010. Disclosure of breach of security
  • Arizona: Chapter 5 Network Security Article 4 Data Security Breaches 18-552  
  • Arkansas: AR 4-110-105 (2016) Title 4, Subtitle 7, Chapter 110 - Personal Information Protection Act 
  • California: 1798.29 Accounting of Disclosures and 1798.82 Customer Records
  • Colorado: Colo. Rev. Stat. 6-1-716 Notification of security breach
  • Connecticut: Conn. Gen Stat. 36a-701b Breach of security re computerized data containing personal information
  • Delaware: Del. Code tit. 6, 12B-101 et seq. Title 6, Subtitle II, Chapter 12B Computer Security Breaches
  • Florida: Flor. Stat. 501.171 Security of confidential personal information, 282.0041 Definitions, and 282.318(2)(i) Security of data and information technology
  • Georgia: Ga. Code 10-1-910-911-912 and 46-5-214  
  • Hawaii: Haw. Rev. Stat. 487N-1 et seq. 
  • Idaho: Idaho Stat. 28-51-104 to -107 Title 28, Chapter 51 Identity Theft
  • Illinois: 815 ILCS 530/1 to 530/25 Personal Information Protection Act
  • Indiana: Ind. Code 4-1-11 et seq. Notice of Security Breach and 24-4.9 et seq. Disclosure of Security Breach
  • Iowa: Iowa Code 715C.1 and -.2 Personal Information Security Breach Protection
  • Kansas: Kan. Stat. 50-7a01 et seq. Chapter 50, Article 7a Consumer information; security breach; definitions   
  • Kentucky: KRS 61.921-61.934 Personal Information Security and Breach Investigations 
  • Louisiana: La. Rev. Stat. 51:3071 et seq. Database Security Breach Notification Law
  • Maine: Me. Rev. Stat. tit. 10 1346 et seq. Title 10, Chapter 210-B Notice of Risk to Personal Data  
  • Maryland: Md. Code Com. Law 14-3501 Definitions and Md. State Govt. Code 10-1301 to -1308 Title 10, Subtitle 13 Protection of Information by Government Agencies  
  • Massachusetts: Mass. Gen. Laws 93H-1 et seq. Part I, Title XV, Chapter 93H Security Breaches 
  • Michigan: Mich. Comp. Laws 445.63 and 445.72 Identity Theft Protection
  • Minnesota: Minn. Stat. 325E.61 Data Warehouses and 325E.64 Access Devices; Breach of Security   
  • Mississippi: Miss. Code 75-24-29 Title 75, Chapter 24 General Provisions ...Breach of security
  • Missouri: Mo. Rev. Stat. 407.1500 Title XXVI Chapter 407 Definitions and 162.1475 Title XI, Chapter 162, Data breach, procedures  
  • Montana: MCA Part 17 30-14-1702-1704 Title 30, Chapter 14, Impediment of Identity Theft and 2-6-1501 to -1503 Title 2, Chapter 6 Public Records
  • Nebraska: Neb. Rev. Stat. 87-801 et seq. (87-801 to -808) Financial Data Protection and Consumer Notification of Data Security Breach Act 
  • Nevada: Nev. Rev. Stat. 603A.010 et seq. Security of Information by Data Collectors and Other Businesses, and NRS 242.183 Investigation, resolution and notification... 
  • New Hampshire: N. H. Rev. Stat. 359-C:19 et seq. Notice of Security Breach 
  • New Jersey: N.J. Stat. 56:8-161 Definitions, -163 Disclosure, -165 Regulations, -166 Unlawful practice, violation Title 56 Security of personal information   
  • New Mexico: N.M. Stat. 57-12C-1 to 57-12C-12 Data Breach Notification Act
  • New York: N.Y. Gen. Bus. Law 899-aa Breach Notification 
  • North Carolina: N.C. Gen. Stat. 75-61 Definitions and 75-65 Protection from security breaches  
  • North Dakota: N.D. Cent. Code 51-20-1--07  Notice of Security Breach for Personal Information
  • Ohio: Ohio Rev. Code 1349.19 Private Disclosure of Security Breach... and 1349.192 Civil action by attorney general for violation of disclosure laws.
  • Oklahoma: Ok. Stat. Tit. 24 24-162 Definitions, -163 Duty to Disclose Breach, -164 Procedures, -165 Enforcement.   
  • Oregon: Or. Rev. Stat. 646A.602 Definitions, 646A.604 Notice of Breach of Security and 646.607 Unlawful business, trade practices.  
  • Pennsylvania: 73 P.S. 201-1 - 201-9.2 Pennsylvania Unfair Trade Practices and Consumer Protection Law
  • Rhode Island: R.I. Gen. Law tit. 11-49.3.1 et seq. Identity Theft Protection Act of 2015 
  • South Carolina: S.C. Code Ann. 39-1-90 Title 39 Chapter 1 Breach of security...  
  • South Dakota: S.D. Codified L 22-40-19 to 22-40-26 Title 22 Chapter 40 Identity Crimes 
  • Tennessee: Tenn. Code 47-18-2101 to -2111. Title 47, Chapter 18, Part 21 Identity Theft Deterrence 
  • Texas: Tex. Bus. & Com. Code 521.002 Definitions and 521.053 Notification Required Following Breach of Security of Computerized Data.
  • Utah: Utah Code 13-44-101 et seq. Protection of Personal Information Act  
  • Vermont: Vt. Stat. tit. 9 2430 and 2435. Title 9, Chapter 62 Protection of Personal Information
  • Virginia: Va. Code 18.2-186.6 Breach of personal information notification and 32.1-127.1:05 Breach of medical information notification 
  • Washington: Washington Rev. Code 19.255.010 Title 19 Personal Information-Notice of Security Breaches.
  • West Virginia: W.V. Code 46A-2A-101 et seq. Breach of Security of Consumer Information 
  • Wisconsin: Wis. Stat. 134.98 Notice of unauthorized acquisition of personal information
  • Wyoming: Wyo. Stat. 63-901 to -902. Chapter 3, Article 9. Unauthorized use of personal identifying information
  • District of Columbia: D.C. Code 28-3851 et seq. Chapter 28 Subtitle II Consumer Security Breach Notification
  • Guam: 9 GCA 48-10 et seq. Notification of Breach of Personal Information
  • Puerto Rico: 10 Laws of Puerto Rico 4051 et seq. Title 10 Subtitle 3 Chapter 310 Citizen Information on Data Banks Security Act