States That Provide Incentives for Compliance with Data Security Programs
A few states have enacted laws that provide an affirmative defense to certain data breach-related claims or other incentives for organizations that implement specific standards-based information security measures and programs.
Connecticut
Connecticut incentivizes organizations to adopt written cybersecurity programs that conform to industry recognized security standards or other applicable laws. Specifically, covered organizations may avoid punitive damages in a tort action alleging a failure to implement reasonable cybersecurity controls if they:
- Created, maintained, and complied with a written cybersecurity program containing administrative, technical, and physical safeguards for personal or restricted information.
- Conformed their written cybersecurity program to the current version of certain industry recognized standards or applicable laws.
- Designed their cybersecurity program to protect personal or restricted information and scaled it based on specified factors.
(Conn. Gen. Stat. Ann. § 42-901(b).)
An organization’s cybersecurity program conforms to an industry recognized framework if:
- It conforms to the current version of:
(See Guidance and Resources, above.)
- The organization is regulated by the state or federal government, or is otherwise subject to, and its program conforms to the current version of:
- HIPAA;
- the GLBA;
- the Federal Information Security Modernization Act of 2014 (FISMA); or
- the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- Its program complies with the current PCI DSS (see Guidance and Resources, above) and another specified industry recognized standard.
(Conn. Gen. Stat. Ann. § 42-901(c).)
Organizations must also design their cybersecurity programs to:
- Protect the security and confidentiality of personal or restricted information against:
- threats or hazards to the information; and
- unauthorized access to and use of the information that results in a material risk of identity theft or other fraud.
- Reflect a scope and scale based on:
- their size and complexity;
- the nature and scope of their activities;
- the information’s sensitivity; and
- the cost and availability of information security tools.
(Conn. Gen. Stat. Ann. § 42-901(d).)
Iowa
Iowa provides an affirmative defense against certain data breach-related tort claims to organizations that create, maintain, and comply with a written cybersecurity program that reasonably conforms to an industry-recognized framework, or is otherwise designed to:
- Continually evaluate and mitigate reasonably anticipated threats that could lead to a data breach.
- Communicate the risks of a data breach and actions they could take to reduce damages if one occurs.
- Operate at a cost no less than the maximum probable loss that a data breach could cause, calculated by multiplying the total value of reasonably possible damage by the probability of damage occurring, and reevaluate and adapt to this value annually.
(Iowa Code Ann. § 554G.2.)
An organization meets the statute’s requirements if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, specifically if:
- The program reasonably conforms to the current version of any one or combination of the following industry standards, with up to one year to reasonably comply after revisions:
- The organization is regulated by the state or federal government, or is otherwise subject to, and its program reasonably conforms to the current version of, any of the following, with one year to reasonably comply after amendment:
- the HIPAA Security Rule;
- the HITECH Act;
- the GLBA;
- FISMA;
- the Iowa Insurance Data Security Act (Iowa Code Ann. §§ 507F.1 to 507F.16); or
- critical infrastructure rules, regulations, or guidelines adopted by the Environmental Protection Agency, Cybersecurity and Infrastructure Security Agency, or North American Reliability Corporation.
(Iowa Code Ann. §§ 554G.2(4)(b) and 554G.3.)
The statute requires that the cybersecurity program protect both:
- Personal information, defined as any information that could directly or indirectly identify an individual or identify their genetic, cultural, or social identity, or other identity, in particular with an identifier such as Social Security or driver’s license number, other identification number, financial account or card number, location data, or biometric data.
- Restricted information, meaning information related to an individual or business, other than personal information, that can be linked or used to identify an individual or business and is likely to result in a material risk of identity theft or other fraud if exposed in a breach.
(Iowa Code Ann. §§ 554G.1 and 554G.2.)
Ohio
Ohio’s data security law does not require organizations to implement specific data security measures. It instead provides a safe harbor from certain data breach-related tort actions for those that create, maintain, and comply with a written cybersecurity program that:
- Protects:
- personal information as defined in Ohio R.C. 1349.19; or
- a combination of personal information and restricted information, which includes any unencrypted information that alone or in combination with other information identifies or links to an individual, if its breach creates a material risk of identity theft or other fraud.
- Contains administrative, technical, and procedural safeguards to protect personal information and, if applicable, restricted information.
- Reasonably conforms to an industry recognized cybersecurity framework, specifically:
(See Guidance and Resources, above.)
- Alternatively, for regulated entities, complies with security requirements under:
- HIPAA and the HITECH Act;
- the GLBA; or
- FISMA.
- Follows a scale and scope that is appropriate according to:
- the organization’s size and complexity;
- the nature and scope of its activities;
- the sensitivity of the information it protects;
- the cost and availability of applicable tools; and
- the organization’s available resources.
(Ohio R.C. 1354.01 to 1354.05.)
Tennessee
Effective July 1, 2025, Tennessee’s consumer data privacy law, the Tennessee Information Protection Act (TIPA), includes an affirmative defense against claims brought under the Act.
TIPA applies to persons conducting business in Tennessee producing products or services targeted to Tennessee residents (controllers), generating revenue exceeding $25 million, and either:
- Controlling or processing at least 175,000 consumers’ personal information during a calendar year.
- Deriving over 50% of gross revenue from the sale of personal data and controlling or processing at least 25,000 consumers’ personal data.
(Tennessee Information Protection Act, 2023 Tennessee Laws Pub. Ch. 408 (H.B. 1181), § 2 (eff. July 1, 2025).)
The affirmative defense against TIPA claims is available to controllers and processors that create, maintain, and comply with a written privacy policy that:
- Reasonably conforms to the NIST Privacy Framework, or other documented privacy safeguard policies, standards, and procedures, with 2 years to reasonably conform to subsequent revisions.
- Provides consumers with the substantive rights provided by TIPA.
The size and scope of the privacy program is appropriate if it is based on the size and complexity of the controller or processor’s business, the scope and nature of their activities, the sensitivity of the personal data processed, the cost and availability of privacy and data protection tools, and compliance with a comparable federal and state law.
Certification under the Asia Pacific Economic Cooperation’s Cross Border Privacy Rules system, or for processors, the Asia Pacific Economic Cooperation’s Privacy Recognition for Processors system can also be considered.
(Tennessee Information Protection Act, 2023 Tennessee Laws Pub. Ch. 408 (H.B. 1181), § 2 (eff. July 1, 2025).)
Utah
Utah’s safe harbor law provides an affirmative defense against certain claims arising out of a data breach for those who implement and comply with a qualified written cybersecurity program (Utah Code § 78B-4-702).
Organizations may assert the affirmative defense against claims that they failed to:
- Implement reasonable information security controls, resulting in a system security breach as defined in the state’s data breach notification law.
- Appropriately respond to a system security breach.
- Appropriately notify an affected individual.
(Utah Code § 78B-4-702(1) to (4).)
The defense is available if the organization:
- Creates, maintains, and reasonably complies with a qualified written cybersecurity program.
- Followed the protocols included in the program at the time of the security breach.
(Utah Code § 78B-4-702(2) and (3).)
Qualified written cybersecurity programs must:
- Be designed to protect the personal information’s security, confidentiality, and integrity against anticipated threats or a breach of system security.
- Reflect an appropriate scale and scope, given:
- the organization’s size and complexity;
- the nature and scope of its activities;
- the sensitivity of the protected information;
- the cost and availability of tools to improve information security and reduce vulnerabilities; and
- the organization’s available resources.
- Reasonably conform to a recognized cybersecurity framework.
(Utah Code § 78B-4-702(4).)
Under the law, an organization reasonably conforms to a recognized cybersecurity framework if it designs its written cybersecurity program to protect the type of personal information the breach compromised, and the program meets one of the following:
- It is a reasonable cybersecurity program under the law, meaning the organization:
- designates an employee to coordinate a program that provides the required safeguards;
- adopts practices and procedures to detect, prevent, and respond to system security breaches;
- trains and manages employees on the program;
- conducts specified risk assessments to test and monitor the program; and
- updates the program as circumstances change.
- It reasonably conforms to the current version of any of the following industry standards, with one year to reasonably comply after a revision:
(See Guidance and Resources, above.)
- It reasonably complies with federal or state law that regulates the compromised information, with a reasonable time to reasonably comply after amendment, specifically:
- the HIPAA Security Rule and the HITECH Act;
- the GLBA;
- FISMA;
- the Utah Protection of Personal Information Act; or
- other applicable state or federal law.
(Utah Code §§ 78B-4-702(4)(b) and 78B-4-703.)
The affirmative defense is not available to organizations with actual notice of security threats or hazards that fail to adopt responsive remedial measures in a reasonable time (Utah Code § 78B-4-702(5)(a)).
State Comprehensive Consumer Data Privacy Laws with Data Security Requirements
Since California enacted the California Consumer Privacy Act (CCPA), other states have followed, enacting their own comprehensive consumer data privacy laws. The laws, which typically include a data security requirement as listed, often have limited applicability based on varying factors, including different numbers of affected consumers and revenue thresholds and entity and data type exclusions.
- California: California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act of 2020 (collectively CCPA), Cal. Civ. Code Ann. § 1798.100(e)
- Colorado: Colorado Privacy Act, Colo. Rev. Stat. Ann. § 6-1-1308(5)
- Connecticut: Connecticut Personal Data Privacy and Online Monitoring Act, Conn. Gen. Stat. Ann. § 42-520(a)(3)
- Florida (effective July 1, 2024): Florida Digital Bill of Rights, § 501.71(1)(b), Fla. Stat. (eff. July 1, 2024)
- Indiana (effective January 1, 2026): An Act to amend the Indiana Code concerning trade regulation; Article 15. Consumer Data Protection, Ind. Code § 24-15-4-1(3) (under SB 5, eff. Jan. 1, 2026)
- Iowa (effective January 1, 2025): Iowa Consumer Data Protection Act, Iowa Code Ann. § 715D.4(1) (under SF 262, eff. Jan. 1, 2025)
- Montana (effective October 1, 2024): Montana Consumer Data Privacy Act, 2023 Montana Laws Ch. 681 (S.B. 384), § 7(1)(b) (eff. Oct. 1, 2024)
- Oregon (effective July 1, 2024): Oregon Consumer Privacy Act, § (5)(c), SB 619 (eff. July 1, 2024)
- Tennessee (effective July 1, 2025): Tennessee Information Protection Act, 2023 Tennessee Laws Pub. Ch. 408 (H.B. 1181), § 2 (eff. July 1, 2025)
- Texas (effective July 1, 2024): Texas Data Privacy and Security Act, 2023 Tex. Sess. Law Serv. Ch. 995 (H.B. 4) (eff. July 1, 2024)
- Utah (effective December 31, 2023): Utah Consumer Privacy Act, Utah Code § 13-61-302(2)
- Virginia: Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-578(A)(3)
Interaction with Federal and Other State Laws
This Note does not address sector-specific obligations that some states apply to particular industries or businesses, such as financial services, health care, insurance, educational service providers, and state contractors. However, state data security laws often carve out compliance exemptions for organizations subject to data security requirements imposed by other federal or state regulations, such as:
- The GLBA.
- HIPAA.
- Other federal or state laws that require greater protection than the state’s general data security statute.
Little guidance exists regarding what constitutes “greater protection” in data security laws. Commonly cited examples include regulatory regimes that, like the GLBA or HIPAA, specify particular administrative, physical, and technical safeguards or other information security program elements. Industry standards for data security typically include similar elements; for more details, see Guidance and Resources, above.
State compliance exemptions include:
Alabama
(Ala. Code §§ 8-38-11 and 8-38-12)
Exemption applies to those regulated by or subject to any federal or state law, rule, regulation, procedure, or guidance on data breach notification, enforced by a federal or state government, that is at least as thorough as Alabama’s law, so long as the organization:
- Maintains the required procedures.
- Provides notice to affected Alabama residents pursuant to the notice requirements of those laws, rules, regulations, procedures, or guidance.
- Timely provides a copy of notice to the attorney general when the required number of notifications to Alabama residents exceeds 1,000.
Arkansas
(Ark. Code Ann. § 4-110-106(a))
Exemption applies to those regulated by any federal or state law that provides both:
- Greater protection to personal information.
- At least as thorough data breach disclosure requirements.
Arkansas deems compliance with the federal or state law to be compliance with its data security requirements.
California
(Cal. Civ. Code § 1798.81.5(e))
California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (collectively CCPA) (Cal. Civ. Code § 1798.145)
California’s general data security law (Cal. Civ. Code § 1798.81.5) provides exceptions to its general data security requirements for covered entities subject to:
- HIPAA.
- California’s Confidentiality of Medical Information Act.
- The California Financial Information Privacy Act.
- The confidentiality requirements of the California Vehicle Code when obtaining information under an applicable agreement.
- Other state or federal laws that provide greater protection to personal information.
California deems compliance with the federal or state law to be compliance with the data security requirements.
The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively CCPA), includes a variety of exemptions based on the type of entity and the relevant personal information.
Colorado
(Colo. Rev. Stat. Ann. § 6-1-713.5(4))
Colorado Privacy Act (CPA) (Colo. Rev. Stat. Ann. § 6-1-1304(2))
Colorado’s general data security law (Colo. Rev. Stat. Ann. § 6-1-713.5) deems a covered entity in compliance with its data security requirements if the covered entity both:
- Is regulated by state or federal law.
- Maintains procedures for protecting personal information pursuant to the laws, rules, regulations, guidance, or guidelines established by its state or federal regulator.
The Colorado Privacy Act (Colo. Rev. Stat. Ann. § 6-1-1304(2)) provides exemptions for:
- HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
- Certain data processed for public health and safety research.
- A national securities association registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act.
- Air carriers as defined in 49 U.S.C. § 40102.
- Financial institutions or data subject to the GLBA.
- Certain activities regulated under the Fair Credit Reporting Act (FCRA).
- Data regulated under:
- the Driver’s Privacy Protection Act (18 U.S.C. § 2721) (DPPA);
- the Family Educational Rights and Privacy Act (FERPA); or
- the Children’s Online Privacy Protection Act of 1998 (COPPA).
- Data maintained:
- for employment purposes; or
- by a public utility, with some restrictions.
Connecticut
(Conn. Gen. Stat. Ann. § 42-471(g))
Connecticut Data Privacy Act (Conn. Gen. Stat. Ann. § 42-517)
Connecticut’s general data security law (Conn. Gen. Stat. Ann. § 42-471(g)) exempts state entities and deems a financial institution’s compliance with the GLBA’s security requirements to be compliance with its data security requirements.
The Connecticut Data Privacy Act (Conn. Gen. Stat. Ann. §§ 42-515 to 42-525) provides exemptions for:
- HIPAA covered entities and business associates, HIPAA-defined personal health data, and other specified health data and derivatives.
- Certain data processed for public health and safety research.
- Nonprofit organizations.
- Higher education institutions.
- A national securities association registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act.
- Financial institutions or data subject to the GLBA.
- Certain activities regulated under the FCRA.
- Air carriers as regulated under the Federal Aviation Act of 1958 and the Airline Deregulation Act of 1978 and certain data they collect, process, or disclose (effective Oct. 1, 2023).
- Data regulated under:
- the Driver’s Privacy Protection Act;
- FERPA; or
- the Farm Credit Act (12 U.S.C. §§ 2001-2279cc).
- Certain data maintained in the employment context.
District of Columbia
(D.C. Code § 28-3852a)
District of Columbia law deems a person or entity in compliance with its data security requirements if they are subject to and comply with:
- The GLBA.
- HIPAA.
- The HITECH Act.
Florida
Florida’s general data security law does not include exemptions to the data security requirement (§ 501.171(2)).
Florida Digital Bill of Rights
(§§ 501.703 and 501.704, Fla. Stat.) (effective July 1, 2024)
Effective July 1, 2024, the Florida Digital Bill of Rights does not apply to:
- HIPAA covered entities and business associates, HIPAA-defined personal health data, and other specified health data and derivatives.
- Certain data processed for public health and safety research.
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).
- Nonprofit organizations.
- Higher education institutions.
- Personal data processing only for:
- purely personal or household activities; or
- measuring or reporting advertising performance, reach, or frequency.
- Certain activities regulated under the FCRA.
- Certain personal data collected, processed, or disclosed by air carriers subject to the Airline Deregulation Act of 1978.
- Personal data regulated under:
- the Driver’s Privacy Protection Act;
- FERPA; or
- the Farm Credit Act.
- Certain data maintained in the employment context.
- Data collected and transmitted to financial providers for the sole purpose of customer payment processing.
- Data shared between physical product manufacturers and authorized third-party distributors or vendors if solely for the purpose of advertising, marketing, or servicing the product.
Illinois
(815 ILCS 530/45)
Illinois deems an organization to be in compliance with its data security requirements if it is subject to and in compliance with:
- A federal or state law that requires greater protection for records that contain personal information.
- The GLBA.
Indiana
(Ind. Code § 24-4.9-3-3.5)
Indiana SB 5 (effective Jan. 1, 2026)
Indiana’s general data security law provides exemptions for those maintaining and complying with an information privacy or security policy or compliance plan under:
- The GLBA.
- HIPAA.
- FCRA.
- The Driver’s Privacy Protection Act.
- The Financial Modernization Act of 1999.
- The USA PATRIOT Act (P.L. 107-56).
- Executive Order 13224, which freezes property of and blocks transactions with terrorism supporters.
The applicable policy or plan must require the organization to maintain reasonable security measures to protect Indiana residents’ personal information.
The general data security statute also applies to current and former health care providers who are, or were, database owners exempt from the law if the database owner does not have or implement a plan to safeguard personal information after ceasing to be a covered entity under HIPAA.
Effective January 1, 2026 under SB 5, Indiana’s consumer data protection law exempts:
- HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
- Certain personal data processed for public health and safety research.
- Nonprofit organizations.
- Higher education institutions.
- Public utilities and associates.
- Financial institutions, affiliates, or data subject to the GLBA.
- Certain activities regulated under the FCRA.
- Data regulated under:
- the Driver’s Privacy Protection Act;
- FERPA; or
- the Farm Credit Act.
- Certain data maintained in the employment context.
Iowa
No general data security law.
Iowa Consumer Data Protection Act (Iowa SF 262) (Iowa Code Ann. § 715D.2) (effective Jan. 1, 2025)
Effective January 1, 2025 under SF 262, the Iowa Consumer Data Protection Act exempts:
- HIPAA covered entities and business associates, HIPAA-defined protected health information and certain related data, and certain personal data as defined under substance use disorder, clinical research, and other specified health care-related laws and regulations.
- Certain personal data processed for public health and safety research.
- Nonprofit organizations.
- Higher education institutions.
- Financial institutions, affiliates, or data subject to the GLBA.
- Certain activities regulated under the FCRA.
- Personal data regulated under:
- the Driver’s Privacy Protection Act;
- FERPA; or
- the Farm Credit Act.
- Certain data maintained in the employment context.
- Data used in accordance with COPPA.
- Data used by a person in the course of purely personal or household activity.
Kansas
(K.S.A. 50-6,139b)
Kansas deems an organization to be in compliance with its data security requirements if the organization’s personal information protection procedures and practices are subject to other state or federal law and the organization complies with that law.
Maryland
(Md. Code Ann., Com. Law § 14-3507)
Maryland deems a business to be in compliance with its statute if:
- It complies with data security obligations to protect personal information established by its primary or functional federal or state regulator.
- It is subject to and in compliance with:
- HIPAA;
- the GLBA;
- the Fair and Accurate Credit Transactions Act (FACTA); and
- the federal Interagency Guidelines Establishing Information Security Standards.
Montana
Montana Consumer Data Privacy Act
(2023 MT S.B. 384, § 4) (effective Oct. 1, 2024)
Effective October 1, 2024, the Montana Consumer Data Privacy Act exempts:
- HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
- A national securities association registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act.
- Nonprofit organizations.
- Higher education institutions.
- Financial institutions and personal data regulated under the GLBA.
- Certain activities regulated under the FCRA.
- Certain personal data collected, processed, or disclosed by air carriers subject to the Airline Deregulation Act of 1978.
- Personal data regulated under:
- the Driver’s Privacy Protection Act;
- FERPA; or
- the Farm Credit Act.
- Certain data maintained in the employment context.
Nebraska
(Neb. Rev. St. § 87-808(3))
Exemption applies to those subject to and in compliance with:
- A federal or state law that provides greater protection to personal information.
- The GLBA.
- HIPAA.
Nevada
(NRS 603A.210(3))
Nevada deems an organization to be in compliance with its data security requirements if it is subject to and complies with a federal or state law that requires greater protection for personal information.
New Mexico
(NMSA 1978, § 57-12C-8)
Exemption applies to those subject to:
New York
(N.Y. Gen. Bus. Law § 899-bb)
Exemption applies to those subject to and in compliance with:
- The GLBA.
- HIPAA.
- The NYDFS Cybersecurity Regulations.
- Other federal or New York administered data security regulations.
Oregon
(Or. Rev. Stat. § 646A.622(2))
Oregon Consumer Privacy Act (§ 2, SB 619) (effective July 1, 2024)
Oregon’s general data security law provides exceptions for those subject to and in compliance with:
- Any federal or state law that provides greater protection to personal information.
- The GLBA.
- HIPAA.
Effective July 1, 2024, the Oregon Consumer Privacy Act (SB 619) exempts the following:
- HIPAA covered entities and business associates, HIPAA-defined personal health data, and other specified health data and derivatives.
- Certain personal data processed for public health and safety research.
- Public corporations and bodies as defined at Or. Rev. Stat. § 174.109.
- Nonprofits established to detect and prevent fraudulent acts in connection with insurance.
- Insurers, insurance producers, insurance consultants, and others regulated under Oregon insurance law.
- Financial institutions and personal data regulated under the GLBA.
- Financial institutions as defined by Oregon’s Bank Act at Or. Rev. Stat. § 706.008 and certain affiliates.
- Certain activities regulated under the FCRA.
- Certain personal data collected, processed, or disclosed by air carriers subject to the Airline Deregulation Act of 1978.
- Noncommercial activity of:
- reporters, publishers, or other persons connected with a newspaper or magazine;
- press associations or wire services; or
- radio or TV stations licensed by the Federal Communications Commission, or nonprofits that provide their programming.
- Personal data regulated under:
- the Driver’s Privacy Protection Act; or
- FERPA.
- Certain data processed in the employment context.
Rhode Island
(R.I. Gen. Laws § 11-49.3-6)
Exemption applies to those:
- Subject to, examined for, and found to be in compliance with the Federal Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
- Governed by HIPAA.
Tennessee
Tennessee Information Protection Act
(2023 Tennessee Laws Pub. Ch. 408 (H.B. 1181), § 2) (eff. July 1, 2025)
Effective July 1, 2025, the Tennessee Information Protection Act exempts:
- HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
- Certain personal data processed for public health and safety research.
- Nonprofit organizations.
- Higher education institutions.
- Entities that are licensed in Tennessee as insurance companies that transact insurance business and state-licensed insurance producers.
- Financial institutions and personal information regulated under the GLBA.
- Certain activities regulated under the FCRA.
- Information maintained for purposes of complying with the Controlled Substances Act.
- Personal data regulated under:
- the Driver’s Privacy Protection Act;
- FERPA; or
- the Farm Credit Act.
- Certain data maintained in the employment context.
Texas
(Tex. Bus. & Com. Code Ann. § 521.052(c))
Texas Data Privacy and Security Act
(Texas Bus. & Com. Code Ann. §§ 541.002 and 541.003) (effective July 1, 2024)
The Texas general data security law (Tex. Bus. & Com. Code Ann. § 521.052(c)) exempts financial institutions that are subject to the GLBA.
Effective July 1, 2024, under HB 4 the Texas Data Privacy and Security Act (Texas Bus. & Com. Code Ann. § 541.101(2)) exempts:
- HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
- Certain personal data processed for public health and safety research.
- Nonprofit organizations.
- Higher education institutions.
- Electric utilities, power generation companies, and retail electric providers, as defined by the Texas Utilities Code (V.T.C.A., Utilities Code § 31.002).
- Financial institutions and personal data regulated under the GLBA.
- Certain activities regulated under the FCRA.
- Personal data regulated under:
- the Driver’s Privacy Protection Act;
- FERPA; and
- the Farm Credit Act.
- Emergency contact information, if maintained or processed solely for emergency contact purposes.
- Information processed or maintained to administer benefits.
- Certain data maintained in the employment context.
Utah
(Utah Code § 13-44-103)
Utah Consumer Privacy Act
(Utah Code § 13-61-102(2)) (effective December 31, 2023)
Utah’s general data security law (Utah Code § 13-44-103) exempts financial institutions that are subject to the GLBA.
Effective December 31, 2023, the Utah Consumer Privacy Act (Utah Code § 13-61-102(2)) exempts:
- HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
- Certain personal data processed for public health and safety research.
- Nonprofit organizations.
- Air carriers.
- Financial institutions and personal data regulated under the GLBA.
- Certain activities regulated under the FCRA.
- Personal data regulated under:
- the Driver’s Privacy Protection Act;
- FERPA; or
- the Farm Credit Act.
- Certain data maintained in the employment context.
Virginia
No general data security law.
Virginia Consumer Data Protection Act
(Va. Code Ann. § 59.1-576(B))
The Virginia Consumer Data Protection Act (Va. Code Ann. §§ 59.1-575 to 59.1-584) does not apply to:
- HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
- Certain personal data processed for public health and safety research.
- Nonprofit organizations.
- Higher education institutions.
- Financial institutions and personal data regulated under the GLBA.
- Certain activities regulated under the FCRA.
- Personal data regulated under:
- the Driver’s Privacy Protection Act;
- FERPA; or
- the Farm Credit Act.
- Certain data maintained in the employment context.
Enforcement and Penalties
Most states authorize their attorney general to enforce data security obligations. Oregon specifically tasks its Director of the Department of Consumer and Business Services with enforcing its data security law (Or. Rev. Stat. § 646A.624).
California provides a private cause of action for individuals to seek damages arising from a failure to properly protect personal information (Cal. Civ. Code § 1798.84). The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA) also grants a private right of action with statutory damages for unauthorized or illegal access, destruction, use, modification, or disclosure of a California resident’s unencrypted and unredacted personal information due to a business’s failure to implement and maintain reasonable security measures (Cal. Civ. Code § 1798.150).
States that do not explicitly empower their attorney general to enforce data security laws typically deem violations to be unlawful or deceptive business practices under their consumer protection laws.
Remedies generally available for violations of state data security laws include:
- Injunctions to prevent further violations.
- Monetary penalties, including consumer compensation.
- Reasonable costs.
States’ monetary penalties range from a few hundred to a few thousand dollars per violation and may increase based on culpability. Some states cap total penalties at the consumer or aggregate level. For example, Utah caps its civil penalties at $2,500 for violations related to a specific consumer and $100,000 in aggregate. However, penalties can exceed $100,000 when violations affect 10,000 or more residents, or when the violator accepts a settlement agreement. (Utah Code § 13-44-301.) Oregon sets an upper limit at $500,000 for a particular occurrence (Or. Rev. Stat. § 646A.624).
Organizations must also consider the other potential costs that may accompany a data security enforcement action, such as:
- Negative publicity.
- Loss of customer confidence.
- Diminished market credibility.
- Current or future contract obligations regarding data security practices.
- Cyber insurance rates and availability.
- Litigation risks in states, such as California, that provide a private cause of action, and in other states under consumer protection laws or privacy-related torts.
Choosing to Develop, Implement, and Maintain a WISP
Organizations should consider developing, implementing, and maintaining a WISP as a best practice, even if they are not strictly required to do so or their legal obligations extend only to certain jurisdictions.
A well-developed and maintained WISP can provide benefits, such as:
- Prompting the organization to proactively assess its cybersecurity risks and implement measures to protect personal and other sensitive information.
- Educating employees and other stakeholders about the actions they need to take to protect personal and other sensitive information.
- Helping to communicate data security expectations and practices to leadership, customers, and other interested parties, including regulators.
- Establishing that the organization takes reasonable steps to protect personal and other sensitive information, especially if a security incident occurs and results in litigation or enforcement action.
When choosing whether to implement a WISP, an organization should consider:
- The size, scope, and type of its business or other activities.
- Its information collection and use practices, including the amount and types of personal and other sensitive information it maintains.
- The need to secure both customer and employee personal information.
- Specific applicable legal requirements, which may depend on, among other things:
- the nature and industry of the business or organization;
- the type of information collected and maintained; and
- the geographic footprint of the business, including the states where the organization’s customers and employees reside.
- The resources available to implement and maintain an information security program.