
GPSolo eReport August 2023

State Data Security Laws: An Overview

Summary

  • This article provides an overview of state laws, including in the District of Columbia, that require those collecting, using, or managing personal information to take proactive data security measures.
  • This article addresses laws that call for reasonable data security measures and those that include more specific information security requirements, such as developing, implementing, and maintaining a written information security program (WISP).
  • This article also addresses laws that impose specific requirements on connected devices and the Internet of things (IoT), those that provide incentives for complying with security programs, and state comprehensive consumer data privacy laws.

This article provides an overview of state laws, including those in the District of Columbia, that require those collecting, using, or managing personal information to take proactive data security measures. This article addresses laws that call for reasonable data security measures; those that include more specific information security requirements, such as developing, implementing, and maintaining a written information security program (WISP); those that impose specific requirements on connected devices and the Internet of things (IoT); those that provide incentives for organizations that comply with a reasonable, written information security program; and those that are included in state comprehensive consumer data privacy laws.

Introduction

All states have enacted laws that require those collecting, using, or managing personal information to notify affected individuals and, in some cases, regulators, the media, and others, if a data breach occurs. A smaller but growing group of states requires organizations to take proactive data security measures to protect personal information from unauthorized acquisition, use, or disclosure.

State data security laws typically fall into one or more of several categories:

  • General laws that require organizations to take broadly stated reasonable data security measures to protect personal information (see States that Require Reasonable Data Security Measures, below).
  • Prescriptive laws that require organizations to develop, implement, and maintain specific data security measures and, in some cases, a comprehensive information security program (see States with Specific Data Security Requirements, below).
  • Connected devices laws that impose specific data security requirements on certain Internet-connected devices and the Internet of things (IoT) (see States with Data Security Requirements for Connected Devices and the IoT, below).
  • Incentives laws that provide an affirmative defense against certain claims or other relief to organizations that implement and comply with a reasonable, written information security program (see States That Provide Incentives for Compliance with Data Security Programs, below).
  • Comprehensive consumer data privacy laws that impose data security obligations on covered entities (see State Comprehensive Consumer Data Privacy Laws with Data Security Requirements, below).

Most states have enacted laws dictating data disposal requirements that apply when an organization no longer retains personal information or media containing it. Many states also impose specific restrictions to protect Social Security numbers.

Some states have additional laws that impose data security requirements on specific industries or businesses, such as financial services, health care, insurance, Internet service providers, educational service providers, and state contractors. Those sector-specific obligations and laws specific to state agencies are beyond this article’s scope.

States That Require Reasonable Data Security Measures

Reasonableness in data security is fluid by necessity, given the rapid pace of change in information technology and cyber threats. Context also determines whether an organization’s practices are reasonable, according to the sensitivity of the data it collects and the costs of securing the data against particular threats. Industry standards and regulatory guidance explain core program elements and typical safeguards. For details on industry standards and reasonable measures, see Guidance and Resources, below.

State laws imposing reasonable data security measures generally require organizations, often including state agencies, to take steps to protect personal information from unauthorized:

  • Access.
  • Acquisition.
  • Destruction.
  • Disclosure.
  • Modification.
  • Use.

States with generally applicable laws requiring reasonable data security measures include:

  • Alabama: Ala. Code § 8-38-3
  • Arkansas: Ark. Code Ann. § 4-110-104(b)
  • California: Cal. Civ. Code § 1798.81.5
  • Colorado: Colo. Rev. Stat. Ann. § 6-1-713.5
  • Connecticut: Conn. Gen. Stat. Ann. § 42-471(a)
  • Delaware: 6 Del. C. § 12B-100
  • District of Columbia: D.C. Code § 28-3852a
  • Florida: § 501.171(2), Fla. Stat.
  • Illinois: 815 ILCS 530/45
  • Indiana: Ind. Code § 24-4.9-3-3.5
  • Kansas: K.S.A. 50-6,139b
  • Louisiana: La. R.S. 51:3074(A)
  • Maryland: Md. Code Ann., Com. Law § 14-3503
  • Nebraska: Neb. Rev. St. §§ 87-801 through 87-808
  • Nevada: NRS 603A.210 and 603A.215
  • New Mexico: NMSA 1978, §§ 57-12C-4, 57-12C-5
  • New York: N.Y. Gen. Bus. Law § 899-bb(2)
  • Oregon: Or. Rev. Stat. § 646A.622
  • Rhode Island: R.I. Gen. Laws § 11-49.3-2
  • Texas: Tex. Bus. & Com. Code Ann. § 521.052(a)
  • Utah: Utah Code § 13-44-201(1)(a)

The definition of personal information varies by state. Some states combine proactive data security laws with their data breach notification statutes, using the same definition for personal information. Others, like California, use overlapping definitions. At a minimum, state laws typically protect information that:

  • May create significant risk of identity theft, fraud, or other consumer harm if compromised.
  • Includes an individual’s first name or initial and last name, when one or more additional data elements is present, such as:
    • Social Security number;
    • driver’s license or state identification card number; or
    • financial account, credit card, or debit card number in combination with any required security code, access code, or password that permits access to an individual’s account.

Many state-level comprehensive consumer data privacy laws include data security requirements (see State Comprehensive Consumer Data Privacy Laws with Data Security Requirements, below).

Some states also explicitly require organizations that disclose personal information to third parties, such as service providers, to require the third parties to maintain reasonable security procedures. For example:

  • Ala. Code 1975, § 8-38-3.
  • Cal. Civ. Code § 1798.81.5.
  • Colo. Rev. Stat. Ann. § 6-1-713.5.
  • D.C. Code § 28-3852a.
  • Md. Code Ann., Com. Law § 14-3503.
  • NMSA 1978, § 57-12C-5.
  • Neb. Rev. St. § 87-808(2)(a).
  • N.Y. Gen. Bus. Law § 899-bb(2)(b)(ii)(A)(5).
  • Or. Rev. Stat. § 646A.622(2)(d).

Reasonableness Standard: Pros and Cons

Adopting a flexible reasonableness standard for data security offers advantages to regulators and regulated parties, including:

  • Maintaining a consistent level of expectations under the law, even as technologies and risks change.
  • Clarifying that no single cybersecurity strategy or set of controls works effectively in all situations.
  • Avoiding static requirements that may become outdated or create additional risks as technologies and threats change.
  • Encouraging organizations to take a broad, risk-based approach to dynamic cybersecurity issues rather than focusing narrowly on compliance.
  • Providing organizations with options based on their size, complexity, and the nature of their activities and the data they collect and use.

However, the reasonableness standard also presents challenges for many organizations and their counsel. For example, those with less cybersecurity awareness or expertise may require more specific guidance. Federal and state regulators and industry groups help bridge these gaps with a variety of guidance and resources.

Guidance and Resources

Federal and state regulators and industry groups provide various resources to help organizations understand and maintain reasonable data security practices. Some notable examples include:

  • Federal Trade Commission (FTC) publications and enforcement actions. The FTC uses a reasonableness standard to assess companies’ data security measures under its authority over unfair or deceptive trade practices in Section 5 of the FTC Act (15 U.S.C. § 45). Decades of FTC complaints and consent decrees provide insight into the agency’s general expectations. FTC publications, such as Protecting Personal Information: A Guide for Business, explain basic information security program elements. The FTC has also issued guidance on securing connected devices, such as Careful Connections: Keeping the Internet of Things Secure.
  • California Attorney General (CAG) publications. The CAG established a floor of expectations for reasonable data security practices in 2016’s Data Breach Report 2012–2015. Specifically, the CAG deems organizations that fail to implement minimum information security measures, as defined by the Center for Internet Security’s CIS Controls, to lack reasonable security.
  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework. NIST’s increasingly recognized and widely adopted Cybersecurity Framework:
    • provides a risk-based approach that organizations of any size can use to develop a comprehensive information security program; and
    • collects and cross-references other commonly accepted information security standards, including the CIS Controls, ISO/IEC 27001, and others.
  • The Payment Card Industry Data Security Standard (PCI DSS). These standards include a minimum set of information security controls that apply to merchants and others that store, transmit, or process payment card data.
  • Sector-specific data security standards and regulations. Federal and state sector-specific laws and regulations include obligations to protect various forms of sensitive personal information. Organizations can use these standards to guide their data security programs, adjusted accordingly for their particular risks. Some examples include:
    • federal regulations under the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA); and
    • the New York Department of Financial Services (NYDFS) Cybersecurity Regulations for Financial Services Companies (23 NYCRR 500.0 through 500.23).

Organizations should also consider developing, implementing, and maintaining a comprehensive written information security program (WISP), even if applicable laws do not strictly require them to do so or their legal obligations extend only to certain jurisdictions. A WISP can:

  • Help demonstrate the organization’s commitment to reasonable data security measures.
  • Document and drive the organization’s ongoing information security program.

For more information on creating a WISP and its potential value, see Choosing to Develop, Implement, and Maintain a WISP, below.

States with Specific Data Security Requirements

Some states impose additional data security requirements or prescribe specific program approaches for organizations that collect, use, or manage their residents’ personal information. These states’ requirements often resemble those in the federal Safeguards Rule, promulgated under the GLBA. States with these more specifically stated data security obligations include:

  • Alabama, which requires organizations to consider specific factors when implementing and maintaining reasonable security measures, according to their characteristics and activities (see section on Alabama, below).
  • California, which requires connected device manufacturers to take steps to ensure the security of devices and the information they contain (see section on California, below).
  • Massachusetts, which mandates some of the most stringent information security program requirements, including development, implementation, and maintenance of a comprehensive WISP (see section on Massachusetts, below).
  • Nevada, which:
    • imposes additional requirements, including data encryption, under certain circumstances based on whether an organization accepts payment card transactions; and
    • requires government agencies that maintain personally identifying information about residents of the state to comply with specific security best practices (see section on Nevada, below).
  • New York, which requires reasonable safeguards that either:
    • comply with another recognized data security regime; or
    • include specific program elements (see section on New York, below).
  • Oregon, which requires:
    • reasonable data security measures, including specific administrative, physical, and technical safeguards (see section on Oregon, below); and
    • connected device manufacturers to equip devices with reasonable security features (see States with Data Security Requirements for Connected Devices and the IoT, below, under Oregon).
  • Rhode Island, which calls on organizations to implement and maintain a risk-based information security program, according to their characteristics and activities (see section on Rhode Island, below).

Alabama

Alabama’s data security law requires organizations to:

  • Implement and maintain reasonable security measures that protect personal information and are appropriate to:
    • their size;
    • the amount of personal information they store;
    • their activities; and
    • the cost to implement and maintain security measures relative to their resources.
  • Consider:
    • designating one or more employees or a manager or owner to coordinate their information security measures;
    • identifying internal and external security risks;
    • adopting appropriate safeguards and assessing their effectiveness;
    • contractually requiring service providers to maintain appropriate safeguards;
    • evaluating and adjusting their security measures to account for changes in circumstances; and
    • keeping their management informed of their security measures’ overall status.

(Ala. Code § 8-38-3.)

Massachusetts

Massachusetts was the first state to implement heightened data security standards. The law applies to anyone who owns or licenses its residents’ personal information. Under the Massachusetts data security regulations, covered entities must:

  • Adopt a comprehensive WISP that is appropriate to:
    • the size, scope, and type of their business;
    • their available resources;
    • the amount of personal data they store; and
    • the need for security and confidentiality of both consumer and employee information.
  • Address core program elements in their WISPs, including their approach for:
    • designating one or more employees to maintain the program;
    • assessing and managing risks;
    • developing information security policies;
    • implementing and maintaining administrative, physical, and technical safeguards;
    • overseeing service providers;
    • monitoring the program’s effectiveness;
    • managing and documenting their response to cyber incidents;
    • establishing sanctions for program violations; and
    • reviewing the program at least annually or whenever there is a material change in business practices that may affect the program.
  • Include minimum safeguards, to the extent technically feasible, such as:
    • secure user authentication protocols;
    • secure access control measures;
    • encryption for data transmitted wirelessly or across public networks or stored on mobile devices;
    • reasonable system monitoring; and
    • current firewall protection and system patches for Internet-connected systems.

(M.G.L. c. 93H, § 2; 201 Code Mass. Regs. 17.01-05.)

Nevada

Nevada requires organizations that handle personal information to adopt reasonable data security measures (NRS 603A.210). It applies additional requirements based on whether the data collector accepts payment card transactions, such as credit card payments for goods or services.

Specifically:

  • If the organization accepts payment card transactions, it must comply with PCI DSS (see Guidance and Resources, above).
  • If the organization does not accept payment card transactions, it must encrypt any personal data that it:
    • transmits outside its secure environment; or
    • moves outside its secure environment or that of its service providers on a mobile or other storage device.
  • The extended requirements do not apply to:
    • telecommunications service providers acting as a data conduit; or
    • private channel communications related to payment processing and some forms of fraud and account management reporting.

(NRS 603A.215.)

Nevada provides liability relief for organizations that experience a data breach, if:

  • they comply with its data security requirements; and
  • the breach did not result from the gross negligence or intentional misconduct of the organization or its officers, employees, or agents.

(NRS 603A.215.)

Nevada law requires government agencies that collect residents’ personal information to comply with the CIS Controls or NIST standards regarding:

  • Collection.
  • Disclosure.
  • Maintenance.

(NRS 603A.210(2); see Guidance and Resources, above.)

New York

New York requires organizations that handle personal information to adopt reasonable security measures to protect data security, confidentiality, and integrity (N.Y. Gen. Bus. Law § 899-bb(2)). New York also requires organizations to either:

  • Comply with another recognized data security regime (see Guidance and Resources, above), such as:
    • the GLBA or HIPAA regulations;
    • the NYDFS Cybersecurity Regulations; or
    • other federal or New York administered regulations.
  • Implement reasonable safeguards, specifically:
    • administrative safeguards, including designating a security coordinator, assessing risks and safeguards, training employees, performing service provider due diligence and imposing contract obligations, and adjusting their programs as circumstances change;
    • physical safeguards, including assessing information storage and disposal risks, detecting, preventing, and responding to intrusions, and supporting reasonable data retention and secure data collection, transportation, and disposal practices; and
    • technical safeguards, including assessing risks in various technical areas, detecting, preventing, and responding to attacks or system failures, and regularly testing key controls, systems, and procedures.

New York’s approach offers some relief for small businesses. Specifically, New York:

  • Defines small businesses as those with:
    • fewer than 50 employees;
    • less than $3 million in gross annual revenue in each of the last three fiscal years; or
    • less than $5 million in year-end total assets.
  • Allows them to implement safeguards and other measures that are appropriate for:
    • their size and complexity;
    • the nature and scope of their business activities; and
    • the sensitivity of the personal information they collect from or about consumers.

Oregon

Oregon requires organizations that handle personal information to adopt reasonable data security measures to protect the data’s security, confidentiality, and integrity (Or. Rev. Stat. § 646A.622). Oregon also lists particular safeguards required to comply with its statute. Organizations must implement an information security program that specifically includes:

  • Administrative safeguards, such as:
    • designating one or more employees to coordinate the security program;
    • identifying reasonably foreseeable internal and external risks with reasonable regularity;
    • assessing whether existing safeguards adequately control identified risks;
    • training and managing employees in security program practices and procedures with reasonable regularity;
    • selecting service providers capable of maintaining appropriate safeguards and practices, and contractually requiring the service providers to maintain them;
    • adjusting the security program in light of business changes, potential threats, or new circumstances; and
    • reviewing user access privileges with reasonable regularity.
  • Technical safeguards, such as:
    • assessing risks and vulnerabilities in network and software design and taking reasonably timely action to address them;
    • applying security updates and a reasonable security patch management program to vulnerable software;
    • monitoring, detecting, preventing, and responding to attacks or system failures; and
    • regularly testing, monitoring, and taking action to address the effectiveness of key controls, systems, and procedures.
  • Physical safeguards, such as:
    • assessing, in light of current technology, risks of information collection, storage, usage, retention, access, and disposal, and implementing reasonable methods to remedy or mitigate identified risks;
    • monitoring, detecting, preventing, isolating, and responding to intrusions timely and with reasonable regularity;
    • protecting against unauthorized access to or use of personal information during or after collecting, using, storing, transporting, retaining, destroying, or disposing of it; and
    • disposing of personal information, whether the organization disposes of the personal information on or off its premises or property, that the organization no longer needs for business purposes or as required by local, state, or federal law by burning, pulverizing, shredding, or modifying physical records and by destroying or erasing electronic media so that the information cannot be read or reconstructed.

(Or. Rev. Stat. § 646A.622(2).)

Oregon offers relief for small businesses with 100 or fewer employees by allowing them to implement safeguards and other measures that are appropriate for:

  • Their size and complexity.
  • The nature and scope of their business activities.
  • The sensitivity of the personal information they collect from or about consumers.

(Or. Rev. Stat. § 646A.622(5).)

Oregon provides organizations that comply with GLBA or HIPAA data security safeguards an affirmative defense in actions alleging that the organization failed to implement reasonable data security measures (Or. Rev. Stat. § 646A.622(4)).

Oregon also imposes specific data security obligations on connected devices and the Internet of things (IoT) (see States with Data Security Requirements for Connected Devices and the IoT, below, under Oregon).

Rhode Island

Rhode Island’s data security law focuses on risk management and requires organizations to:

  • Implement and maintain a risk-based information security program with reasonable security procedures and practices that protect personal information and are appropriate to:
    • the organization’s size and scope;
    • the nature of the personal information; and
    • the purposes for which the organization collected the personal information.
  • Retain personal information for no longer than the organization reasonably requires:
    • to provide requested services;
    • to meet the purposes for which the personal information was collected;
    • under a written retention policy; or
    • by law.
  • Use secure methods to destroy personal information.
  • Contractually require any nonaffiliated third party to which an organization discloses personal information to implement and maintain similar reasonable security procedures and practices.

(R.I. Gen. Laws § 11-49.3-2.)

States with Data Security Requirements for Connected Devices and the IoT

Some states impose specific data security requirements on Internet-connected devices and the Internet of things (IoT), including California (Cal. Civ. Code § 1798.91.04) and Oregon (Or. Rev. Stat. § 646A.813). Other states are considering similar legislation.

California

Under Cal. Civ. Code § 1798.91.04, connected device manufacturers must:

  • Equip devices that they sell or offer for sale in California with reasonable security features that are:
    • appropriate to the device’s nature and function and the information it collects, contains, or transmits; and
    • designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure.
  • If the device supports authentication from outside a local area network, either:
    • provide a preset password unique to each device; or
    • require the user to generate a new authenticator before first accessing the device.

(Cal. Civ. Code § 1798.91.04.)

The statute allows connected device manufacturers to elect to comply with the reasonable security features requirement by ensuring that their connected device:

(Cal. Civ. Code § 1798.91.04.)

NIST issued its recommended criteria in response to President Biden’s Executive Order 14028, Improving the Nation’s Cybersecurity, which directed it to develop IoT device cybersecurity criteria and labeling approaches.

The law broadly defines “connected device” to include any device or object that is both:

  • Capable of directly or indirectly connecting to the Internet.
  • Assigned an IP or Bluetooth address.

(Cal. Civ. Code § 1798.91.05(c).)

Device manufacturers have no duty regarding unaffiliated third-party software or applications that users choose to add to their devices, and sellers have no duty to review or enforce compliance. However, manufacturers also need not prevent users from having full control over their devices.

The law specifically excludes:

  • Devices subject to security requirements under federal law, regulations, or agency guidance.
  • Activities subject to HIPAA or California’s Confidentiality of Medical Information Act.

(Cal. Civ. Code § 1798.91.06.)

Oregon

Oregon law requires connected device manufacturers to equip devices with reasonable security features that:

  • Protect the device, and any information that it stores, from unauthorized access, destruction, use, modification, or disclosure.
  • Are appropriate to both:
    • the nature and function of the device; and
    • the type of information the device collects, stores, or transmits.

(Or. Rev. Stat. § 646A.813(1)(c).)

Reasonable security features may include:

  • Authentication controls, such as:
    • a preprogrammed password unique to each device; or
    • forcing users to generate a new password or other authenticator when first accessing a device.
  • Compliance with applicable federal laws or regulations.

(Or. Rev. Stat. § 646A.813(2).)

The law broadly defines “connected device” to include any device or object that is:

  • Capable of directly or indirectly connecting to the Internet.
  • Used primarily for personal, family, or household purposes.
  • Assigned an IP or other address or identifier for connecting to another device.

(Or. Rev. Stat. § 646A.813(1)(a).)

Device manufacturers have no duty regarding unaffiliated third-party software or applications that users choose to add to their devices, and sellers have no duty to review or enforce compliance. However, organizations also need not prevent users from having full control over their devices. (Or. Rev. Stat. § 646A.813(3).)

The law specifically excludes those subject to HIPAA or medical device regulations and guidance from the Food and Drug Administration (Or. Rev. Stat. § 646A.813(4)(c)).

States That Provide Incentives for Compliance with Data Security Programs

A few states have enacted laws that provide an affirmative defense to certain data breach-related claims or other incentives for organizations that implement specific standards-based information security measures and programs.

Connecticut

Connecticut incentivizes organizations to adopt written cybersecurity programs that conform to industry recognized security standards or other applicable laws. Specifically, covered organizations may avoid punitive damages in a tort action alleging a failure to implement reasonable cybersecurity controls if they:

  • Created, maintained, and complied with a written cybersecurity program containing administrative, technical, and physical safeguards for personal or restricted information.
  • Conformed their written cybersecurity program to the current version of certain industry recognized standards or applicable laws.
  • Designed their cybersecurity program to protect personal or restricted information and scaled it based on specified factors.

(Conn. Gen. Stat. Ann. § 42-901(b).)

An organization’s cybersecurity program conforms to an industry recognized framework (see Guidance and Resources, above) if:

  • The state or federal government regulates the organization, or the organization is otherwise subject to, and its program conforms to the current version of, one of the following:
    • HIPAA;
    • the GLBA;
    • the Federal Information Security Modernization Act of 2014 (FISMA); or
    • the Health Information Technology for Economic and Clinical Health (HITECH) Act.
  • Its program complies with the current PCI DSS and another specified industry recognized standard.

(Conn. Gen. Stat. Ann. § 42-901(c).)

Organizations must also design their cybersecurity programs to:

  • Protect the security and confidentiality of personal or restricted information against:
    • threats or hazards to the information; and
    • unauthorized access to and use of the information that results in a material risk of identity theft or other fraud.
  • Reflect a scope and scale based on:
    • their size and complexity;
    • the nature and scope of their activities;
    • the information’s sensitivity; and
    • the cost and availability of information security tools.

(Conn. Gen. Stat. Ann. § 42-901(d).)

Iowa

Iowa provides an affirmative defense against certain data breach-related tort claims to organizations that create, maintain, and comply with a written cybersecurity program that reasonably conforms to an industry-recognized framework, or is otherwise designed to:

  • Continually evaluate and mitigate reasonably anticipated threats that could lead to a data breach.
  • Communicate the risks of a data breach and actions they could take to reduce damages if one occurs.
  • Operate at a cost no less than the maximum probable loss that a data breach could cause, calculated by multiplying the total value of reasonably possible damage by the probability of damage occurring, and reevaluate and adapt to this value annually.

(Iowa Code Ann. § 554G.2.)

An organization meets the statute’s requirements if its cybersecurity program reasonably conforms to an industry-recognized cybersecurity framework, specifically if:

  • The program reasonably conforms to the current version of any one or combination of the following industry standards, with up to one year to reasonably comply after revisions:
  • The organization is regulated by the state or federal government, or is otherwise subject to, and its program reasonably conforms to the current version of, any of the following, with one year to reasonably comply after amendment:
    • the HIPAA Security Rule;
    • the HITECH Act;
    • the GLBA;
    • FISMA;
    • the Iowa Insurance Data Security Act (Iowa Code Ann. §§ 507F.1 to 507F.16); or
    • critical infrastructure rules, regulations, or guidelines adopted by the Environmental Protection Agency, the Cybersecurity and Infrastructure Security Agency, or the North American Electric Reliability Corporation.

(Iowa Code Ann. §§ 554G.2(4)(b) and 554G.3.)

The statute requires that the cybersecurity program protect both:

  • Personal information, defined as any information that could directly or indirectly identify an individual or identify their genetic, cultural, or social identity, or other identity, in particular with an identifier such as Social Security or driver’s license number, other identification number, financial account or card number, location data, or biometric data.
  • Restricted information, meaning information related to an individual or business, other than personal information, that can be linked or used to identify an individual or business and is likely to result in a material risk of identity theft or other fraud if exposed in a breach.

(Iowa Code Ann. §§ 554G.1 and 554G.2.)

Ohio

Ohio’s data security law does not require organizations to implement specific data security measures. It instead provides a safe harbor from certain data breach-related tort actions for those that create, maintain, and comply with a written cybersecurity program that:

  • Protects:
    • personal information as defined in Ohio R.C. 1349.19; or
    • a combination of personal information and restricted information, which includes any unencrypted information that alone or in combination with other information identifies or links to an individual, if its breach creates a material risk of identity theft or other fraud.
  • Contains administrative, technical, and procedural safeguards to protect personal information and, if applicable, restricted information.
  • Reasonably conforms to an industry-recognized cybersecurity framework, specifically:

(See Guidance and Resources, above.)

  • Alternatively, for regulated entities, complies with security requirements under:
    • HIPAA and the HITECH Act;
    • the GLBA; or
    • FISMA.
  • Follows a scale and scope that is appropriate according to:
    • the organization’s size and complexity;
    • the nature and scope of its activities;
    • the sensitivity of the information it protects;
    • the cost and availability of applicable tools; and
    • the organization’s available resources.

(Ohio R.C. 1354.01 to 1354.05.)

Tennessee

Effective July 1, 2025, Tennessee’s consumer data privacy law, the Tennessee Information Protection Act (TIPA), includes an affirmative defense against claims brought under the Act.

TIPA applies to persons conducting business in Tennessee producing products or services targeted to Tennessee residents (controllers), generating revenue exceeding $25 million, and either:

  • Controlling or processing at least 175,000 consumers’ personal information during a calendar year.
  • Deriving over 50% of gross revenue from the sale of personal data and controlling or processing at least 25,000 consumers’ personal data.

(Tennessee Information Protection Act, 2023 Tennessee Laws Pub. Ch. 408 (H.B. 1181), § 2 (eff. July 1, 2025).)

The affirmative defense against TIPA claims is available to controllers and processors that create, maintain, and comply with a written privacy policy that:

  • Reasonably conforms to the NIST Privacy Framework, or other documented privacy safeguard policies, standards, and procedures, with two years to reasonably conform to subsequent revisions.
  • Provides consumers with the substantive rights provided by TIPA.

The size and scope of the privacy program is appropriate if it is based on the size and complexity of the controller's or processor's business, the scope and nature of their activities, the sensitivity of the personal data processed, the cost and availability of privacy and data protection tools, and compliance with a comparable federal or state law.

Certification under the Asia Pacific Economic Cooperation's Cross Border Privacy Rules system, or, for processors, the Asia Pacific Economic Cooperation's Privacy Recognition for Processors system, can also be considered.

(Tennessee Information Protection Act, 2023 Tennessee Laws Pub. Ch. 408 (H.B. 1181), § 2 (eff. July 1, 2025).)

Utah

Utah’s safe harbor law provides an affirmative defense against certain claims arising out of a data breach for those who implement and comply with a qualified written cybersecurity program (Utah Code § 78B-4-702).

Organizations may assert the affirmative defense against claims that they failed to:

  • Implement reasonable information security controls resulting in a system security breach, as defined in the state’s data breach notification law.
  • Appropriately respond to a system security breach.
  • Appropriately notify an affected individual.

(Utah Code § 78B-4-702(1) to (4).)

The defense is available if the organization:

  • Creates, maintains, and reasonably complies with a qualified written cybersecurity program.
  • Follows the protocols included in the program at the time of the security breach.

(Utah Code § 78B-4-702(2) and (3).)

Qualified written cybersecurity programs must:

  • Be designed to protect the personal information’s security, confidentiality, and integrity against anticipated threats or a breach of system security.
  • Reflect an appropriate scale and scope, given:
    • the organization’s size and complexity;
    • the nature and scope of its activities;
    • the sensitivity of the protected information;
    • the cost and availability of tools to improve information security and reduce vulnerabilities; and
    • the organization’s available resources.
  • Reasonably conform to a recognized cybersecurity framework.

(Utah Code § 78B-4-702(4).)

Under the law, an organization reasonably conforms to a recognized cybersecurity framework if it designs its written cybersecurity program to protect the type of personal information the breach compromised, and the program meets one of the following:

  • It is a reasonable cybersecurity program under the law, meaning the organization:
    • designates an employee to coordinate a program that provides the required safeguards;
    • adopts practices and procedures to detect, prevent, and respond to system security breaches;
    • trains and manages employees on the program;
    • conducts specified risk assessments to test and monitor the program; and
    • updates the program as circumstances change.
  • It reasonably conforms to the current version of any of the following industry standards, with one year to reasonably comply after a revision:

(See Guidance and Resources, above.)

  • It reasonably complies with federal or state law that regulates the compromised information, with a reasonable time to reasonably comply after amendment, specifically:
    • the HIPAA Security Rule and the HITECH Act;
    • the GLBA;
    • FISMA;
    • the Utah Protection of Personal Information Act; or
    • other applicable state or federal law.

(Utah Code §§ 78B-4-702(4)(b) and 78B-4-703.)

The affirmative defense is not available to organizations with actual notice of security threats or hazards that fail to adopt responsive remedial measures in a reasonable time (Utah Code § 78B-4-702(5)(a)).

State Comprehensive Consumer Data Privacy Laws with Data Security Requirements

Since California enacted the California Consumer Privacy Act (CCPA), other states have followed, enacting their own comprehensive consumer data privacy laws. These laws, which typically include a data security requirement (cited below), often have limited applicability based on varying factors, including thresholds for the number of affected consumers or for revenue, and exclusions for certain entities and data types.

  • California: California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act of 2020 (collectively CCPA), Cal. Civ. Code Ann. § 1798.100(e)
  • Colorado: Colorado Privacy Act, Colo. Rev. Stat. Ann. § 6-1-1308(5)
  • Connecticut: Connecticut Personal Data Privacy and Online Monitoring Act, Conn. Gen. Stat. Ann. § 42-520(a)(3)
  • Florida (effective July 1, 2024): Florida Digital Bill of Rights, § 501.71(1)(b), Fla. Stat. (eff. July 1, 2024)
  • Indiana (effective January 1, 2026): An Act to amend the Indiana Code concerning trade regulation; Article 15. Consumer Data Protection, Ind. Code § 24-15-4-1(3) (under SB 5, eff. Jan. 1, 2026)
  • Iowa (effective January 1, 2025): Iowa Consumer Data Protection Act, Iowa Code Ann. § 715D.4(1) (under SF 262, eff. Jan. 1, 2025)
  • Montana (effective October 1, 2024): Montana Consumer Data Privacy Act, 2023 Montana Laws Ch. 681 (S.B. 384), § 7(1)(b) (eff. Oct. 1, 2024)
  • Oregon (effective July 1, 2024): Oregon Consumer Privacy Act, § (5)(c), SB 619 (eff. July 1, 2024)
  • Tennessee (effective July 1, 2025): Tennessee Information Protection Act, 2023 Tennessee Laws Pub. Ch. 408 (H.B. 1181), § 2 (eff. July 1, 2025)
  • Texas (effective July 1, 2024): Texas Data Privacy and Security Act, 2023 Tex. Sess. Law Serv. Ch. 995 (H.B. 4) (eff. July 1, 2024)
  • Utah (effective December 31, 2023): Utah Consumer Privacy Act, Utah Code § 13-61-302(2)
  • Virginia: Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-578(A)(3)

Interaction with Federal and Other State Laws

This Note does not address sector-specific obligations that some states apply to particular industries or businesses, such as financial services, health care, insurance, educational service providers, and state contractors. However, state data security laws often carve out compliance exemptions for organizations subject to data security requirements imposed by other federal or state regulations, such as:

  • The GLBA.
  • HIPAA.
  • Other federal or state laws that require greater protection than the state’s general data security statute.

Little guidance exists regarding what constitutes "greater protection" in data security laws. Commonly cited examples include regulatory regimes that, like the GLBA or HIPAA, specify particular administrative, physical, and technical safeguards or other information security program elements. Industry standards for data security typically include similar elements; for more details, see Guidance and Resources, above.

State compliance exemptions include:

Alabama

(Ala. Code §§ 8-38-11 and 8-38-12)

The exemption applies to those regulated by or subject to any federal or state law, rule, regulation, procedure, or guidance that a federal or state government enforces and that imposes data breach notification requirements at least as thorough as Alabama's law, so long as the organization:

  • Maintains the required procedures.
  • Provides notice to affected Alabama residents pursuant to the notice requirements of those laws, rules, regulations, procedures, or guidance.
  • Timely provides a copy of the notice to the attorney general when the required number of notifications to Alabama residents exceeds 1,000.

Arkansas

(Ark. Code Ann. § 4-110-106(a))

Exemption applies to those regulated by any federal or state law that provides both:

  • Greater protection to personal information.
  • At least as thorough data breach disclosure requirements.

Arkansas deems compliance with the federal or state law to be compliance with its data security requirements.

California

(Cal. Civ. Code § 1798.81.5(e))

California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (collectively CCPA) (Cal. Civ. Code § 1798.145)

California's general data security law (Cal. Civ. Code § 1798.81.5) provides exceptions to its general data security requirements for covered entities subject to:

  • HIPAA.
  • California’s Confidentiality of Medical Information Act.
  • The California Financial Information Privacy Act.
  • The confidentiality requirements of the California Vehicle Code when obtaining information under an applicable agreement.
  • Other state or federal laws that provide greater protection to personal information.

California deems compliance with the federal or state law to be compliance with the data security requirements.

The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively CCPA), includes a variety of exemptions based on the type of entity and the relevant personal information.

Colorado

(Colo. Rev. Stat. Ann. § 6-1-713.5(4))

Colorado Privacy Act (CPA) (Colo. Rev. Stat. Ann. § 6-1-1304(2))

Colorado’s general data security law (Colo. Rev. Stat. Ann. § 6-1-713.5) deems a covered entity in compliance with its data security requirements if the covered entity both:

  • Is regulated by state or federal law.
  • Maintains procedures for protecting personal information pursuant to the laws, rules, regulations, guidance, or guidelines established by its state or federal regulator.

The Colorado Privacy Act (Colo. Rev. Stat. Ann. § 6-1-1304(2)) provides exemptions for:

  • HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
  • Certain data processed for public health and safety research.
  • A national securities association registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act.
  • Air carriers as defined in 49 U.S.C. § 40102.
  • Financial institutions or data subject to the GLBA.
  • Certain activities regulated under the Fair Credit Reporting Act (FCRA).
  • Data regulated under:
    • the Driver’s Privacy Protection Act (18 U.S.C. § 2721) (DPPA);
    • the Family Educational Rights and Privacy Act (FERPA); or
    • the Children’s Online Privacy Protection Act of 1998 (COPPA).
  • Data maintained:
    • for employment purposes; or
    • by a public utility, with some restrictions.

Connecticut

(Conn. Gen. Stat. Ann. § 42-471(g))

Connecticut Data Privacy Act (Conn. Gen. Stat. Ann. § 42-517)

Connecticut's general data security law (Conn. Gen. Stat. Ann. § 42-471(g)) exempts state entities and deems a financial institution's compliance with the GLBA's security requirements to be compliance with its data security requirements.

The Connecticut Data Privacy Act (Conn. Gen. Stat. Ann. §§ 42-515 to 42-525) provides exemptions for:

  • HIPAA covered entities and business associates, HIPAA-defined personal health data, and other specified health data and derivatives.
  • Certain data processed for public health and safety research.
  • Nonprofit organizations.
  • Higher education institutions.
  • A national securities association registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act.
  • Financial institutions or data subject to the GLBA.
  • Certain activities regulated under the FCRA.
  • Air carriers as regulated under the Federal Aviation Act of 1958 and the Airline Deregulation Act of 1978 and certain data they collect, process, or disclose (effective Oct. 1, 2023).
  • Data regulated under:
    • the Driver’s Privacy Protection Act;
    • FERPA; or
    • the Farm Credit Act (12 U.S.C. §§ 2001-2279cc).
  • Certain data maintained in the employment context.

District of Columbia

(D.C. Code § 28-3852a)

District of Columbia law deems a person or entity in compliance with its data security requirements if they are subject to and comply with:

  • The GLBA.
  • HIPAA.
  • The HITECH Act.

Florida

Florida's general data security law does not include exemptions to the data security requirement (§ 501.171(2), Fla. Stat.).

Florida Digital Bill of Rights

(§§ 501.703 and 501.704, Fla. Stat.) (effective July 1, 2024)

Effective July 1, 2024, the Florida Digital Bill of Rights does not apply to:

  • HIPAA covered entities and business associates, HIPAA-defined personal health data, and other specified health data and derivatives.
  • Certain data processed for public health and safety research.
  • Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).
  • Nonprofit organizations.
  • Higher education institutions.
  • Personal data processing only for:
    • purely personal or household activities; or
    • measuring or reporting advertising performance, reach, or frequency.
  • Certain activities regulated under the FCRA.
  • Certain personal data collected, processed, or disclosed by air carriers subject to the Airline Deregulation Act of 1978.
  • Personal data regulated under:
    • the Driver’s Privacy Protection Act;
    • FERPA; or
    • the Farm Credit Act.
  • Certain data maintained in the employment context.
  • Data collected and transmitted to financial providers for the sole purpose of customer payment processing.
  • Data shared between physical product manufacturers and authorized third-party distributors or vendors if solely for the purpose of advertising, marketing, or servicing the product.

Illinois

(815 ILCS 530/45)

Illinois deems an organization to be in compliance with its data security requirements if it is subject to and in compliance with:

  • A federal or state law that requires greater protection for records that contain personal information.
  • The GLBA.

Indiana

(Ind. Code § 24-4.9-3-3.5)

Indiana SB 5 (effective Jan. 1, 2026)

Indiana’s general data security law provides exemptions for those maintaining and complying with an information privacy or security policy or compliance plan under:

  • The GLBA.
  • HIPAA.
  • FCRA.
  • The Driver’s Privacy Protection Act.
  • The Financial Modernization Act of 1999.
  • The USA PATRIOT Act (P.L. 107-56).
  • Executive Order 13224, which freezes property of and blocks transactions with terrorism supporters.

The applicable policy or plan must require the organization to maintain reasonable security measures to protect Indiana residents’ personal information.

The general data security statute also applies to current or former health care providers that are, or were, database owners exempt from the law, if the database owner does not have or implement a plan to safeguard personal information after it ceases to be a covered entity under HIPAA.

Effective January 1, 2026 under SB 5, Indiana’s consumer data protection law exempts:

  • HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
  • Certain personal data processed for public health and safety research.
  • Nonprofit organizations.
  • Higher education institutions.
  • Public utilities and associates.
  • Financial institutions, affiliates, or data subject to the GLBA.
  • Certain activities regulated under the FCRA.
  • Data regulated under:
    • the Driver’s Privacy Protection Act;
    • FERPA; or
    • the Farm Credit Act.
  • Certain data maintained in the employment context.

Iowa

No general data security law.

Iowa Consumer Data Protection Act (Iowa SF 262) (Iowa Code Ann. § 715D.2) (effective Jan. 1, 2025)

Effective January 1, 2025 under SF 262, the Iowa Consumer Data Protection Act exempts:

  • HIPAA covered entities and business associates, HIPAA-defined protected health information and certain related data, and certain personal data as defined under substance use disorder, clinical research, and other specified health care-related laws and regulations.
  • Certain personal data processed for public health and safety research.
  • Nonprofit organizations.
  • Higher education institutions.
  • Financial institutions, affiliates, or data subject to the GLBA.
  • Certain activities regulated under the FCRA.
  • Personal data regulated under:
    • the Driver’s Privacy Protection Act;
    • FERPA; or
    • the Farm Credit Act.
  • Certain data maintained in the employment context.
  • Data used in accordance with COPPA.
  • Data used by a person in the course of purely personal or household activity.

Kansas

(K.S.A. 50-6,139b)

Kansas deems an organization to be in compliance with its data security requirements if the organization's personal information protection procedures and practices are subject to, and it complies with, other state or federal law.

Maryland

(Md. Code Ann., Com. Law § 14-3507)

Maryland deems a business to be in compliance with its statute, if:

  • It complies with data security obligations to protect personal information established by its primary or functional federal or state regulator.
  • It is subject to and in compliance with:
    • HIPAA;
    • the GLBA;
    • the Fair and Accurate Credit Transactions Act (FACTA); and
    • the federal Interagency Guidelines Establishing Information Security Standards.

Montana

Montana Consumer Data Privacy Act

(2023 MT S.B. 384, § 4) (effective Oct. 1, 2024)

Effective October 1, 2024, the Montana Consumer Data Privacy Act exempts:

  • HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
  • A national securities association registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act.
  • Nonprofit organizations.
  • Higher education institutions.
  • Financial institutions and personal data regulated under the GLBA.
  • Certain activities regulated under the FCRA.
  • Certain personal data collected, processed, or disclosed by air carriers subject to the Airline Deregulation Act of 1978.
  • Personal data regulated under:
    • the Driver’s Privacy Protection Act;
    • FERPA; or
    • the Farm Credit Act.
  • Certain data maintained in the employment context.

Nebraska

(Neb. Rev. St. § 87-808(3))

Exemption applies to those subject to and in compliance with:

  • A federal or state law that provides greater protection to personal information.
  • The GLBA.
  • HIPAA.

Nevada

(NRS 603A.210(3))

Nevada deems an organization to be in compliance with its data security requirements if it is subject to and complies with a federal or state law that requires greater protection for personal information.

New Mexico

(NMSA 1978, § 57-12C-8)

Exemption applies to those subject to:

  • The GLBA.
  • HIPAA.

New York

(N.Y. Gen. Bus. Law § 899-bb)

Exemption applies to those subject to and in compliance with:

  • The GLBA.
  • HIPAA.
  • The NYDFS Cybersecurity Regulations.
  • Other federal or New York administered data security regulations.

Oregon

(Or. Rev. Stat. § 646A.622(2))

Oregon Consumer Privacy Act (§ 2, SB 619) (effective July 1, 2024)

Oregon’s general data security law provides exceptions for those subject to and in compliance with:

  • Any federal or state law that provides greater protection to personal information.
  • The GLBA.
  • HIPAA.

Effective July 1, 2024, the Oregon Consumer Privacy Act (SB 619) exempts the following:

  • HIPAA covered entities and business associates, HIPAA-defined personal health data, and other specified health data and derivatives.
  • Certain personal data processed for public health and safety research.
  • Public corporations and bodies as defined at Or. Rev. Stat. § 174.109.
  • Nonprofits established to detect and prevent fraudulent acts in connection with insurance.
  • Insurers, insurance producers, insurance consultants, and others regulated under Oregon insurance law.
  • Financial institutions and personal data regulated under the GLBA.
  • Financial institutions as defined by Oregon’s Bank Act at Or. Rev. Stat. § 706.008 and certain affiliates.
  • Certain activities regulated under the FCRA.
  • Certain personal data collected, processed, or disclosed by air carriers subject to the Airline Deregulation Act of 1978.
  • Noncommercial activity of:
    • reporters, publishers, or other persons connected with a newspaper or magazine;
    • press associations or wire services; or
    • radio or TV stations licensed by the Federal Communications Commission, or nonprofits that provide their programming.
  • Personal data regulated under:
    • the Driver’s Privacy Protection Act; or
    • FERPA.
  • Certain data processed in the employment context.

Rhode Island

(R.I. Gen. Laws § 11-49.3-6)

Exemption applies to those:

  • Subject to, examined for, and found to be in compliance with the Federal Interagency Guidelines on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
  • Governed by HIPAA.

Tennessee

Tennessee Information Protection Act

(2023 Tennessee Laws Pub. Ch. 408 (H.B. 1181), § 2) (eff. July 1, 2025)

Effective July 1, 2025, the Tennessee Information Protection Act exempts:

  • HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
  • Certain personal data processed for public health and safety research.
  • Nonprofit organizations.
  • Higher education institutions.
  • Entities that are licensed in Tennessee as insurance companies that transact insurance business and state-licensed insurance producers.
  • Financial institutions and personal information regulated under the GLBA.
  • Certain activities regulated under the FCRA.
  • Information maintained for purposes of complying with the Controlled Substances Act.
  • Personal data regulated under:
    • the Driver’s Privacy Protection Act;
    • FERPA; or
    • the Farm Credit Act.
  • Certain data maintained in the employment context.

Texas

(Tex. Bus. & Com. Code Ann. § 521.052(c))

Texas Data Privacy and Security Act

(Texas Bus. & Com. Code Ann. §§ 541.002 and 541.003) (effective July 1, 2024)

The Texas general data security law (Tex. Bus. & Com. Code Ann. § 521.052(c)) exempts financial institutions that are subject to the GLBA.

Effective July 1, 2024, under HB 4 the Texas Data Privacy and Security Act (Texas Bus. & Com. Code Ann. § 541.101(2)) exempts:

  • HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
  • Certain personal data processed for public health and safety research.
  • Nonprofit organizations.
  • Higher education institutions.
  • Electric utilities, power generation companies, and retail electric providers, as defined by the Texas Utilities Code (V.T.C.A., Utilities Code § 31.002).
  • Financial institutions and personal data regulated under the GLBA.
  • Certain activities regulated under the FCRA.
  • Personal data regulated under:
    • the Driver’s Privacy Protection Act;
    • FERPA; and
    • the Farm Credit Act.
  • Emergency contact information, if maintained or processed solely for emergency contact purposes.
  • Information processed or maintained to administer benefits.
  • Certain data maintained in the employment context.

Utah

(Utah Code § 13-44-103)

Utah Consumer Privacy Act

(Utah Code § 13-61-102(2)) (effective December 31, 2023)

Utah’s general data security law (Utah Code § 13-44-103) exempts financial institutions that are subject to the GLBA.

Effective December 31, 2023, the Utah Consumer Privacy Act (Utah Code § 13-61-102(2)) exempts:

  • HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
  • Certain personal data processed for public health and safety research.
  • Nonprofit organizations.
  • Air carriers.
  • Financial institutions and personal data regulated under the GLBA.
  • Certain activities regulated under the FCRA.
  • Personal data regulated under:
    • the Driver’s Privacy Protection Act;
    • FERPA; or
    • the Farm Credit Act.
  • Certain data maintained in the employment context.

Virginia

No general data security law.

Virginia Consumer Data Protection Act

(Va. Code Ann. § 59.1-576(B))

The Virginia Consumer Data Protection Act (Va. Code Ann. §§ 59.1-575 to 59.1-584) does not apply to:

  • HIPAA covered entities and business associates, HIPAA-defined protected health information, and other specified health data and derivatives.
  • Certain personal data processed for public health and safety research.
  • Nonprofit organizations.
  • Higher education institutions.
  • Financial institutions and personal data regulated under the GLBA.
  • Certain activities regulated under the FCRA.
  • Personal data regulated under:
    • the Driver’s Privacy Protection Act;
    • FERPA; or
    • the Farm Credit Act.
  • Certain data maintained in the employment context.

Enforcement and Penalties

Most states authorize their attorney general to enforce data security obligations. Oregon specifically tasks its Director of the Department of Consumer and Business Services with enforcing its data security law (Or. Rev. Stat. § 646A.624).

California provides a private cause of action for individuals to seek damages arising from a failure to properly protect personal information (Cal. Civ. Code § 1798.84). The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA/CPRA) also grants a private right of action with statutory damages for unauthorized or illegal access, destruction, use, modification, or disclosure of a California resident’s unencrypted and unredacted personal information due to a business’s failure to implement and maintain reasonable security measures (Cal. Civ. Code § 1798.150).

States that do not explicitly empower their attorney general to enforce data security laws typically deem violations to be unlawful or deceptive business practices under their consumer protection laws.

Remedies generally available for violations of state data security laws include:

  • Injunctions to prevent further violations.
  • Monetary penalties, including consumer compensation.
  • Reasonable costs.

States’ monetary penalties range from a few hundred to a few thousand dollars per violation and may increase based on culpability. Some states cap total penalties at the consumer or aggregate level. For example, Utah caps its civil penalties at $2,500 for violations related to a specific consumer and $100,000 in aggregate. However, penalties can exceed $100,000 when violations affect 10,000 or more residents, or when the violator accepts a settlement agreement. (Utah Code § 13-44-301.) Oregon sets an upper limit at $500,000 for a particular occurrence (Or. Rev. Stat. § 646A.624).

Organizations must also consider the other potential costs that may accompany a data security enforcement action, such as:

  • Negative publicity.
  • Loss of customer confidence.
  • Diminished market credibility.
  • Current or future contract obligations regarding data security practices.
  • Cyber insurance rates and availability.
  • Litigation risks in states, such as California, that provide a private cause of action, and in other states under consumer protection laws or privacy-related torts.

Choosing to Develop, Implement, and Maintain a WISP

Organizations should consider developing, implementing, and maintaining a WISP as a best practice, even if they are not strictly required to do so or their legal obligations extend only to certain jurisdictions.

A well-developed and maintained WISP can provide benefits, such as:

  • Prompting the organization to proactively assess its cybersecurity risks and implement measures to protect personal and other sensitive information.
  • Educating employees and other stakeholders about the actions they need to take to protect personal and other sensitive information.
  • Helping to communicate data security expectations and practices to leadership, customers, and other interested parties, including regulators.
  • Establishing that the organization takes reasonable steps to protect personal and other sensitive information, especially if a security incident occurs and results in litigation or enforcement action.

When choosing whether to implement a WISP, an organization should consider:

  • The size, scope, and type of its business or other activities.
  • Its information collection and use practices, including the amount and types of personal and other sensitive information it maintains.
  • The need to secure both customer and employee personal information.
  • Specific applicable legal requirements, which may depend on, among other things:
    • the nature and industry of the business or organization;
    • the type of information collected and maintained; and
    • the geographic footprint of the business, including the states where the organization’s customers and employees reside.
  • The resources available to implement and maintain an information security program.

Reprinted with permission from Thomson Reuters Practical Law. © 2023 by Thomson Reuters. All rights reserved. Practical Law is an online legal solution that provides access to how-to guides, templates, checklists, comparison charts, and more, all written and maintained by experienced attorneys. Quickly get up to speed and practice efficiently with Practical Law.

Thomson Reuters is a Sponsor of the GPSolo Division, and this article appears pursuant to the Division’s agreement with them. This article is not an endorsement by the ABA or the Division of any Thomson Reuters product or service.