Forty-seven states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have enacted a “data breach notification” statute. Although statutes vary, data breach notifications generally require businesses that have personal information about residents within a state to notify those residents if someone who is not authorized acquires that information.

Current state data breach notification laws also vary in the requirements regarding data encryption, information that is within the scope of the law, notifications required in case of data loss, proper destruction of data, as well as penalties for non-compliance with the law.

States with no security breach law: Alabama, New Mexico, and South Dakota.

Although you should ultimately consult an attorney to determine which state data breach notification statutes apply to your business, Risk Based Security can help you understand the specific security requirements imposed.

See Full State List Here: National Conference of State Legislatures


Call 855-RBS-RISK or email: [email protected] to arrange your security program review.

Our products
Vulnerability Intelligence
Learn more
Cyber Risk Analytics
Threat Intelligence
Learn more
Risk Management
Learn more
Request Demo