Data Security Laws | Private Sector

5/29/2019

Overview

As security risks to citizens' personal identifying information have increased in recent years, some state legislatures are taking a more active role to require that businesses protect personal information.

At least 25 states have laws that address data security practices of private sector entities. Most of these data security laws require businesses that own, license, or maintain personal information about a resident of that state to implement and maintain "reasonable security procedures and practices" appropriate to the nature of the information and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. In addition to the laws listed here, states also have other data security laws that apply to state agencies or other governmental entities.

The number of states with these types of data security laws has doubled since 2016, reflecting growing concerns about computer crimes and breaches of personal information.

Map of data security laws 2016 compared to 2018

In a related area, more than half the states have also enacted data disposal laws that require entities to destroy or dispose of personal information so that it is unreadable or indecipherable. Other state and federal statutes (not included here) address the security of health care data, financial or credit information, social security numbers, or other specific types of data collected or maintained by businesses. There may also be administrative rules and regulations, likewise not covered here (see, e.g., Colorado (3 CCR 704-1), Massachusetts (201 Mass. Code of Regs. 17.00-17.04) and New York (23 NYCRR Part 500)), that require businesses to follow specific data security practices.

PLEASE NOTE: NCSL serves state legislators and their staff. This site provides general comparative information only and should not be relied upon or construed as legal advice. 

Data Security Laws–Private Sector

Each entry below lists the state, the statutory citation, the entities the law applies to, and the security measures required.

State: Alabama
Statutory Citation: 2018 S.B. 318
Applies to: A person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.
Security Measures Required: Implement and maintain reasonable security measures (as specified/detailed in statute) to protect sensitive personally identifying information against a breach of security.

State: Arkansas
Statutory Citation: Ark. Code § 4-110-104(b)
Applies to: A person or business that acquires, owns or licenses personal information.
Security Measures Required: Implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

State: California
Statutory Citation: Cal Civ. Code § 1798.81.5
Applies to: A business that owns, licenses, or maintains personal information; third party contractors.
Security Measures Required: Implement and maintain reasonable security procedures and practices appropriate to the nature of the information.

State: California
Statutory Citation: Calif. Civil Code § 1798.91.04
Applies to: Manufacturers of connected devices sold in California.
Security Measures Required: Equip the device with reasonable security features that are appropriate to the nature and function of the device and the information it may collect, contain, or transmit, and that are designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure.

State: Colorado
Statutory Citation: Colo. Rev. Stat. § 6-1-713.5 (2018 H.B. 1128)
Applies to: Any entity that maintains, owns, or licenses personal identifying information in the course of the person's business or occupation.
Security Measures Required: Develop written policies for the proper disposal of personal information once such information is no longer needed. Implement and maintain reasonable security practices and procedures to protect personal identifying information from unauthorized access.

State: Connecticut
Statutory Citation: Conn. Gen. Stat. § 38a-999b
Applies to: Any health insurer, health care center or other entity licensed to do health insurance business in the state.
Security Measures Required: Implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company.

State: Connecticut
Statutory Citation: Conn. Gen. Stat. § 4e-70
Applies to: Contractors: an individual, business or other entity that is receiving confidential information from a state contracting agency or agent of the state pursuant to a written agreement to provide goods or services to the state.
Security Measures Required: Implement and maintain a comprehensive data-security program (as specified/detailed in statute), including encryption of all sensitive personal data that is transmitted wirelessly or via a public Internet connection or that is contained on portable electronic devices.

State: Delaware
Statutory Citation: Del. Code § 12B-100
Applies to: Any person who conducts business in the state and owns, licenses, or maintains personal information.
Security Measures Required: Implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.

State: Florida
Statutory Citation: Fla. Stat. § 501.171(2)
Applies to: Covered entities (sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity) and third-party agents (an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity).
Security Measures Required: Reasonable measures to protect and secure data in electronic form containing personal information.

State: Illinois
Statutory Citation: 815 ILCS 530/45
Applies to: A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information.
Security Measures Required: Implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure. A contract for the disclosure of personal information must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures.

State: Indiana
Statutory Citation: Ind. Code § 24-4.9-3-3.5
Applies to: A database owner: a person that owns or licenses computerized data that includes personal information.
Security Measures Required: Implement and maintain reasonable procedures, including taking any appropriate corrective action.

State: Kansas
Statutory Citation: K.S. § 50-6,139b
Applies to: A holder of personal information: a person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person.
Security Measures Required: Implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure.

State: Louisiana
Statutory Citation: La. Rev. Stat. § 3074 (2018 S.B. 361)
Applies to: Any person that conducts business in the state or that owns or licenses computerized data that includes personal information.
Security Measures Required: Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

State: Maryland
Statutory Citation: Md. Code Com Law §§ 14-3501 to -3503
Applies to: A business: a sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit. Business includes a financial institution… Also a nonaffiliated third party/service provider.
Security Measures Required: Implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.

State: Massachusetts
Statutory Citation: Mass. Gen. Laws Ch. 93H § 2(a)
Applies to: Any person that owns or licenses personal information.
Security Measures Required: Authorizes regulations to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards. The regulations shall take into account the person's size, scope and type of business, resources available, amount of stored data, and the need for security and confidentiality of both consumer and employee information. See also 201 Mass. Code of Regs. 17.00-17.04.

State: Minnesota
Statutory Citation: Minn. Stat. § 325M.05
Applies to: Internet service providers.
Security Measures Required: Take reasonable steps to maintain the security and privacy of a consumer's personally identifiable information.

State: Nebraska
Statutory Citation: Neb. Rev. Stat. §§ 87-801-807 (2018 L.B. 757)
Applies to: Any individual or commercial entity that conducts business in Nebraska and maintains personal information about Nebraska residents.
Security Measures Required: Establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained. Ensure that all third parties to whom the entity provides sensitive personal information establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained.

State: Nevada
Statutory Citation: Nev. Rev. Stat. §§ 603A.210, 603A.215(2)
Applies to: A data collector that maintains records which contain personal information; a person to whom a data collector discloses personal information.
Security Measures Required: Implement and maintain reasonable security measures (as specified/detailed in statute).

State: New Mexico
Statutory Citation: N.M. Stat. § 57-12C-4, 57-12C-5 (2017 H.B. 15, Chap. 36)
Applies to: A person that owns or licenses personal identifying information of a New Mexico resident.
Security Measures Required: Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.

State: Ohio
Statutory Citation: Ohio Rev. Stat. § 1354.01 to 1354.05 (2018 S.B. 220)
Applies to: Business or nonprofit entity, including a financial institution, that accesses, maintains, communicates, or handles personal information or restricted information.
Security Measures Required: To qualify for an affirmative defense to a cause of action alleging a failure to implement reasonable information security controls resulting in a data breach, an entity must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information as specified (e.g., conforming to an industry recognized cybersecurity framework as listed in the act).

State: Oregon
Statutory Citation: Or. Rev. Stat § 646A.622
Applies to: Any person that owns, maintains or otherwise possesses data that includes a consumer's personal information that is used in the course of the person's business, vocation, occupation or volunteer activities.
Security Measures Required: Develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data (as specified/detailed in statute).

State: Rhode Island
Statutory Citation: R.I. Gen. Laws § 11-49.3-2
Applies to: A business that owns or licenses computerized unencrypted personal information; a nonaffiliated third-party contractor.
Security Measures Required: Implement and maintain a risk-based information security program with reasonable security procedures and practices appropriate to the nature of the information.

State: South Carolina
Statutory Citation: S.C. Code § 38-99-10 to -100 (2018 H.B. 4655)
Applies to: A person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the state (does not include a purchasing group or a risk retention group chartered and licensed in another state, or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction).
Security Measures Required: Requires a licensee to develop, implement and maintain a comprehensive information security program based on the licensee's risk assessment. Establishes requirements for the security program, such as implementing an incident response plan and other details (as specified/detailed in statute).

State: Texas
Statutory Citation: Tex. Bus. & Com. Code § 521.052
Applies to: A business or nonprofit athletic or sports association that collects or maintains sensitive personal information. (Does not apply to financial institutions.)
Security Measures Required: Reasonable procedures, including taking any appropriate corrective action.

State: Utah
Statutory Citation: Utah Code §§ 13-44-101, -201, -301
Applies to: Any person who conducts business in the state and maintains personal information.
Security Measures Required: Implement and maintain reasonable procedures.

State: Vermont
Statutory Citation: 9 V.S.A § 2446-2447 (2018 H.B. 764)
Applies to: Data brokers: businesses that knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship.
Security Measures Required: Register annually with the Secretary of State. Implement and maintain a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information.

 

Additional Resources