Data Security Laws | Private Sector

Technology

Overview

As security risks to citizens' personal identifying information have increased in recent years, some state legislatures are taking a more active role to require that businesses protect personal information.

At least 25 states have laws that address data security practices of private sector entities. Most of these data security laws require businesses that own, license, or maintain personal information about a resident of that state to implement and maintain "reasonable security procedures and practices" appropriate to the nature of the information and to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. In addition to the laws listed here, states also have other data security laws that apply to state agencies or other governmental entities.

The number of states with these types of data security laws has doubled since 2016, reflecting growing concerns about computer crimes and breaches of personal information.

In a related area, more than half the states also have enacted data disposal laws that require entities to destroy or dispose of personal information so that it is unreadable or indecipherable. In addition, other state and federal statutes (not included here) also address the security of health care data, financial or credit information, social security numbers or other specific types of data collected or maintained by businesses. In addition, there may be other states with administrative rules and regulations also not covered here (see, e.g., Colorado (3 CCR 704-1), Massachusetts (201 Mass. Code of Regs. 17.00-17.04) and New York (23 NYCRR Part 500)) that require businesses to follow specific data security practices.

PLEASE NOTE: NCSL serves state legislators and their staff. This site provides general comparative information only and should not be relied upon or construed as legal advice.

Data Security Laws–Private Sector
State	Statutory Citation/Link	Applies to:	Security Measures Required
Alabama	2018 SB 318	A person, sole proprietorship, partnership, government entitym corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.	Implement and maintain reasonable security measures (as specified/ detailed in statute) to protect sensitive personally identifying information against a breach of security.
California	Calif. Civil Code § 1798.91.04	Manufacturers of connected devices sold in California.	Equip the device with reasonable security features that are appropriate to the nature and function of the device and the information it may collect, contain, or transmit, and that are designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure.
Colorado	Colo. Rev. Stat. § 6-1-713 to -713.5	Any entity that maintains, owns, or licenses personal identifying information in the course of the person’s business or occupation.	Develop written policies for the proper disposal of personal information once such information is no longer needed. Implement and maintain reasonable security practices and procedures to protect personal identifying information from unauthorized access.
Delaware	Del. Code § 12B-100	Any person who conducts business in the state and owns, licenses, or maintains personal information.	Implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.
Illinois	815 ILCS 530/45	A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information.	Implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure. A contract for the disclosure of personal information must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures.
Kansas	K.S. § 50-6,139b	A holder of personal information: a person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person.	Implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure.
Louisiana	La. Rev. Stat. § 3074 (2018 SB 361)	Any person that conducts business in the state or that owns or licenses computerized data that includes personal information.	Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Maryland	Md. Code Com Law §§ 14-3501 to -3503	A business: a sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit. Business includes a financial institution… Nonaffiliated third party/service provider	Implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.
Massachusetts	Mass. Gen. Laws Ch. 93H § 2(a)	Any person that owns or licenses personal information.	Authorizes regulations to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards. The regulations shall take into account the person's size, scope and type of business, resources available, amount of stored data, and the need for security and confidentiality of both consumer and employee information. See also 201 Mass. Code of Regs. 17.00-17.04
Minnesota	Minn. Stat. § 325M.05	Internet service providers.	Take reasonable steps to maintain the security and privacy of a consumer's personally identifiable information.
Nebraska	Neb. Rev. Stat. §§ 87-801-807 (2018 L.B. 757)	Any individual or commercial entity that conducts business in Nebraska and maintains personal information about Nebraska residents.	Establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained. Ensure that all third parties to whom the entity provides sensitive personal information establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained.
New Mexico	N.M. Stat. § 57-12C-4 to -5	A person that owns or licenses personal identifying information of a New Mexico resident.	Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.
Ohio	Ohio Rev. Stat. § 1354.01 to 1354.05 (2018 S.B. 220)	Business or nonprofit entity, including a financial institution, that accesses, maintains, communicates, or handles personal information or restricted information.	To qualify for an affirmative defense to a cause of action alleging a failure to implement reasonable information security controls resulting in a data breach, an entity must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information as specified (e.g., conforming to an industry-recognized cybersecurity framework as listed in the act).
Vermont	9 V.S.A § 2446-2447 (2018 HB 764)	Data brokers--businesses that knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship.	Register annually with the Secretary of State. Implement and maintain a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information.

DO NOT DELETE - NCSL Search Page Data

Related Resources

Updated December 14, 2022

NCSL 50-State Searchable Bill Tracking Databases

Find the most comprehensive and complete 50-state information in NCSL's searchable bill tracking databases.

Technology

Database

Updated March 13, 2023

Supreme Court Voices Hesitation in Case Involving Speech Protections for Big Tech

In the case Gonzalez v. Google, plaintiffs argue that social media platforms can be held liable for the speech they publish. But Google claims Section 230 of the Communications Decency Act provide it immunity.

State-Federal Technology

State Legislatures News

Updated February 15, 2023

State 9-1-1 Bill Tracking Database

State 9-1-1 legislation tracking database, including bills related to e9-1-1 and Next Generation 9-1-1

Technology

Database

Contact NCSL
For more information on this topic, use this form to reach NCSL staff.
Email
Full Name
What is your role?
Message
Captcha
Admin Email

Summary Data Security Laws | Private Sector

Overview

DO NOT DELETE - NCSL Search Page Data

Related Resources

NCSL 50-State Searchable Bill Tracking Databases

Supreme Court Voices Hesitation in Case Involving Speech Protections for Big Tech

State 9-1-1 Bill Tracking Database

Contact NCSL

Contact Us

Denver

Washington, D.C.