Alabama
|
Ala. Code §8-38-3
|
A person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information.
|
Implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security. Security measures must include: designating an employee to protect against a breach of security; identifying internal and external security risks; adoption of appropriate information safeguards; ongoing evaluation and adjustment of security measures; among other elements.
|
Alaska
|
Not specified
|
|
|
Arizona
|
Not specified
|
|
|
Arkansas
|
Not specified
|
|
|
California
|
Calif. Civil Code §1798.91.04
Calif. Civil Code §1798.100
Calif. Civil Code §1798.81.5
|
Manufacturers of connected devices sold in California.
A business that collects a consumer’s personal information.
A business that owns, licenses, or maintains personal information about a California resident.
|
Equip the device with reasonable security features that are appropriate to the nature and function of the device and the information it may collect, contain, or transmit, and that are designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure.
Implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with section 1798.81.5.
Implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
|
Colorado
|
Colo. Rev. Stat. §6-1-713 to -713.5
|
Any entity that maintains, owns, or licenses personal identifying information during the person’s business or occupation.
|
Develop written policies for the proper disposal of personal information once such information is no longer needed. Implement and maintain reasonable security practices and procedures to protect personal identifying information from unauthorized access.
|
Connecticut
|
Not specified
|
|
|
Delaware
|
Del. Code §12B-100
|
Any person who conducts business in the state and owns, licenses, or maintains personal information.
|
Implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.
|
District of Columbia
|
Not specified
|
|
|
Florida
|
Fla. Stat. §501.171
|
A sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity that acquires, maintains, stores, or uses personal information.
Governmental entity, or third-party agent.
|
Take reasonable measures to protect and secure data in electronic form containing personal information.
|
Georgia
|
Not specified
|
|
|
Guam
|
Not specified
|
|
|
Hawaii
|
Not specified
|
|
|
Idaho
|
Not specified
|
|
|
Illinois
|
Ill. Rev. Stat. ch. 818, §530/45
|
A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information.
|
Implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure. A contract for the disclosure of personal information must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures.
|
Indiana
|
Not specified
|
|
|
Iowa
|
Not specified
|
|
|
Kansas
|
Kan. Stat. Ann. §50-6,139b
|
A holder of personal information: a person who, in the ordinary course of business, collects, maintains or possesses, or causes to be collected, maintained or possessed, the personal information of any other person.
|
Implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification or disclosure.
|
Kentucky
|
Ky. Rev. Stat. §367.3617
[Effective Jan. 1, 2026]
|
“Controller” means the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.
|
Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. The data security practices shall be appropriate to the volume and nature of the personal data at issue.
|
Louisiana
|
La. Rev. Stat. §51:3074
|
Any person that conducts business in the state or that owns or licenses computerized data that includes personal information.
|
Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
|
Maine
|
Not specified
|
|
|
Maryland
|
Md. Code Com Law §14-3501 to -3503
|
A business: a sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit. Business includes a financial institution. Nonaffiliated third party/service provider.
|
Implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations.
|
Massachusetts
|
Mass. Gen. Laws ch. 93H, §2(a)
|
Any person that owns or licenses personal information.
|
Authorizes regulations to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards. The regulations shall take into account the person's size, scope and type of business, resources available, amount of stored data, and the need for security and confidentiality of both consumer and employee information.
|
Michigan
|
Not specified
|
|
|
Minnesota
|
Minn. Stat. §325M.05
Minn. Stat. §325M.16
[Effective July 31, 2025]
|
Internet service providers.
“Controller” means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
|
Take reasonable steps to maintain the security and privacy of a consumer's personally identifiable information.
Establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue.
|
Mississippi
|
Not specified
|
|
|
Missouri
|
Not specified
|
|
|
Montana
|
Not specified
|
|
|
Nebraska
|
Neb. Rev. Stat. §87-801 to 807
|
Any individual or commercial entity that conducts business in Nebraska and maintains personal information about Nebraska residents.
|
Establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained.
Ensure that all third parties to whom the entity provides sensitive personal information establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained.
|
Nevada
|
Nev. Rev. Stat. §603.210
|
Any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.
|
Implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.
|
New Hampshire
|
N.H. Rev. Stat. Ann. §507-H:6
|
"Controller" means an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.
|
Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
|
New Jersey
|
N.J. Stat. §56:8-166.12
|
"Controller," which is an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.
|
Controllers must establish and maintain reasonable administrative, technical and physical data security practices appropriate to the volume and nature of the personal data. These practices must protect the confidentiality, integrity and accessibility of personal data and secure it from unauthorized acquisition during both storage and use.
|
New Mexico
|
N.M. Stat. §57-12C-4 to -5
|
A person that owns or licenses personal identifying information of a New Mexico resident.
|
Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification or disclosure.
|
New York
|
Not specified
|
|
|
North Carolina
|
Not specified
|
|
|
North Dakota
|
Not specified
|
|
|
N. Mariana Islands
|
Not specified
|
|
|
Ohio
|
Ohio Rev. Stat. §1354.01 to 1354.05
|
Business or nonprofit entity, including a financial institution, that accesses, maintains, communicates, or handles personal information or restricted information.
|
To qualify for an affirmative defense to a cause of action alleging a failure to implement reasonable information security controls resulting in a data breach, an entity must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information as specified (e.g., conforming to an industry-recognized cybersecurity framework as listed in the act).
|
Oklahoma
|
Not specified
|
|
|
Oregon
|
Oregon Rev. Stat. §646A.622
|
A person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information during the person’s business, vocation, occupation or volunteer activities.
|
Develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information, including safeguards that protect the personal information when the covered entity or vendor disposes of the personal information.
|
Pennsylvania
|
Pa. Stat. tit. 73, §2305b
|
An entity that maintains, stores or manages computerized data on behalf of the commonwealth that constitutes personal information.
|
Develop a policy to govern reasonably proper storage of the personal information. In developing the policy, an entity shall reasonably consider similar existing federal policies and other policies, best practices identified by other states and relevant studies and other sources as appropriate in accordance with best practices as established by the federal government and the commonwealth. The policy shall be reviewed at least annually and updated as necessary.
|
Puerto Rico
|
Not specified
|
|
|
Rhode Island
|
R.I. Gen. Laws §6-48.1-4
[Effective Jan. 1, 2026]
R.I. Gen. Laws §6-48.1-7
[Effective Jan. 1, 2026]
|
An individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.
|
Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action.
|
A. Samoa
|
Statutes unavailable
|
|
|
South Carolina
|
Not specified
|
|
|
South Dakota
|
Not specified
|
|
|
Tennessee
|
Tenn. Code Ann. §47-18-3305
[Effective July 1, 2025]
Tenn. Code Ann. §47-18-3314
[Effective July 1, 2025]
|
“Controller,” which is a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal information.
|
Establish, implement, and maintain reasonable administrative, technical, and physical data security practices, as described in § 47-18-3314, to protect the confidentiality, integrity, and accessibility of personal information. The data security practices must be appropriate to the volume and nature of the personal information at issue.
A controller or processor has an affirmative defense to a cause of action for a violation of this part if the controller or processor creates, maintains, and complies with a written privacy policy that:
Reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” or other documented policies, standards, and procedures designed to safeguard consumer privacy; is updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two years of the publication date stated in the most recent revision to the NIST or comparable privacy framework; and provides a person with the substantive rights required by this part.
The scale and scope of a controller or processor's privacy program under is appropriate if it is based on multiple factors, as specified/detailed in statute.
|
Texas
|
Tex. Bus. & Com. Code §541.101
Tex. Bus. & Com. Code §541.104
|
"Controller," an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data.
"Processor," a person that processes personal data on behalf of a controller.
|
Implement and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.
A processor shall adhere to the instructions of a controller and shall assist the controller in meeting or complying with the controller's duties or requirements under this chapter, including assisting the controller with regard to complying with the requirement relating to the security of processing personal data.
|
Utah
|
Utah Code Ann. §13-61-302
|
A person doing business in the state who determines the purposes for which and how personal data are processed, regardless of whether the person makes the determination alone or with others.
|
Establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to: protect the confidentiality and integrity of personal data; and reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data. Considering the controller's business size, scope, and type, a controller shall use data security practices that are appropriate for the volume and nature of the personal data at issue.
|
Vermont
|
Vt. Stat. Ann. tit. 9, § 2446 to 2447
|
“Data brokers,” businesses that knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship.
|
Register annually with the secretary of state. Implement and maintain a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information.
|
Virginia
|
Va. Code §59.1-578
|
"Controller," the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.
|
Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. Data security practices shall be appropriate to the volume and nature of the personal data at issue.
|
U.S. Virgin Islands
|
Not specified
|
|
|
Washington
|
Not specified
|
|
|
West Virginia
|
Not specified
|
|
|
Wisconsin
|
Not specified
|
|
|
Wyoming
|
Not specified
|
|
|