State-by-State Listing of Data Loss and Freedom of Information Legislation

In order to request data breach notification reports from governments, several critieria need to exist. The state must have Freedom of Information or Open Records legislation. The state must have Breach Notification legislation, and the state must require notifications to a centralized authority (like an Attorney General, or a Consumer Protection division).

At this time, only 12 states meet the requirements for gathering Primary Sources. 35 states have data loss notification legislation, but no centralized reporting. 4 states have no data loss notification legislation.

See our Federal Data Breach Notification Legislation page for our analysis of federal legislation.

States with FOI and Centralized Data Loss Incident Reporting Laws

Hawaii

We have 70 primary sources, and 4 primary sources journal entries for Hawaii.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: Yes
Overview: Hawaii has all the necessary requirements needed for FOI requests of data loss incident notices. They have a comprehensive Open Records Law, as well as centralized breach notification collection, dictated via their Act 135, Notification of Security Breaches Legislation.
FOI Contact info: Hawaii has an Open Records law. The law doesn't outline a specific agency charged with handling these requests, instead the requests should go to the agency holding the data, in this case, the Department of Commerce and Consumer Affairs

Maine

We have 435 primary sources, and 5 primary sources journal entries for Maine.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: Yes
Overview: Maine has all the necessary requirements for requesting breach notifications through FOI. They have a comprehensive Freedom of Information Law, and a somewhat centralized data breach notification law. The law requires notifications be made to the Attorney General's Office in most cases, and the Department of Professional and Financial Regulation when the organization is a bank or financial institution.
FOI Contact info: Maine does not maintain a centralized records department for information requests. Instead, they maintain a comprehensive list of contacts in each department that can assist and process information requests. The departments in question in ME are the Attorney General's office, and the Department of Professional and Financial Regulation.

Maryland

We have 424 primary sources, and no primary sources journal entries for Maryland.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: Yes
Overview: Per the law: "...a business shall provide notice of a breach of the security of a system to the Office of the Attorney General...". Maryland also posts their notifications online.
FOI Contact info:

Massachusetts

We have 492 primary sources, and 9 primary sources journal entries for Massachusetts.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: Yes
Overview: Per the law, "...The notice to be provided to the attorney general and said director.." They've also instituted these standards that are supposed to be in effect at some point in 2009.
FOI Contact info: Seems to require routing through the Supervisor of Public Records.

Missouri

We have no primary sources, and no primary sources journal entries for Missouri.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: Yes
Overview: Effective August 28, 2009, victims who are residents of Missouri must be notified of a data breach. If 1,000 or more are notified, then the attorney general must also be notified.
FOI Contact info: The Sunshine law suggests we contact the custodian of the records, in this case, the Attorney General. Also, "A public body may reduce or waive costs when it determines the request is made in the public interest and is not made for commercial purposes."

New Hampshire

We have 388 primary sources, and no primary sources journal entries for New Hampshire.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: Yes
Overview: New Hampshire's Attorney General receives notices of data loss incidents, and also posts them online.
FOI Contact info: Contact the department of justice. The right to know act seems comprehensive.

New Jersey

We have no primary sources, and no primary sources journal entries for New Jersey.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: Yes
Overview: Interestingly, New Jersey's law states that organizations experiencing breaches must: "in advance of the disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling". Apparently, the state has this to say about these records: "are considered criminal investigatory records and are exempt from disclosure", which may make them unattainable.
FOI Contact info: "first page to tenth page, $0.75 per page; eleventh page to twentieth page, $0.50 per page; all pages over twenty, $0.25 per page." No mention of mailing/postage. Contact the custodian.

New York

We have 659 primary sources, and no primary sources journal entries for New York.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: Yes
Overview: "In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the consumer protection board, and the state office of cyber security and critical infrastructure coordination as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents."
FOI Contact info: Reasonable fees, etc. No central records contact, instead, contact the department that holds the records.

North Carolina

We have 230 primary sources, and no primary sources journal entries for North Carolina.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: Yes
Overview: Notices are sent to the Consumer Protection Division of the Attorney General's Office
FOI Contact info: Per the law, "The public official in charge of an office having public records shall be the custodian thereof.". Therefor contacting the Consumer Protection Division of the Attorney General's Office seems best. The law seems to apply to non-residents as well: "...by any person, and shall, as promptly as possible, furnish copies thereof upon payment of any fees as may be prescribed by law..." No mention of mailing/postage.

South Carolina

We have no primary sources, and no primary sources journal entries for South Carolina.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: Yes
Overview: An "agency" breach must notify the Consumer Protection Division of the Department of Consumer Affairs if the breach affects more than 1000 residents. Agency defined as: ‘Agency’ means any agency, department, board, commission, committee, or institution of higher learning of the State or a political subdivision of it.

In addition, businesses are also required to notify the Department of Consumer Affairs under the same circumstances as above.
FOI Contact info: Per the law, "...Any person has a right to inspect or copy any public record of a public body...". Reasonable fees apply. No mention of postage. Request must be in writing.

Vermont

We have 23 primary sources, and no primary sources journal entries for Vermont.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: Yes
Overview: Vermont seems to have partial centralized data loss incident reporting. Per the law:

"... If the data collector establishes that misuse of the personal information is not reasonably possible, the data collector shall provide notice of its determination that misuse of the personal information is not reasonably possible and a detailed explanation for said determination to the Vermont attorney general or to the department of banking, insurance, securities, and health care administration in the event that the data collector is a person or entity licensed or registered with the department under Title 8 or this title. The data collector may designate its notice and detailed explanation to the Vermont attorney general or the department of banking, insurance, securities, and health care administration as "trade secret" if the notice and detailed explanation meet the definition of trade secret contained in subdivision 317(c)(9) of Title 1."

In addition, the Attorney General has issued a "guidance" which, according to it:

"The Guidance requires businesses and state agencies to take the following steps when they experience a security breach:

Secure the data that has been compromised. Contact law enforcement to determine if a criminal investigation is warranted. Contact the Vermont Attorney General’s Office. Notify consumers affected by the breach within 10 business days of the breach."

Vermont also shares some notifications online.
FOI Contact info: Per the law, "Any person may inspect or copy any public record or document of a public agency..." implying residency is not a requirement. Reasonable fees apply for time, copying, and postage.

Virginia

We have 85 primary sources, and 2 primary sources journal entries for Virginia.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: Yes
Overview: Per the law: "In the event an individual or entity provides notice to more than 1,000 persons at one time pursuant to this section, the individual or entity shall notify, without unreasonable delay, the Office of the Attorney General and all consumer reporting agencies that compile..."
FOI Contact info: Appears that you need to be a resident of VA in order to make FOIA requests to the state (per law). No mention of postage, but detailed mention of "reasonable fees" not to exceed actual costs.

States With Data Loss Incident Reporting Laws, but no Centralized Reporting

Alaska

We have no primary sources, and no primary sources journal entries for Alaska.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: While Alaska has FOI legislation, and a data loss reporting law, it only requires notification to a central agency (the Attorney General) should the organization experiencing the breach want an exclusion from reporting.
FOI Contact info:

Arizona

We have no primary sources, and no primary sources journal entries for Arizona.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Arkansas

We have no primary sources, and no primary sources journal entries for Arkansas.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

California

We have 16 primary sources, and no primary sources journal entries for California.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: While being the 'grandmother of data loss incident reporting', California has no centralized data loss incident reporting.
FOI Contact info:

Colorado

We have 5 primary sources, and 3 primary sources journal entries for Colorado.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Connecticut

We have no primary sources, and no primary sources journal entries for Connecticut.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Delaware

We have no primary sources, and no primary sources journal entries for Delaware.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

District of Columbia

We have no primary sources, and no primary sources journal entries for District of Columbia.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Florida

We have 21 primary sources, and no primary sources journal entries for Florida.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Georgia

We have no primary sources, and no primary sources journal entries for Georgia.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Idaho

We have no primary sources, and no primary sources journal entries for Idaho.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No central reporting of data loss incidents.
FOI Contact info:

Illinois

We have 1 primary sources, and no primary sources journal entries for Illinois.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: Partial for state agencies, as they have to send a report to the General Assembly within 5 days of noticing the breach.

"...(815 ILCS 530/25)

Sec. 25. Annual reporting. Any State agency that collects personal data and has had a breach of security of the system data or written material shall submit a report within 5 business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Any State agency that has submitted a report under this Section shall submit an annual report listing all breaches of security of the system data or written materials and the corrective measures that have been taken to prevent future breaches.

(Source: P.A. 94?947, eff. 6?27?06.)..."
FOI Contact info: "...all persons are entitled to full and complete information regarding the affairs of government... " Reasonable fees apply. "...in person or in writing..."

Indiana

We have no primary sources, and no primary sources journal entries for Indiana.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Iowa

We have no primary sources, and no primary sources journal entries for Iowa.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Kansas

We have no primary sources, and no primary sources journal entries for Kansas.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Louisiana

We have no primary sources, and no primary sources journal entries for Louisiana.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Michigan

We have 4 primary sources, and no primary sources journal entries for Michigan.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: Apparently no Centralized data loss incident reporting.
FOI Contact info:

Minnesota

We have no primary sources, and no primary sources journal entries for Minnesota.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Mississippi

We have no primary sources, and no primary sources journal entries for Mississippi.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: Has a breach notification law, effective July 1, 2010, but no centralized reporting requirement.
FOI Contact info:

Montana

We have no primary sources, and no primary sources journal entries for Montana.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Nebraska

We have 8 primary sources, and 3 primary sources journal entries for Nebraska.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Nevada

We have no primary sources, and no primary sources journal entries for Nevada.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

North Dakota

We have no primary sources, and no primary sources journal entries for North Dakota.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Ohio

We have no primary sources, and no primary sources journal entries for Ohio.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Oklahoma

We have no primary sources, and no primary sources journal entries for Oklahoma.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Oregon

We have no primary sources, and no primary sources journal entries for Oregon.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Pennsylvania

We have no primary sources, and no primary sources journal entries for Pennsylvania.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Rhode Island

We have no primary sources, and no primary sources journal entries for Rhode Island.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Tennessee

We have no primary sources, and no primary sources journal entries for Tennessee.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Texas

We have no primary sources, and no primary sources journal entries for Texas.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Utah

We have no primary sources, and no primary sources journal entries for Utah.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Washington

We have no primary sources, and no primary sources journal entries for Washington.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

West Virginia

We have no primary sources, and no primary sources journal entries for West Virginia.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

Wisconsin

We have 4 primary sources, and 2 primary sources journal entries for Wisconsin.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: Does not appear to have centralized data loss incident reporting per the law, but does appear to post some information online. Am inquiring about why the information is posted online, and how the information is obtained.
FOI Contact info:

Wyoming

We have no primary sources, and no primary sources journal entries for Wyoming.

Has FOI Law?: Yes Has Data Loss Law?: Yes Has Centralized DL Reporting?: No
Overview: No centralized data loss incident reporting.
FOI Contact info:

States Without Data Loss Incident Reporting Laws

Alabama

We have no primary sources, and no primary sources journal entries for Alabama.

Has FOI Law?: Yes Has Data Loss Law?: No Has Centralized DL Reporting?: No
Overview: No data loss incident reporting legislation.
FOI Contact info:

Kentucky

We have no primary sources, and no primary sources journal entries for Kentucky.

Has FOI Law?: Yes Has Data Loss Law?: No Has Centralized DL Reporting?: No
Overview: No data loss incident reporting legislation.
FOI Contact info:

New Mexico

We have no primary sources, and no primary sources journal entries for New Mexico.

Has FOI Law?: Yes Has Data Loss Law?: No Has Centralized DL Reporting?: No
Overview: No data loss incident notification legislation.
FOI Contact info:

South Dakota

We have no primary sources, and no primary sources journal entries for South Dakota.

Has FOI Law?: Yes Has Data Loss Law?: No Has Centralized DL Reporting?: No
Overview: No data loss incident reporting legislation, and as a result, no centralized data loss incident reporting.
FOI Contact info:
Sponsored By: Rbs Zecurion
Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail [email protected] with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2014, Open Security Foundation, All Rights Reserved.