2019 State-by-state data protection laws for the private sector
| State | Regulation | Applies to | Security Measures Required |
|---|---|---|---|
| Alabama | 2018 S.B. 318 | A person, sole proprietorship, partnership, government entity, corporation, nonprofit, trust, estate, cooperative association, or other business entity that acquires or uses sensitive personally identifying information. | Implement and maintain reasonable security measures (as specified/detailed in statute) to protect sensitive personally identifying information against a breach of security. |
| Arkansas | Ark. Code § 4-110-104(b) | A person or business that acquires, owns, or licenses personal information. | Implement and maintain reasonable security procedures and practices appropriate to the nature of the information. |
| California | Cal. Civ. Code § 1798.81.5 | A business that owns, licenses, or maintains personal information; third-party contractors. | Implement and maintain reasonable security procedures and practices appropriate to the nature of the information. |
| California | Cal. Civ. Code § 1798.91.04 | Manufacturers of connected devices sold in California. | Equip the device with reasonable security features that are appropriate to the nature and function of the device and the information it may collect, contain, or transmit, and that are designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure. |
| Colorado | Colo. Rev. Stat. § 6-1-713.5 (2018 H.B. 1128) | Any entity that maintains, owns, or licenses personal identifying information in the course of the person’s business or occupation. | Develop written policies for the proper disposal of personal information once such information is no longer needed. Implement and maintain reasonable security practices and procedures to protect personal identifying information from unauthorized access. |
| Connecticut | Conn. Gen. Stat. § 38a-999b | Any health insurer, health care center, or other entity licensed to do health insurance business in the state. | Implement and maintain a comprehensive information security program to safeguard the personal information of insureds and enrollees that is compiled or maintained by such company. |
| Connecticut | Conn. Gen. Stat. § 4e-70 | Contractors: an individual, business, or other entity that is receiving confidential information from a state contracting agency or agent of the state pursuant to a written agreement to provide goods or services to the state. | Implement and maintain a comprehensive data-security program (as specified/detailed in statute), including encryption of all sensitive personal data that is transmitted wirelessly or via a public Internet connection, or that is contained on portable electronic devices. |
| Delaware | Del. Code § 12B-100 | Any person who conducts business in the state and owns, licenses, or maintains personal information. | Implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business. |
| Florida | Fla. Stat. § 501.171(2) | Covered entities (sole proprietorship, partnership, corporation, trust, estate, cooperative, association, or other commercial entity) and third-party agents (an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity or governmental entity). | Reasonable measures to protect and secure data in electronic form containing personal information. |
| Illinois | https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67 | A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information. | Implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure. A contract for the disclosure of personal information must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures. |
| Indiana | Ind. Code § 24-4.9-3-3.5 | A database owner: a person that owns or licenses computerized data that includes personal information. | Implement and maintain reasonable procedures, including taking any appropriate corrective action. |
| Kansas | K.S. § 50-6,139b | A holder of personal information: a person who, in the ordinary course of business, collects, maintains, or possesses, or causes to be collected, maintained, or possessed, the personal information of any other person. | Implement and maintain reasonable procedures and practices appropriate to the nature of the information, and exercise reasonable care to protect the personal information from unauthorized access, use, modification, or disclosure. |
| Louisiana | La. Rev. Stat. § 3074 (2018 S.B. 361) | Any person that conducts business in the state or that owns or licenses computerized data that includes personal information. | Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. |
| Maryland | Md. Code Com. Law §§ 14-3501 to -3503 | A business: a sole proprietorship, partnership, corporation, association, or any other business entity, whether or not organized to operate at a profit. Business includes a financial institution… Non-affiliated third party/service provider. | Implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information owned or licensed and the nature and size of the business and its operations. |
| Massachusetts | Mass. Gen. Laws Ch. 93H § 2(a) | Any person that owns or licenses personal information. | Authorizes regulations to ensure the security and confidentiality of customer information in a manner fully consistent with industry standards. The regulations shall take into account the person’s size, scope, and type of business, resources available, amount of stored data, and the need for security and confidentiality of both consumer and employee information. See also 201 Mass. Code of Regs. 17.00-17.04. |
| Minnesota | Minn. Stat. § 325M.05 | Internet service providers. | Take reasonable steps to maintain the security and privacy of a consumer’s personally identifiable information. |
| Nebraska | Neb. Rev. Stat. §§ 87-801 to -807 (2018 L.B. 757) | Any individual or commercial entity that conducts business in Nebraska and maintains personal information about Nebraska residents. | Establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained. Ensure that all third parties to whom the entity provides sensitive personal information establish and maintain reasonable security processes and practices appropriate to the nature of the personal information maintained. |
| Nevada | Nev. Rev. Stat. §§ 603A.210, 603A.215(2) | A data collector that maintains records which contain personal information. A person to whom a data collector discloses personal information. | Implement and maintain reasonable security measures. |
| New Mexico | N.M. Stat. §§ 57-12C-4, 57-12C-5 (2017 H.B. 15, Chap. 36) | A person that owns or licenses personal identifying information of a New Mexico resident. | Implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal identifying information from unauthorized access, destruction, use, modification, or disclosure. |
| Ohio | Ohio Rev. Stat. §§ 1354.01 to 1354.05 (2018 S.B. 220) | A business or nonprofit entity, including a financial institution, that accesses, maintains, communicates, or handles personal information or restricted information. | To qualify for an affirmative defense to a cause of action alleging a failure to implement reasonable information security controls resulting in a data breach, an entity must create, maintain, and comply with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information as specified (e.g., conforming to an industry-recognized cybersecurity framework as listed in the act). |
| Oregon | Or. Rev. Stat. § 646A.622 | Any person that owns, maintains, or otherwise possesses data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation, or volunteer activities. | Develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the personal information, including disposal of the data. |
| Rhode Island | R.I. Gen. Laws § 11-49.3-2 | A business that owns or licenses computerized unencrypted personal information. A non-affiliated third-party contractor. | Implement and maintain a risk-based information security program with reasonable security procedures and practices appropriate to the nature of the information. |
| South Carolina | S.C. Code §§ 38-99-10 to -100 (2018 H.B. 4655) | A person licensed, authorized to operate, or registered, or required to be licensed, authorized, or registered pursuant to the insurance laws of the state (does not include a purchasing group or a risk retention group chartered and licensed in another state, or a licensee that is acting as an assuming insurer that is domiciled in another state or jurisdiction). | Requires a licensee to develop, implement, and maintain a comprehensive information security program based on the licensee’s risk assessment. Establishes requirements for the security program, such as implementing an incident response plan and other details. |
| Texas | Tex. Bus. & Com. Code § 521.052 | A business or nonprofit athletic or sports association that collects or maintains sensitive personal information. (Does not apply to financial institutions.) | Reasonable procedures, including taking any appropriate corrective action. |
| Utah | Utah Code §§ 13-44-101, -201, -301 | Any person who conducts business in the state and maintains personal information. | Implement and maintain reasonable procedures. |
| Vermont | 9 V.S.A. §§ 2446-2447 (2018 H.B. 764) | Data brokers: businesses that knowingly collect and license the personal information of consumers with whom such businesses do not have a direct relationship. | Register annually with the Secretary of State. Implement and maintain a written information security program containing administrative, technical, and physical safeguards to protect personally identifiable information. |
(as of Nov 2019)
(reported by the National Conference of State Legislatures)