In order to request data breach notification reports from governments, several criteria must be met. The state must have Freedom of Information or Open Records legislation. The state must have Breach Notification legislation, and the state must require notifications to a centralized authority (like an Attorney General, or a Consumer Protection division).
At this time, only 12 states meet the requirements for gathering Primary Sources. 35 states have data loss notification legislation, but no centralized reporting. 4 states have no data loss notification legislation.
See our Federal Data Breach Notification Legislation page for our analysis of federal legislation.
Maine
We have 435 primary sources, and 5 primary sources journal entries for Maine.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | Yes |
| Overview: | Maine has all the necessary requirements for requesting breach notifications through FOI. They have a comprehensive Freedom of Information Law, and a somewhat centralized data breach notification law. The law requires notifications be made to the Attorney General's Office in most cases, and the Department of Professional and Financial Regulation when the organization is a bank or financial institution. |
| FOI Contact info: | Maine does not maintain a centralized records department for information requests. Instead, they maintain a comprehensive list of contacts in each department that can assist and process information requests. The departments in question in ME are the Attorney General's office, and the Department of Professional and Financial Regulation. |
Maryland
We have 424 primary sources, and no primary sources journal entries for Maryland.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | Yes |
| Overview: | Per the law: "...a business shall provide notice of a breach of the security of a system to the Office of the Attorney General...". Maryland also posts their notifications online. |
| FOI Contact info: | |
Missouri
We have no primary sources, and no primary sources journal entries for Missouri.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | Yes |
| Overview: | Effective August 28, 2009, victims who are residents of Missouri must be notified of a data breach. If 1,000 or more are notified, then the attorney general must also be notified. |
| FOI Contact info: | The Sunshine law suggests we contact the custodian of the records, in this case, the Attorney General. Also, "A public body may reduce or waive costs when it determines the request is made in the public interest and is not made for commercial purposes." |
New Hampshire
We have 388 primary sources, and no primary sources journal entries for New Hampshire.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | Yes |
| Overview: | New Hampshire's Attorney General receives notices of data loss incidents, and also posts them online. |
| FOI Contact info: | Contact the department of justice. The right to know act seems comprehensive. |
New Jersey
We have no primary sources, and no primary sources journal entries for New Jersey.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | Yes |
| Overview: | Interestingly, New Jersey's law states that organizations experiencing breaches must: "in advance of the disclosure to the customer, report the breach of security and any information pertaining to the breach to the Division of State Police in the Department of Law and Public Safety for investigation or handling". Apparently, the state has this to say about these records: "are considered criminal investigatory records and are exempt from disclosure", which may make them unattainable. |
| FOI Contact info: | "first page to tenth page, $0.75 per page; eleventh page to twentieth page, $0.50 per page; all pages over twenty, $0.25 per page." No mention of mailing/postage. Contact the custodian. |
New York
We have 659 primary sources, and no primary sources journal entries for New York.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | Yes |
| Overview: | "In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the consumer protection board, and the state office of cyber security and critical infrastructure coordination as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents." |
| FOI Contact info: | Reasonable fees, etc. No central records contact, instead, contact the department that holds the records. |
North Carolina
We have 230 primary sources, and no primary sources journal entries for North Carolina.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | Yes |
South Carolina
We have no primary sources, and no primary sources journal entries for South Carolina.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | Yes |
| Overview: | An "agency" that experiences a breach must notify the Consumer Protection Division of the Department of Consumer Affairs if the breach affects more than 1000 residents. "Agency" is defined as: ‘Agency’ means any agency, department, board, commission, committee, or institution of higher learning of the State or a political subdivision of it. In addition, businesses are also required to notify the Department of Consumer Affairs under the same circumstances as above. |
| FOI Contact info: | Per the law, "...Any person has a right to inspect or copy any public record of a public body...". Reasonable fees apply. No mention of postage. Request must be in writing. |
Vermont
We have 23 primary sources, and no primary sources journal entries for Vermont.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | Yes |
| Overview: | Vermont seems to have partial centralized data loss incident reporting. Per the law:
"... If the data collector establishes that misuse of the personal information is not reasonably possible, the data collector shall provide notice of its determination that misuse of the personal information is not reasonably possible and a detailed explanation for said determination to the Vermont attorney general or to the department of banking, insurance, securities, and health care administration in the event that the data collector is a person or entity licensed or registered with the department under Title 8 or this title. The data collector may designate its notice and detailed explanation to the Vermont attorney general or the department of banking, insurance, securities, and health care administration as "trade secret" if the notice and detailed explanation meet the definition of trade secret contained in subdivision 317(c)(9) of Title 1."
In addition, the Attorney General has issued a "guidance", described as follows:
"The Guidance requires businesses and state agencies to take the following steps when they experience a security breach:
Secure the data that has been compromised.
Contact law enforcement to determine if a criminal investigation is warranted.
Contact the Vermont Attorney General’s Office.
Notify consumers affected by the breach within 10 business days of the breach."
Vermont also shares some notifications online. |
| FOI Contact info: | Per the law, "Any person may inspect or copy any public record or document of a public agency..." implying residency is not a requirement. Reasonable fees apply for time, copying, and postage. |
Virginia
We have 85 primary sources, and 2 primary sources journal entries for Virginia.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | Yes |
| Overview: | Per the law: "In the event an individual or entity provides notice to more than 1,000 persons at one time pursuant to this section, the individual or entity shall notify, without unreasonable delay, the Office of the Attorney General and all consumer reporting agencies that compile..." |
| FOI Contact info: | Appears that you need to be a resident of VA in order to make FOIA requests to the state (per law). No mention of postage, but detailed mention of "reasonable fees" not to exceed actual costs. |
Alaska
We have no primary sources, and no primary sources journal entries for Alaska.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | While Alaska has FOI legislation, and a data loss reporting law, it only requires notification to a central agency (the Attorney General) should the organization experiencing the breach want an exclusion from reporting. |
| FOI Contact info: | |
Arizona
We have no primary sources, and no primary sources journal entries for Arizona.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Arkansas
We have no primary sources, and no primary sources journal entries for Arkansas.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
California
We have 16 primary sources, and no primary sources journal entries for California.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | While being the 'grandmother of data loss incident reporting', California has no centralized data loss incident reporting. |
| FOI Contact info: | |
Connecticut
We have no primary sources, and no primary sources journal entries for Connecticut.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Delaware
We have no primary sources, and no primary sources journal entries for Delaware.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
District of Columbia
We have no primary sources, and no primary sources journal entries for District of Columbia.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Florida
We have 21 primary sources, and no primary sources journal entries for Florida.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Georgia
We have no primary sources, and no primary sources journal entries for Georgia.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Idaho
We have no primary sources, and no primary sources journal entries for Idaho.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No central reporting of data loss incidents. |
| FOI Contact info: | |
Illinois
We have 1 primary source, and no primary sources journal entries for Illinois.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | Partial for state agencies, as they have to send a report to the General Assembly within 5 days of noticing the breach.
"...(815 ILCS 530/25)
Sec. 25. Annual reporting. Any State agency that collects personal data and has had a breach of security of the system data or written material shall submit a report within 5 business days of the discovery or notification of the breach to the General Assembly listing the breaches and outlining any corrective measures that have been taken to prevent future breaches of the security of the system data or written material. Any State agency that has submitted a report under this Section shall submit an annual report listing all breaches of security of the system data or written materials and the corrective measures that have been taken to prevent future breaches.
(Source: P.A. 94-947, eff. 6-27-06.)..." |
| FOI Contact info: | "...all persons are entitled to full and complete information regarding the affairs of government... " Reasonable fees apply. "...in person or in writing..." |
Indiana
We have no primary sources, and no primary sources journal entries for Indiana.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Iowa
We have no primary sources, and no primary sources journal entries for Iowa.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Kansas
We have no primary sources, and no primary sources journal entries for Kansas.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Louisiana
We have no primary sources, and no primary sources journal entries for Louisiana.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Michigan
We have 4 primary sources, and no primary sources journal entries for Michigan.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | Apparently no centralized data loss incident reporting. |
| FOI Contact info: | |
Minnesota
We have no primary sources, and no primary sources journal entries for Minnesota.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Mississippi
We have no primary sources, and no primary sources journal entries for Mississippi.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | Has a breach notification law, effective July 1, 2010, but no centralized reporting requirement. |
| FOI Contact info: | |
Montana
We have no primary sources, and no primary sources journal entries for Montana.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Nevada
We have no primary sources, and no primary sources journal entries for Nevada.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
North Dakota
We have no primary sources, and no primary sources journal entries for North Dakota.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Ohio
We have no primary sources, and no primary sources journal entries for Ohio.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Oklahoma
We have no primary sources, and no primary sources journal entries for Oklahoma.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Oregon
We have no primary sources, and no primary sources journal entries for Oregon.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Pennsylvania
We have no primary sources, and no primary sources journal entries for Pennsylvania.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Rhode Island
We have no primary sources, and no primary sources journal entries for Rhode Island.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Tennessee
We have no primary sources, and no primary sources journal entries for Tennessee.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Texas
We have no primary sources, and no primary sources journal entries for Texas.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Utah
We have no primary sources, and no primary sources journal entries for Utah.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Washington
We have no primary sources, and no primary sources journal entries for Washington.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
West Virginia
We have no primary sources, and no primary sources journal entries for West Virginia.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Wisconsin
We have 4 primary sources, and 2 primary sources journal entries for Wisconsin.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | Does not appear to have centralized data loss incident reporting per the law, but does appear to post some information online. Am inquiring about why the information is posted online, and how the information is obtained. |
| FOI Contact info: | |
Wyoming
We have no primary sources, and no primary sources journal entries for Wyoming.
| Has FOI Law?: | Yes | Has Data Loss Law?: | Yes | Has Centralized DL Reporting?: | No |
| Overview: | No centralized data loss incident reporting. |
| FOI Contact info: | |
Alabama
We have no primary sources, and no primary sources journal entries for Alabama.
| Has FOI Law?: | Yes | Has Data Loss Law?: | No | Has Centralized DL Reporting?: | No |
| Overview: | No data loss incident reporting legislation. |
| FOI Contact info: | |
Kentucky
We have no primary sources, and no primary sources journal entries for Kentucky.
| Has FOI Law?: | Yes | Has Data Loss Law?: | No | Has Centralized DL Reporting?: | No |
| Overview: | No data loss incident reporting legislation. |
| FOI Contact info: | |
New Mexico
We have no primary sources, and no primary sources journal entries for New Mexico.
| Has FOI Law?: | Yes | Has Data Loss Law?: | No | Has Centralized DL Reporting?: | No |
| Overview: | No data loss incident notification legislation. |
| FOI Contact info: | |
South Dakota
We have no primary sources, and no primary sources journal entries for South Dakota.
| Has FOI Law?: | Yes | Has Data Loss Law?: | No | Has Centralized DL Reporting?: | No |
| Overview: | No data loss incident reporting legislation, and as a result, no centralized data loss incident reporting. |
| FOI Contact info: | |