Cyber and Privacy Risk and Insurance

State Breach Notification Laws: Personal Information Definition

Melissa Krasnow | January 26, 2018


Forty-eight states, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, have breach notification laws. (Alabama and South Dakota do not have these laws.) These laws can differ in significant ways.

The definition of personal information in these laws continues to expand to include more types of personal information. Taken together, an individual's first name or first initial and last name, plus any of the following information, forms a basic, general definition of personal information under these laws.

  • Social Security number
  • Driver's license number, state identification card number, or other government-issued identification number
  • Account number, credit card number, or debit card number with or without any required security code, access code, or password that would permit access to an individual's financial account 1

Certain state breach notification laws also define personal information as an individual's first name or first initial and last name plus any of the following types of personal information.

  • Medical information 2
  • Health insurance information 3
  • Biometric data 4
  • DNA profile 5
  • User name or email address, in combination with a password or security question and answer that would permit access to an online account 6
  • Email address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account 7
  • Unique electronic identifier or routing code, together with any required security code, access code, or password that would permit access to an individual's financial account 8
  • Date of birth 9
  • Maiden name of individual's mother 10
  • Birth or marriage certificate 11
  • Identification number assigned to the individual by the individual's employer together with any required security code, access code, or password 12
  • Digitized or other electronic signature 13
  • Account passwords, personal identification numbers, or other access codes 14
  • Other numbers or information that may be used to access a person's financial accounts or numbers or information issued by a governmental or regulatory entity that uniquely will identify an individual account 15
  • Any other number, code, or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual's financial or credit account 16
  • Shared secrets or security tokens that are known to be used for data-based authentication 17
  • Tax information 18
  • Work-related evaluations 19
  • Information or data collected through the use or operation of an automated license plate recognition system, as defined in Section 1798.90.5 20

In addition, certain state breach notification laws define personal information to include the following types of personal information.

  • User name or email address, in combination with a password or security question and answer that would permit access to an online account 21
  • Dissociated data that, if linked, would constitute personal information is personal information if the means to link the dissociated data were accessed in connection with access to the dissociated data 22
  • Social Security number that is not encrypted or redacted 23
  • Social Security number, driver's license number, or state identification card number, account number, credit card number, or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords, or account passwords or personal identification numbers or other access codes, when not in connection with the individual's first name, or first initial, and last name, if the information, if compromised, would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised 24
  • Any information concerning a natural person that, because of name, number, personal mark, or other identifier, can be used to identify such natural person in combination with any of Social Security number, driver's license number, or nondriver identification card number or account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account 25
  • Any of a consumer's Social Security number, driver's license number, or state identification card number issued by the Department of Transportation, passport number or other identification number issued by the United States, or financial account number, credit card number, or debit card number, together with any required security code, access code, or password that would permit access to a consumer's financial account, data from automatic measurements of a consumer's physical characteristics, such as an image of a fingerprint, retina, or iris, that are used to authenticate the consumer's identity in the course of a financial transaction or other transaction, a consumer's health insurance policy number or health insurance subscriber identification number together with any other unique identifier that a health insurer uses to identify the consumer or any information about a consumer's medical history or mental or physical condition or about a health care professional's medical diagnosis or treatment of the consumer, if encryption, redaction, or other methods have not rendered the data element(s) unusable and the data element(s) would enable a person to commit identity theft against a consumer 26
  • An employer's or payroll service provider's computerized data relating to income tax withheld pursuant to Article 16 (§ 58.1-460 et seq.) of Chapter 3 of Title 58.1 containing a taxpayer identification number in combination with the income tax withheld for that taxpayer and causes, or the employer or payroll provider reasonably believes has caused or will cause, identity theft or other fraud 27
  • An individual's phone number or address and any of Social Security number, driver's license number, or District of Columbia Identification Card number, or credit card number or debit card number or any other number or code or combination of numbers or codes, such as account number, security code, access code, or password, that allows access to or use of an individual's financial or credit account 28

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.


Footnotes

1 Cal. Civ. Code § 1798.82; Colo. Rev. Stat. § 6–1–716; Conn. Gen. Stat. § 36a–701b; Del. Code tit. 6, § 12B–101 et seq. (effective date April 14, 2018); Fla. Stat. § 501.171; Ga. Code § 10–1–911 et seq.; Haw. Rev. Stat. § 487N–1 et seq.; Idaho Stat. § 28–51–104 et seq.; 815 ILCS 530/5 et seq.; Ind. Code § 24–4.9 et seq.; Iowa Code § 715C.1 et seq.; Kan. Stat. § 50–7a01 et seq.; KRS § 365.732; La. Rev. Stat. § 3073 et seq. and La. Admin. Code tit. 16, pt. III, § 701; Me. Rev. Stat. Ann. tit. 10, § 1347 et seq.; MD Code, Com. Law § 14–3501 et seq.; Mass. Gen. Laws ch. 93H; Mich. Comp. Laws § 445.63 and § 445.72; Minn. Stat. § 325E.61; Missouri Rev. Stat. § 407.1500; Miss. Code Ann. § 75–24–29; MCA § 30–14–1704; Neb. Rev. Stat. § 87–802 et seq.; Nev. Rev. Stat. § 603A.010 et seq.; N.H. Rev. Stat. § 359–C:19 et seq.; N.J. Stat. Ann. § 56:8–161 et seq.; N.M. H.B. 15; N.Y. Gen. Bus. Law § 899–aa; N.C. Gen. Stat. § 75–61 and –65 and § 14–113.20; N.D. Cent. Code § 51–30–01 et seq.; Ohio Revised Code 1349.19; Okla. Stat. § 24–162 et seq.; Or. Rev. Stat. § 646A.602 et seq.; 73 P.S. § 2302 et seq.; R.I. Gen. Laws § 11–49.3–3 and –4; S.C. Code § 39–1–90; Tennessee Code § 47–18–2107; Tex. Bus. & Comm. Code § 521.002 and § 521.053; Utah Code § 13–44–102 et seq.; Vt. Stat. Ann. tit. 9, § 2430 et seq.; Va. Code § 18.2–186.6; RCW § 19.255.010; W.V. Code § 46A–2A–101 et seq.; Wis. Stat. § 134.98; Wyo. Stat. § 40–12–501 and § 6–3–901; D.C. Code § 28–3851 et seq.; 9 GCA § 48.20 et seq.; 10 L.P.R.A. § 4051 et seq. and 14 V.I.C. § 2209.
2 Cal. Civ. Code § 1798.82; Del. Code tit. 6, § 12B–101 et seq. (effective date April 14, 2018); Fla. Stat. § 501.171; 815 ILCS 530/5 et seq.; MD Code, Com. Law § 14–3501 et seq.; Missouri Rev. Stat. § 407.1500; MCA § 30–14–1704; Nev. Rev. Stat. § 603A.010 et seq.; N.D. Cent. Code § 51–30–01 et seq.; Or. Rev. Stat. § 646A.602 et seq.; R.I. Gen. Laws § 11–49.3–3 and –4; Tex. Bus. & Comm. Code § 521.002 and § 521.053; Wyo. Stat. § 40–12–501 and § 6–3–901; and 10 L.P.R.A. § 4051 et seq.
3 Cal. Civ. Code § 1798.82; Del. Code tit. 6, § 12B–101 et seq. (effective date April 14, 2018); Fla. Stat. § 501.171; 815 ILCS 530/50; MD Code, Com. Law § 14–3501 et seq.; Missouri Rev. Stat. § 407.1500; Nev. Rev. Stat. § 603A.010 et seq.; N.D. Cent. Code § 51–30–01 et seq.; Or. Rev. Stat. § 646A.602 et seq.; R.I. Gen. Laws § 11–49.3–3 and –4; and Wyo. Stat. § 40–12–501 and § 6–3–901.
4 Del. Code tit. 6, § 12B–101 et seq. (effective date April 14, 2018); 815 ILCS 530/50; Iowa Code § 715C.1 et seq.; MD Code, Com. Law § 3501 et seq.; Neb. Rev. Stat. § 87–802 et seq.; N.M. H.B. 15; N.C. Gen. Stat. § 75–61 and –65 and § 14–113.20; Or. Rev. Stat. § 646A.602 et seq.; Wis. Stat. § 134.98; and Wyo. Stat. § 40–12–501 and § 6–3–901.
5 Del. Code tit. 6, § 12B–101 et seq. (effective date April 14, 2018) and Wis. Stat. § 134.98.
6 Del. Code tit. 6, § 12B–101 et seq. (effective date April 14, 2018); Nev. Rev. Stat. § 603A.010 et seq.; Wyo. Stat. § 40–12–501 and § 6–3–901 and 10 L.P.R.A. § 4051 et seq.
7 R.I. Gen. Laws § 11–49.3–3 and –4.
8 Iowa Code § 715C.1 et seq.; Missouri Rev. Stat. § 407.1500; and Neb. Rev. Stat. § 87–802 et seq.
9 N.D. Cent. Code § 51–30–01 et seq.
10 Id.
11 Wyo. Stat. § 40–12–501 and § 6–3–901.
12 N.D. Cent. Code § 51–30–01 et seq.
13 N.C. Gen. Stat. § 75–61 and –65 and § 14–113.20 and N.D. Cent. Code § 51–30–01 et seq.
14 Ga. Code § 10–1–911 et seq.; Me. Rev. Stat. Ann. tit. 10, § 1347 et seq. and N.C. Gen. Stat. § 75–61 and –65 and § 14–113.20.
15 Alaska Stat. § 45.48.090; Haw. Rev. Stat. § 487N–1 et seq.; N.C. Gen. Stat. § 75–61 and –65 and § 14–113.20; S.C. Code § 39–1–90 and Vt. Stat. Ann. tit. 9, § 2430 et seq.
16 D.C. Code § 28–3851 et seq.
17 Wyo. Stat. § 40–12–501 and § 6–3–901.
18 10 L.P.R.A. § 4051 et seq.
19 Id.
20 Cal. Civ. Code § 1798.82.
21 Cal. Civ. Code § 1798.82; Fla. Stat. § 501.171; 815 ILCS 530/5 et seq.; MD Code, Com. Law § 14–3501 et seq. and Neb. Rev. Stat. § 87–802 et seq.
22 N.J. Stat. Ann. § 56:8–161 et seq.
23 Ind. Code § 24–4.9 et seq.
24 Ga. Code § 10–1–911 et seq. and Me. Rev. Stat. Ann. tit. 10, § 1347 et seq.
25 N.Y. Gen. Bus. Law § 899–aa.
26 Or. Rev. Stat. § 646A.602 et seq.
27 Va. Code § 18.2–186.6.
28 D.C. Code § 28–3851 et seq.