Updated 2014 Data Breach Notification Costs by State

Generic placeholder image
Carl Niedbala

COO & Co-Founder

Data Breach Notification Costs

Cyber liability costs are soaring these days for all kinds of businesses (startups included).  Most people think of these “costs” as those related directly to the data breach: legal defense fees, settlements with users and 3rd party vendors, and forensic costs.

Loss attributed to data breach notification costs can go under the radar.  When user data is compromised, the company must take steps to notify users that the their personal data has been [potentially] leaked.  Seems simple enough, but the problem is that data breach notification laws differ across all 50 states.  Each state can have it’s own way of thinking about:

  • what constitutes Personally Identifiable Information (“PII”)
  • what constitutes a breach
  • when users must be notified (i.e. a “known” breach vs “reasonable belief a breach has occurred…”)
  • how notification should be made
  • safe harbor provisions that decrease liability under the statute
  • who is subject to the breach notification law (based on company operations, size, location…)

As you can see, navigating the breach notification legal landscape can get expensive pretty quickly.  A good Cyber liability insurance policy can mitigate a ton of this risk by covering data breach notification costs as well as more “traditional” data breach costs.

If you’re curious about the laws in your state, law firm Mintz Levin created a quick cheat sheet of breach notification laws by state that has been updated as recently as August 2014.  You can dive in to look at the laws in your specific state, but here are a couple big picture takeaways from the document:

  • The general definition of “PII” is as follows: “An individual’s first name or first initial and last name plus one or more of following data elements: (i) Social Security number, (ii) driver’s license number or state-issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account and generally applies to computerized data that includes PI.
    • NOTE: California has one of the most sweeping definitions varying from the above:  “any user name or email address, in combination with a password or security question and answer that would permit access to an online account.”
  • The only states that don’t have breach notification laws are the following: Alabama, New Mexico, South Dakota.


Take some time to see where your state falls on the breach notification. If you don’t know and you have any questions, reach out! Or give us a call. If you want, you can skip the small talk and go ahead and get a quote.

Related Articles

April 10 • Cyber LiabilityRisk Management Tips

Top 5 Social Media Influencer Lawsuits

A social media influencer often reaches millions of people, raising the stakes for the mid-market companies who hire them. Here’s how these risks unfold.

September 30 • Cyber LiabilityErrors & Omissions

E&O Insurance Guide for Canadian Tech Companies

Canadian tech companies face unique exposures — but tech E&O insurance helps to mitigate risks. Here’s what you should know.

September 23 • Cyber LiabilityErrors & Omissions

Top 5 E&O and Cyber Claims for Canadian Tech Companies

Canadian tech companies face a slew of challenges — but five primary E&O and Cyber claims stick out. Here’s a look at these themes.

protect from a data breach
August 18 • Cyber LiabilityRisk Management Tips

How to Protect Your Fast-Growing Business From a Data Breach

A cyberattack could devastate your fast-growing business quickly. With cybersecurity a real concern, here’s how to protect your mid-market business from a data breach.

April 8 • Cyber LiabilityGeneral Liability

Reducing Risk for E-Scooter Operators: Safety, Security & Hardware

In the context of e-scooter safety, we’ve teamed with ACTON to identify and mitigate the most significant risks operators face today.

April 8 • Cyber Liability

Cyber Liability and PCI DSS Compliance [Why it Matters]

PCI DSS compliance and cyber liability can seem confusing, but we break it down for you so you can keep your business booming.