Updated 2014 Data Breach Notification Costs by State

Generic placeholder image
Carl Niedbala

COO & Co-Founder

Data Breach Notification Costs

Cyber liability costs are soaring these days for all kinds of businesses (startups included).  Most people think of these “costs” as those related directly to the data breach: legal defense fees, settlements with users and 3rd party vendors, and forensic costs.

Loss attributed to data breach notification costs can go under the radar.  When user data is compromised, the company must take steps to notify users that the their personal data has been [potentially] leaked.  Seems simple enough, but the problem is that data breach notification laws differ across all 50 states.  Each state can have it’s own way of thinking about:

  • what constitutes Personally Identifiable Information (“PII”)
  • what constitutes a breach
  • when users must be notified (i.e. a “known” breach vs “reasonable belief a breach has occurred…”)
  • how notification should be made
  • safe harbor provisions that decrease liability under the statute
  • who is subject to the breach notification law (based on company operations, size, location…)

As you can see, navigating the breach notification legal landscape can get expensive pretty quickly.  A good Cyber liability insurance policy can mitigate a ton of this risk by covering data breach notification costs as well as more “traditional” data breach costs.

If you’re curious about the laws in your state, law firm Mintz Levin created a quick cheat sheet of breach notification laws by state that has been updated as recently as August 2014.  You can dive in to look at the laws in your specific state, but here are a couple big picture takeaways from the document:

  • The general definition of “PII” is as follows: “An individual’s first name or first initial and last name plus one or more of following data elements: (i) Social Security number, (ii) driver’s license number or state-issued ID card number, (iii) account number, credit card number or debit card number combined with any security code, access code, PIN or password needed to access an account and generally applies to computerized data that includes PI.
    • NOTE: California has one of the most sweeping definitions varying from the above:  “any user name or email address, in combination with a password or security question and answer that would permit access to an online account.”
  • The only states that don’t have breach notification laws are the following: Alabama, New Mexico, South Dakota.


Take some time to see where your state falls on the breach notification. If you don’t know and you have any questions, reach out! Or give us a call. If you want, you can skip the small talk and go ahead and get a quote.

Related Articles

cyber liability_crime_insurance
October 12 • Crime InsuranceCyber Liability

What’s the Difference Between Crime and Cyber Insurance?

Plenty of overlap occurs between crime and cyber liability insurance. Let’s review the similarities and differences in these policies for startups, or even small business or mid-market company.

August 31 • Cyber Liability

Cyber Liability Insurance Guide

Cyber liability insurance can seem confusing — but it doesn’t have to be. Here are several crucial cyber coverage guidelines for startups and technology companies.

August 30 • Cyber LiabilityErrors & OmissionsRisk Management Tips

Managed Service Providers (MSPs) Insurance Guide

With the environment rapidly changing for a small or mid-market business, what risks do MSPs face now? Here’s a practical guide to MSP insurance.

ransomware manufactures
August 3 • Cyber LiabilityRisk Management Tips

Ransomware Insights: Why Hackers Are Targeting Manufacturers

With ransomware attacks on the rise, why are manufacturers taking the brunt of it? Here’s our take on the situation, along with helpful tips.

July 27 • Cyber Liability

Rise of Ransomware: How to Protect Your Business

Ransomware has been on the rise for several years, with 2020 making the biggest impact. Here’s the scoop on this cybercrime and what mid-market and small businesses can expect.

June 29 • Cyber Liability

How Does Your Cybersecurity Measure Up in 2021?

Small businesses and late-stage companies face unique challenges this year. Can your cybersecurity fend off all that 2020 delivered?