Updated: April 19, 2019

Alabama

Statute - 2018 - Alabama Statute - SB 318
Businesses and Government agencies in Alabama need to protect private data in their possession.

Penalty
If there is a breach and they fail to notify the affected then the Alabama Attorney General can pursue penalties of $5,000 per day up to $500,000 per breach.

Alaska

Statute - 2017 - Alaska Statute - AS 45.48.500
“(a) When disposing of records that contain personal information, a business and a governmental agency shall take all reasonable measures necessary to protect against unauthorized access to or use of the records.”

Penalty
Businesses and Government agencies in Alaska need to meet a standard of care for personal data. This standard of care ends when the data is delivered to a 3rd party vendor or to the record pertainee. WipeDrive can be implemented by businesses and government agencies to ensure data is removed prior to leaving their organization. Civil Penalty up to $3,000.00.

Arizona

Statute - 2018 - Arizona Statute - A.R.S. §§ 18-551 and 18-552
Businesses and Government agencies in Arizona are responsible to protect private data in their possession.

Penalty
If there is a breach and they fail to notify the affected then the Arizona Attorney General can pursue penalties of $5,000 per day up to $500,000 per breach. The Arizona Attorney General can also pursue civil penalties up to $10,000 for each affected.

Arkansas

Statute - Arkansas Statute - § 4-110-103 & 104
“(a) A person or business shall take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information that is no longer to be retained by the person or business by shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.
(b) A person or business that acquires, owns, or licenses personal information about an Arkansas resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

Penalty
Businesses and Government agencies in Arkansas must have personal data destroyed internally or by a 3rd party. This data must not be recoverable after disposal. Arkansas Attorney General can seek civil penalties for violations.

California

Statute - 2018 - California Civil Code - §§ 1798.81
“A business shall take all reasonable steps to dispose, or arrange for the disposal, of customer records within its custody or control containing personal information when the records are no longer to be retained by the business by (a) shredding, (b) erasing, or (c) otherwise modifying the personal information in those records to make it unreadable or undecipherable through any means.”

Penalty
All California businesses are regulated by this law and any data breach violations could result in a $500 - $3,000 fine per violation.

Colorado

Statute - 2016 - Colorado Revised Statutes - Title 6 Article 1 Part 7 § 6-1-713
“(1) Each public and private entity in the state that uses documents during the course of business that contain personal identifying information shall develop a policy for the destruction or proper disposal of paper documents containing personal identifying information.”

Penalty
The Colorado Attorney General may bring an action in law or equity to address violations of this section and for other relief that may be appropriate to ensure compliance with this section or to recover direct economic damages resulting from a violation, or both.

Connecticut

Statute - 2011 - Connecticut Code – 42-471
“(a) Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.”

Penalty
Businesses that intentionally violate this statute can be fined $500 for each violation and a maximum of $5,000 for any single event.

Delaware

Statute - Delaware Code – Title 6 Chapter 50C § 5001C
“In the event that a commercial entity seeks permanently to dispose of records containing consumers' personal identifying information within its custody or control, such commercial entity shall take reasonable steps to destroy or arrange for the destruction of each such record by shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it unreadable or indecipherable.”

Penalty
A consumer who incurs actual damages due to a reckless or intentional violation of this chapter may bring a civil action against the commercial entity.

Florida

Statute - 2018 – Florida – Title XXXIII Statute § 501.171
“(8) REQUIREMENTS FOR DISPOSAL OF CUSTOMER RECORDS. - Each covered entity or third-party agent shall take all reasonable measures to dispose, or arrange for the disposal, of customer records containing personal information within its custody or control when the records are no longer to be retained. Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.”

Penalty
The Florida Attorney General may fine the government agency or business for failing to provide notice of a data breach. The penalties are from $1,000 to $500,000 depending on the number of days from breach to notification.

Georgia

Statute - 2010 - Georgia Code - Section § 10-15-2
“A business may not discard a record containing personal information unless it:
(1) Shreds the customer's record before discarding the record;
(2) Erases the personal information contained in the customer's record before discarding the record;
(3) Modifies the customer's record to make the personal information unreadable before discarding the record; or
(4) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the customer's record for the period between the record's disposal and the record's destruction.”

Penalty
The Georgia Attorney General can penalize businesses up to $500 for each customer's record violation, with a maximum of $10,000.

Hawaii

Statute - Hawaii Revised Statute - §§ 487R-1-3
“(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, recycling, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed;
(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed; and
(3) Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.”

Penalty
Any business that violates this statute can be penalized up to $2,500 for each violation. The businesses are also liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation.

Illinois

Statute - Illinois Statute - ILCS 815 ILCS 530/45 - Sec. 45. Data security
“(a) A data collector that owns or licenses, or maintains or stores but does not own or license, records that contain personal information concerning an Illinois resident shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”

Penalty
The business can be penalized up to $100 for each individual record with a maximum fine of $50,000 for each instance of improper disposal.

Indiana

Statute - Indiana Statute - IC 24-4.9-2-2
“Sec. 2. (a) "Breach of the security of data" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a person. The term includes the unauthorized acquisition of computerized data that have been transferred to another medium, including paper, microfilm, or a similar medium, even if the transferred data are no longer in a computerized format.”

Penalty
The business must notify affected parties regarding the data breach. If the business does not and purposely deceives the affected parties, then the Indiana Attorney General may pursue a fine of up to $150,000 per deceptive act.

Kansas

Statute - Kansas Statute - § 50-7a03
“Unless otherwise required by federal law or regulation, a person or business shall take reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information which is no longer to be retained by the person or business by shredding, erasing or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.”

Penalty
The organization must notify affected parties and the Attorney General of Kansas can pursue damages.

Kentucky

Statute - 2006 - Kentucky Rev. Statute - § 365.725
“Destruction of customer’s records containing personally identifiable information.
When a business disposes of, other than by storage, any customer’s records that are not required to be retained, the business shall take reasonable steps to destroy, or arrange for the destruction of, that portion of the records containing personally identifiable information by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable through any means.”

Penalty
Businesses must notify individuals of a data breach. Individuals may pursue civil action against businesses that lose their personal data.

Massachusetts

Statute - Massachusetts General Laws - Chapter 93I, § 2
“Section 2. When disposing of records, each agency or person shall meet the following minimum standards for proper disposal of records containing personal information:
(a) paper documents containing personal information shall be either redacted, burned, pulverized or shredded so that personal data cannot practicably be read or reconstructed;
(b) electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed.”

Penalty
Individuals may pursue civil action for $100 per violation. The Massachusetts Attorney General can also pursue civil action against the organization.

Maryland

Statute - 2018 - Maryland Personal Information Protection Act - § 14-3501
“Under the revised regulation, it now includes:
• State identification card number
• Passport number or other identification number issued by the federal government
• Health information, meaning any information created by an entity covered by HIPAA regarding an individual’s medical history, medical condition, or medical treatment or diagnosis
• Health insurance policy or certificate number or health insurance subscriber identification number, in combination with a unique identifier used by an insurer or an employer that is self-insured, that permits access to an individual’s medical health information
• Biometric data
• Username or email address in combination with a password or security question that permits access to an individual’s email account”

Penalty
Businesses have 45 days to notify affected parties of a data breach. Violations will be penalized according to Title 13.

Michigan

Statute - 2007 - Act 452 445.72a Sec. 12a
“(1) Subject to subsection (3), a person or agency that maintains a database that includes personal information regarding multiple individuals shall destroy any data that contain personal information concerning an individual when that data is removed from the database and the person or agency is not retaining the data elsewhere for another purpose not prohibited by state or federal law. This subsection does not prohibit a person or agency from retaining data that contain personal information for purposes of an investigation, audit, or internal review.”

Penalty
Violators can be charged with a misdemeanor and a $250.00 fine for each violation.

Montana

Statute - 2017 - Montana Code Annotated - § 30-14-1703
“A business shall take all reasonable steps to destroy or arrange for the destruction of a customer’s records within its custody or control containing personal information that is no longer necessary to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or undecipherable.”

Penalty
Businesses are liable for a civil fine up to $10,000 for each violation.

Nevada

Statute - 2005 - Nevada Revised Statute - § 603A.200
“1. A business that maintains records which contain personal information concerning the customers of the business shall take reasonable measures to ensure the destruction of those records when the business decides that it will no longer maintain the records.”
“(1) Shredding of the record containing the personal information; or
(2) Erasing of the personal information from the records.”

Penalty
Businesses must notify all affected parties of a data breach.

New Jersey

Statute - 1997 - New Jersey Statute - § 56:8-162
“A business or public entity shall destroy, or arrange for the destruction of, a customer’s records within its custody or control containing personal information, which is no longer to be retained by the business or public entity, by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable, undecipherable or nonreconstructable through generally available means.”

Penalty
Businesses must notify all affected parties of a data breach.

New Mexico

Statute - 2017 - Data Breach Notification Act – Section 3
“A person that owns or licenses records containing personal identifying information of a New Mexico resident shall arrange for proper disposal of the records when they are no longer reasonably needed for business purposes. As used in this section, ‘proper disposal’ means shredding, erasing or otherwise modifying the personal identifying information contained in the records to make the personal identifying information unreadable or undecipherable.”

Penalty
Businesses must notify all affected parties of a data breach in 45 days. Delaying notification or purposeful violation can receive a civil penalty up to $25,000 or $10 per violation up to $150,000.

New York

Statute - New York General Business Law - § 399-H
“Disposal of records containing personal identifying information. No person, business, firm, partnership, association, or corporation, not including the state or its political subdivisions, shall dispose of a record containing personal identifying information unless the person, business, firm, partnership, association, or corporation, or other person under contract with the business, firm, partnership, association, or corporation does any of the following:
a) shreds the record before the disposal of the record; or
b) destroys the personal identifying information contained in the record; or
c) modifies the record to make the personal identifying information unreadable; or
d) takes actions consistent with commonly accepted industry practices that it reasonably believes will ensure that no unauthorized person will have access to the personal identifying information contained in the record.
Provided, however, that an individual person shall not be required to comply with this subdivision unless he or she is conducting business for profit.”

Penalty
Businesses can be fined up to $5,000 by the New York Attorney General.

North Carolina

Statute - 2005 – North Carolina General Statute § 75-64
a) “Any business that conducts business in North Carolina and any business that maintains or otherwise possesses personal information of a resident of North Carolina must take reasonable measures to protect against unauthorized access to or use of the information in connection with or after its disposal.
b) The reasonable measures must include:
    (1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing personal information so that information cannot be practicably read or reconstructed.
    (2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media and other nonpaper media containing personal information so that the information cannot practicably be read or reconstructed.
    (3) Describing procedures relating to the adequate destruction or proper disposal of personal records as official policy in the writings of the business entity.”

Penalty
Businesses are liable for any damages caused by the data breach, as awarded by the jury.

Oregon

Statute - 2018 - Oregon Revised Statute § 646A.622
“(iv) Disposing of personal information after the person no longer needs the personal information for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.”

Penalty
The Oregon Attorney General can pursue civil penalties from the organization.

Rhode Island

Statute - 2009 - Rhode Island General Laws - § 6-52-2
“A business shall take reasonable steps to destroy or arrange for the destruction of a customer’s personal information within its custody and control that is no longer to be retained by the business by shredding, erasing, or otherwise destroying and/or modifying the personal information in those records to make it unreadable or indecipherable through any means for the purpose of:
(1) Ensuring the security and confidentiality of customer personal information;
(2) Protecting against any reasonably foreseeable threats or hazards to the security or integrity of customer personal information; and
(3) Protecting against unauthorized access to, or use of, customer personal information that could result in substantial harm or inconvenience to any customer.”

Penalty
An affected party may bring a civil action against the business and the Rhode Island Attorney General can pursue $500 per violation up to $50,000.

South Carolina

Statute - 2012 - South Carolina Code - § 37-20-190
“(A) When a business disposes of a business record that contains personal identifying information of a customer of a business, the business shall modify, by shredding, erasing, or other means, the personal identifying information to make it unreadable or undecipherable.”

Penalty
An affected party may bring a civil action against the business.

Tennessee

Statute - 2017 - Tennessee Code - § 47-18-2107
“Following discovery or notification of a breach of system security by an information holder, the information holder shall disclose the breach of system security to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

Penalty
Affected parties may institute a civil action to recover damages from the business.

Texas

Statute - 2007 - Texas Business and Commercial Code - § 72.004
“Following discovery or notification of a breach of system security by an information holder, the information holder shall disclose the breach of system security to any resident of this state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”

Penalty
The business is liable for a civil penalty of $500 for each business record. The Texas Attorney General may recover additional civil penalties.

Utah

Statute - 2006 - Utah Code - § 13-44-201
“1) Any person who conducts business in the state and maintains personal information shall implement and maintain reasonable procedures to:
(a) prevent unlawful use or disclosure of personal information collected or maintained in the regular course of business; and
(b) destroy, or arrange for the destruction of, records containing personal information that are not to be retained by the person.
2) The destruction of records under Subsection (1)(b) shall be by:
(a) shredding;
(b) erasing; or
(c) otherwise modifying the personal information to make the information indecipherable.”

Penalty
The business must notify affected parties of a breach.

Vermont

Statute - Vermont Statutes Amended - § 2445
“(b) A business shall take all reasonable steps to destroy or arrange for the destruction of a customer's records within its custody or control containing personal information which is no longer to be retained by the business by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable...”

Penalty
The Vermont Attorney General will investigate all violations.

Virginia

Statute - 2018 - Code of Virginia - § 18.2-186.6
Businesses and Government agencies in Virginia are responsible to protect private data in their possession.

Penalty
Each violation could be punished up to $100 per instance. The Virginia Attorney General can also pursue damages.

Washington

Statute - Washington Revised - § 19.215.020
“(1) An entity must take all reasonable steps to destroy, or arrange for the destruction of, personal financial and health information and personal identification numbers issued by government entities in an individual's records within its custody or control when the entity is disposing of records that it will no longer retain.”

Penalty
Affected individuals may be awarded from $200-$600 or higher, depending on the actual damages. The Washington Attorney General may bring civil penalties as well.

Wisconsin

Statute - Wisconsin Statute - § 134.97
“(2) Disposal of records containing personal information. A financial institution, medical business or tax preparation business may not dispose of a record containing personal information unless the financial institution, medical business, tax preparation business or other person under contract with the financial institution, medical business or tax preparation business does any of the following:
(a) Shreds the record before the disposal of the record.
(b) Erases the personal information contained in the record before the disposal of the record.
(c) Modifies the record to make the personal information unreadable before the disposal of the record.
(d) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the record for the period between the record's disposal and the record's destruction.”

Penalty
A single violation can cost up to $1,000.

WhiteCanyon's WipeDrive solution meets your state's data disposal requirements and will assist you with complying with all statutory and regulatory requirements.

Please contact our enterprise sales team at 801.224.8900