CIPP/US Study Guide
Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws

Enforcement: Penalties and Private Rights of Action

All 50 states impose civil penalties; about one-third let the attorney general levy fines, often capped per breach ($750,000 being the highest noted, in Michigan). Nearly 15 states grant a private right of action, usually capped at actual damages plus fees.

Covered entities in all 50 states face civil penalties for violations. In about one-third of states, the attorney general (or appropriate agency) can impose fines, often with a maximum cap per breach - $750,000 being the highest noted (Michigan). A minority of states impose a per-day fine for noncompliance, and a few include criminal penalties for egregious conduct such as giving notice with intent to defraud.

Nearly 15 states grant a private right of action. Recovery is often capped at actual damages plus attorneys' fees and costs. Businesses harmed by a breach (e.g., banks replacing stolen card numbers) also commonly sue.

Key terms - quick answers

What is “Private right of action”?
A statutory right allowing harmed individuals to sue directly; granted by nearly 15 states' breach laws, with recovery often capped at actual damages plus fees.
What is “Actual damages”?
Damages tied to the losses actually incurred by the consumer as a result of the breach.