Data Breach Notification Requirements by State
State data breach notification laws form the primary legal framework governing how organizations must respond when personal information is compromised. All 50 US states, the District of Columbia, Puerto Rico, and the US Virgin Islands have enacted breach notification statutes, creating a patchwork of overlapping and sometimes conflicting obligations that affect every sector handling personal data. The specifics — definitions of covered data, triggering thresholds, notification timelines, and required content — vary substantially across jurisdictions. Organizations operating across state lines must navigate this multi-jurisdictional landscape carefully, as a single incident can simultaneously trigger notification obligations under dozens of distinct statutory frameworks.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
A data breach, for notification purposes, is generally defined as unauthorized acquisition of computerized personal information that compromises the security, confidentiality, or integrity of that data. The National Conference of State Legislatures (NCSL) tracks state breach notification statutes and distinguishes between laws covering residents of a given state and laws covering businesses operating within that state — a distinction that determines which statute governs when an incident occurs.
The scope of "personal information" subject to breach notification varies significantly. Most state laws were modeled on California's original Security Breach Information Act (Cal. Civ. Code § 1798.29 and § 1798.82), enacted in 2002, which defined personal information as a name combined with Social Security number, driver's license number, or financial account credentials. Subsequent amendments and newer state statutes have expanded coverage to include medical information, biometric data, passport numbers, tax identification numbers, usernames with passwords, and in some states, geolocation data.
California's current framework under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) extends breach liability to additional categories. New York's SHIELD Act (NY General Business Law § 899-aa), effective March 2020, broadened the definition of private information and extended obligations to any business holding data on New York residents, regardless of where the business is located.
Core mechanics or structure
Breach notification frameworks operate across three mandatory notification channels in most states: (1) notification to affected individuals, (2) notification to the state attorney general or regulatory agency, and (3) in high-volume incidents, notification to consumer reporting agencies.
Triggering thresholds — Most states require notification only when a breach creates a "reasonable likelihood" or "material risk" of harm to affected individuals. Florida (Fla. Stat. § 501.171) requires notification within 30 days of determining a breach occurred when 500 or more Florida residents are affected and mandates reporting to the Florida Department of Legal Affairs. Several states apply no numeric threshold and require notification based solely on the nature of the data exposed.
Notification timelines — Deadlines range from 30 days (Florida, New Mexico) to 90 days (multiple states) to a more ambiguous "expedient time" or "without unreasonable delay" standard used by states including Texas (Tex. Bus. & Com. Code § 521.053). Ohio (Ohio Rev. Code § 1347.12) specifies 45 days. The most aggressive timeline is Colorado's, under the Colorado Privacy Act and HB 18-1128, which mandates notification within 30 days of discovery.
Regulatory reporting — Approximately 30 states require notification to the state attorney general, a consumer protection office, or a sector-specific regulator in addition to individual notification. New York requires notification to the Attorney General, the Department of Financial Services (NYDFS), and potentially the Division of State Police depending on affected populations (NY General Business Law § 899-aa).
Content requirements — Notification letters must typically include a description of the incident, the type of information compromised, steps taken to remediate, and information about affected individuals' available protective measures such as credit monitoring or fraud alert enrollment.
Causal relationships or drivers
The fragmentation of US breach notification law traces directly to the absence of a single comprehensive federal data protection statute. The Federal Trade Commission (FTC) holds general enforcement authority over unfair or deceptive practices under Section 5 of the FTC Act (15 U.S.C. § 45) but the FTC Act does not contain a specific breach notification mandate for most industries.
Sector-specific federal frameworks create parallel obligations for specific data types. The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, administered by the HHS Office for Civil Rights (45 CFR Part 164, Subpart D), requires covered entities to notify affected individuals within 60 days of discovering a breach of protected health information. The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, enforced by the FTC and federal banking regulators, requires financial institutions to notify customers of certain breaches. These federal mandates run concurrently with — not in place of — state notification requirements, typically defaulting to whichever standard is more protective for the consumer.
Classification boundaries
Breach notification obligations fall into four major classification categories based on the data type and the entity holding it:
1. General consumer data — Governed primarily by state statutes. Applies to any business holding personal information about state residents. No sector restriction.
2. Protected health information (PHI) — Governed by HIPAA's Breach Notification Rule for covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. State health privacy laws may impose additional or different requirements.
3. Financial data — Governed by the GLBA Safeguards Rule for financial institutions. The FTC's revised Safeguards Rule (effective June 2023) added a requirement to notify the FTC within 30 days of discovering a breach affecting 500 or more customers (FTC Safeguards Rule, 16 CFR Part 314).
4. Student education records — Governed by the Family Educational Rights and Privacy Act (FERPA), administered by the US Department of Education. FERPA does not include an explicit breach notification provision, making state statutes the operative framework for educational institutions outside the PHI and financial categories.
The interplay between these four categories determines which notification timeline is most restrictive and which regulators must be contacted in any given incident.
Tradeoffs and tensions
The multi-state compliance environment creates documented operational tensions. A business maintaining records on residents of all 50 states must, following a single breach incident, evaluate 50 sets of statutory definitions, timelines, and reporting pathways — a process the NCSL has acknowledged generates substantial administrative burden without uniformly better consumer outcomes.
Conflict between "harm threshold" and "automatic notification" approaches — States such as Vermont effectively require notification for any unauthorized access to personal information regardless of demonstrated harm, while others require a showing of "material risk" before notification obligations activate. An incident that triggers notification under Vermont law may not meet the threshold in states like Ohio, placing organizations in the position of either notifying broadly (risking notification fatigue among consumers) or notifying narrowly (risking under-compliance in strict jurisdictions).
Encryption safe harbors — Most state statutes exempt organizations from notification obligations when breached data was encrypted and the encryption key was not also compromised. The scope of "encryption" that qualifies for safe harbor treatment is not uniformly defined across states, creating ambiguity for organizations using partial-field encryption or emerging cryptographic methods.
Law enforcement delay provisions — Roughly 40 states permit or require delay in consumer notification when a law enforcement agency determines that notification would impede a criminal investigation. The maximum permissible delay varies from 30 days in some statutes to an indeterminate "active investigation" window in others.
Common misconceptions
Misconception: Federal law preempts state notification statutes.
HIPAA preempts state health privacy laws only where the state law is less protective than HIPAA. State laws that impose stricter or additional requirements are not preempted. For non-health data, no comprehensive federal preemption exists.
Misconception: Notification is only required if data is actually misused.
Triggering under most state statutes requires only unauthorized acquisition or access — not demonstrated misuse. California, for example, does not require proof of harm or actual identity theft to activate notification obligations under Cal. Civ. Code § 1798.82.
Misconception: Encryption always eliminates notification obligations.
Encryption safe harbors are conditioned on the encryption meeting a standard that renders data "unreadable, unusable, or indecipherable." Several states, including Massachusetts (201 CMR 17.00), require that encryption meet specific technical standards. Weak or deprecated encryption algorithms do not qualify.
Misconception: The 60-day HIPAA timeline is the default for all industries.
The 60-day rule applies only to HIPAA-covered entities and business associates. Financial institutions under the revised FTC Safeguards Rule face a 30-day reporting window. Florida's general breach statute sets a 30-day individual notification deadline regardless of sector.
Checklist or steps (non-advisory)
The following sequence reflects the standard procedural phases in breach notification compliance as described in frameworks published by the FTC, HHS, and the NCSL. This is a structural reference, not legal guidance.
- Incident identification — Determine whether an event constitutes unauthorized acquisition or access to personal information, as defined under applicable state and federal statutes.
- Scope determination — Identify which states' residents are represented in the compromised data set and the volume of affected individuals per jurisdiction.
- Data classification — Classify the compromised data by type (PHI, financial, general PII, student records) to identify which federal frameworks apply alongside state statutes.
- Timeline calculation — Identify the most restrictive notification deadline across all applicable jurisdictions. Log the date of "discovery" as defined by statute in each relevant state.
- Law enforcement consultation — Determine whether a law enforcement agency has requested delay in notification and document the basis and duration of any such delay.
- Encryption safe harbor review — Assess whether breached data qualifies for any state's encryption exception and verify the encryption standard used meets each state's definitional threshold.
- Regulator notification — File required reports with each state attorney general or designated agency, and with federal regulators (HHS OCR, FTC, NYDFS as applicable) by their respective deadlines.
- Individual notification — Prepare and distribute breach notification letters meeting the content requirements of each applicable state statute.
- Consumer reporting agency notification — Notify major consumer reporting agencies when a single state's affected resident count meets or exceeds that state's large-breach threshold (e.g., 1,000 residents in California under Cal. Civ. Code § 1798.82(f)).
- Documentation retention — Retain records of breach discovery, notification timing, and communications in accordance with applicable record retention requirements.
Reference table or matrix
| State | Statute | Notification Deadline | Regulator Notification Required | Encryption Safe Harbor | Notable Feature |
|---|---|---|---|---|---|
| California | Cal. Civ. Code § 1798.82 | "Expedient time" / "without unreasonable delay" | AG (if 500+ residents) | Yes | Expanded data types under CCPA/CPRA |
| New York | NY GBL § 899-aa (SHIELD Act) | "Expedient time" | AG, NYDFS, Division of State Police | Yes | Covers any entity with NY resident data |
| Florida | Fla. Stat. § 501.171 | 30 days (500+ residents) | FL Dept. of Legal Affairs | Yes | 30-day deadline is among strictest |
| Texas | Tex. Bus. & Com. Code § 521.053 | "Expedient time" | AG (if 250+ Texans) | Yes | AG notification added 2023 |
| Colorado | HB 18-1128 / CPA | 30 days | AG | Yes | 30-day deadline; broad data definition |
| Ohio | Ohio Rev. Code § 1347.12 | 45 days | — | Yes | Safe harbor for NIST framework compliance |
| Massachusetts | Mass. Gen. Laws c. 93H | "As expeditiously as possible" | AG, OCABR | Yes (201 CMR 17.00 standards) | Strict technical encryption standards |
| New Mexico | NMSA § 57-12C | 30 days | AG | Yes | Among later-adopting states (2017) |
| Vermont | 9 V.S.A. § 2430 | "In the most expedient time possible" | AG | Yes | No harm threshold required |
| Illinois | 815 ILCS 530 | "Expedient time" | AG | Yes | Biometric data also governed by BIPA |
Statutes and requirements are subject to legislative amendment. Verification against current statutory text is required for compliance determinations.