US Data Breach Notification Requirements by State

State data breach notification laws collectively govern how organizations operating in the United States must respond when personal information is exposed, accessed, or acquired without authorization. All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted distinct statutory frameworks, producing a patchwork of conflicting timelines, definitions, and covered data categories. This page maps the structural mechanics of those frameworks, identifies where they diverge, and provides classification and comparison tools for compliance and legal professionals navigating multi-state obligations.


Definition and scope

A data breach notification requirement is a statutory obligation compelling covered entities to inform affected individuals — and in most cases regulators — when defined categories of personal information have been compromised through unauthorized acquisition or access. The National Conference of State Legislatures (NCSL) tracks these statutes across all U.S. jurisdictions; as of 2024, no single federal omnibus data breach notification law has been enacted, leaving state statutes as the primary operative framework (NCSL Security Breach Notification Laws).

Scope of coverage typically has two axes:

  1. Subject matter — what categories of data trigger notification obligations
  2. Entity coverage — which types of organizations are bound by the statute

Most state laws define personal information as a combination of an individual's first name (or initial) and last name together with one or more sensitive identifiers: Social Security number, driver's license number, financial account credentials, or medical/health insurance information. California's Consumer Privacy Act (Cal. Civ. Code § 1798.82) extends triggering categories to include biometric data, passport numbers, tax identification numbers, and unique device identifiers — a broader scope than the majority of state statutes.

Entity coverage similarly varies. Most statutes apply to any business that owns, licenses, or maintains personal information of residents of that state, regardless of where the business is physically located. Several states — including New York under the SHIELD Act (N.Y. General Business Law § 899-aa) — explicitly extend obligations to entities that merely "maintain" data on behalf of others, bringing data processors and service providers within scope alongside data owners.

The interplay between state breach laws and sector-specific federal frameworks — particularly the HIPAA Breach Notification Rule at 45 CFR Part 164, Subpart D and the Gramm-Leach-Bliley Act's Safeguards Rule administered by the FTC — creates layered obligations for organizations in healthcare and financial services. Meeting a federal notification timeline does not automatically satisfy the stricter requirements of a given state statute, and vice versa.


Core mechanics or structure

Every state breach notification statute operates through a common structural logic, even where individual provisions differ substantially.

Trigger event: Notification obligations activate upon a qualifying breach — typically defined as unauthorized acquisition of unencrypted personal information. Encrypted data is generally exempt unless decryption keys were also compromised. California introduced a formal definition of "breach of the security of the system" that distinguishes unauthorized acquisition from unauthorized access, a nuance adopted by fewer than 12 other states.

Risk of harm threshold: A substantial number of states condition the notification obligation on a determination that the breach creates a "material risk of harm" or "significant risk of identity theft or fraud" to affected individuals. This risk-of-harm threshold allows entities to conduct an internal assessment before mandatory notification. California, by contrast, imposes strict-liability notification for specified data categories with no harm-threshold exception.

Notification recipients: State statutes typically require notification to three categories:
- Affected individuals — residents of that state whose information was compromised
- State regulators — typically the attorney general, sometimes a specific agency (e.g., the Department of Financial Services under NYDFS 23 NYCRR 500 for covered financial entities)
- Consumer reporting agencies — when the breach affects more than a threshold number of residents (500 in many states, 1,000 in others)

Notification content: Statutes specify minimum content requirements for breach notices: description of the incident, categories of data affected, steps taken to secure systems, contact information for inquiries, and guidance on protective steps available to individuals. The FTC's Health Breach Notification Rule, enforceable under 16 CFR Part 318, specifies parallel content requirements for covered health applications not subject to HIPAA.

Notification method: Substitute notice provisions — typically permitting email, website posting, or statewide media notice — apply when direct contact is cost-prohibitive, with thresholds set variously at 100,000 or 500,000 affected individuals depending on the state.


Causal relationships or drivers

The 50-state notification patchwork was not planned but emerged from a sequence of legislative responses to specific, high-profile incidents. California enacted the first modern breach notification statute, Cal. Civ. Code § 1798.82, in 2002 — a direct legislative response to the 2002 exposure of California state employee data. Every other state subsequently adopted analogous legislation, with the last holdout (Alabama) passing its Breach Notification Act (Code of Alabama § 8-38-1 et seq.) in 2018.

Three structural forces drive ongoing statutory divergence:

  1. State sovereignty and legislative competition: State attorneys general have an institutional interest in maintaining independent enforcement authority over breach events affecting their residents. Preemptive federal legislation would reduce that jurisdiction, creating durable political resistance.

  2. Industry lobbying for uniformity: Large multi-state operators — financial institutions, retailers, and healthcare systems — consistently advocate for a single federal standard to reduce compliance overhead. The IBM Cost of a Data Breach Report 2023 (IBM, 2023) placed the average total cost of a data breach at $4.45 million, a figure that includes notification compliance costs across jurisdictions as a contributing component.

  3. Consumer protection advocacy for broader coverage: Privacy advocacy organizations and state attorneys general have pushed for expanding covered data categories beyond the original Social Security/financial account construct to include geolocation, biometric, and health data not covered by HIPAA.

These forces produce a dynamic where state laws are continuously amended, with legislatures in Connecticut, Colorado, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas all passing significant updates or new comprehensive privacy statutes between 2022 and 2024.


Classification boundaries

State breach notification statutes can be classified along four principal dimensions:

1. Notification deadline
- 30 days: Florida (Fla. Stat. § 501.171), Ohio (72 hours for certain entities under HB 104)
- 45 days: Delaware, Colorado
- 60 days: Most remaining states, including New York (under SHIELD Act) and Texas
- "Expedient/reasonable" time: Approximately 20 states use this formulation without a hard deadline

2. Risk-of-harm threshold
- Required assessment (harm threshold must be crossed): The majority of states
- Strict liability (no harm threshold): California, Florida (for certain data categories)

3. Covered data categories
- Narrow (SSN + financial account): Alabama, Montana (pre-2024 amendments), Mississippi
- Moderate (adds medical, health insurance, login credentials): New York, Pennsylvania
- Broad (adds biometric, geolocation, tax ID, passport, device identifiers): California, Colorado, Connecticut

4. Regulatory filing obligation
- Attorney general notification required: 34+ states
- Sector-specific regulator (e.g., NYDFS, state insurance commissioner): New York, South Carolina, Nevada
- No state-level regulatory filing below a resident threshold: Fewer than 10 states


Tradeoffs and tensions

Uniformity vs. consumer protection baseline: A single federal breach notification standard could reduce compliance costs for multi-state organizations but risks establishing a floor below the more protective provisions of California and New York law. Industry coalitions including the U.S. Chamber of Commerce have periodically supported federal preemption bills; privacy advocates consistently oppose them absent provisions preserving state authority to exceed federal minimums.

Speed vs. accuracy: Short mandatory timelines — particularly Florida's 30-day window — create pressure to notify before forensic investigations are complete. Premature notification can misdescribe affected data categories, generate unnecessary consumer alarm, and in some cases expose the reporting entity to additional legal risk. Longer timelines (60 days or "reasonable time") allow for more accurate scope determination but may delay protective action by affected individuals.

Harm threshold vs. strict liability: Harm-threshold models reduce notification volume and associated costs, but place the risk-assessment burden on the entity whose systems were breached — a structural conflict of interest. Strict-liability models eliminate that conflict at the cost of potentially over-notifying consumers about low-risk incidents.

Encryption safe harbors: Encryption exemptions incentivize data-at-rest encryption as a breach mitigation strategy, which aligns with NIST SP 800-111 guidance on storage encryption. However, these exemptions do not apply uniformly across states, and the definition of "encryption" sufficient to trigger the safe harbor varies in technical specificity.


Common misconceptions

Misconception 1: Federal law governs data breach notification
No enacted federal omnibus data breach notification law exists as of 2024. The HIPAA Breach Notification Rule (45 CFR §§ 164.400–164.414) applies only to covered entities and their business associates under HIPAA. The FTC's Health Breach Notification Rule applies only to vendors of personal health records and related applications not covered by HIPAA. General commercial entities not in healthcare or finance have no operative federal notification obligation.

Misconception 2: Encrypted data is always exempt
Most state statutes provide a safe harbor for encrypted data, but this exemption is conditional. If the encryption key was also compromised, the safe harbor typically does not apply. Additionally, California's statute explicitly excludes from its encryption exemption scenarios where the entity's conduct was negligent — a provision that narrows the safe harbor in litigation contexts.

Misconception 3: Notification is only owed to residents of the breached entity's home state
Breach notification obligations are triggered by the residency of the affected individuals, not the location of the breached entity. A business incorporated in Delaware that maintains records on Texas and New York residents must comply with Texas Business and Commerce Code § 521 and New York General Business Law § 899-aa regardless of where its servers are located.

Misconception 4: Meeting the HIPAA 60-day deadline satisfies all state requirements
HIPAA's Breach Notification Rule requires covered entities to notify affected individuals within 60 days of discovery (45 CFR § 164.404). Florida's state law requires notification within 30 days for covered entities, a deadline that is stricter than HIPAA's and controls for Florida residents regardless of whether HIPAA also applies.

Misconception 5: A "small breach" below a threshold exempts an entity from all notification
Thresholds for substitute notice, media notification, and consumer reporting agency notification exist in most statutes — but these thresholds govern method of notification, not the obligation to notify affected individuals. In most states, even a breach affecting a single resident triggers individual notification obligations.



Checklist or steps (non-advisory)

The following discrete steps reflect the standard structural sequence of a state-law breach notification process. This is a reference sequence, not legal guidance.

  1. Breach discovery confirmation — Document the date of discovery and distinguish between unauthorized access and unauthorized acquisition, as the distinction affects trigger analysis in states following the California definitional model.

  2. Affected data inventory — Identify which specific data categories were exposed. Map against the covered data categories of each state in which affected residents reside to determine which statutes are triggered.

  3. Residency identification — Extract the state of residence for each affected individual from available records to determine which state notification obligations apply.

  4. Harm threshold assessment — For each triggered statute that includes a harm threshold, conduct and document a risk-of-harm determination. Document the methodology and outcome.

  5. Notification deadline calculation — For each triggered state, identify the applicable deadline (30, 45, 60 days, or "expedient time" from discovery). Apply the strictest deadline across all triggered jurisdictions as the governing operational deadline.

  6. Regulatory filing determination — Identify which triggered statutes require attorney general or sector-specific regulator notification. Confirm applicable resident-count thresholds and filing formats.

  7. Notice content drafting — Confirm compliance of draft notice language against the content requirements of each triggered statute. Minimum content typically includes: incident description, data categories affected, timeline, remediation steps taken, and contact information.

  8. Notification delivery — Execute individual notifications by the required method (written, electronic, or substitute notice if threshold conditions are met). Document delivery dates.

  9. Consumer reporting agency notification — Where breach volume exceeds state thresholds (commonly 500 or 1,000 residents), file timely notice with consumer reporting agencies as required.

  10. Regulatory filing submission — Submit attorney general and sector-specific filings (e.g., NYDFS under 23 NYCRR 500.17) within applicable deadlines, which in some states differ from the individual notification deadline.

  11. Documentation and retention — Preserve records of the breach investigation, harm assessment, notification content and delivery, and regulatory filings in accordance with applicable records retention requirements.
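Steps 2 through 6 above, as an added worked example that is not part of this page: a Python function that takes the exposed data categories and the count of affected residents per state and returns the triggered statutes, each state's deadline, whether a harm assessment gates notice, whether a regulator filing is due, and the governing (strictest) deadline. The per-state rules are constructed illustration data transcribed from this page's comparison table and its definition of personal information, not a complete statement of any statute; the encryption handling follows the "key also compromised" caveat from the Common misconceptions section.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed reference data transcribed from this page's comparison table and
# its definition of personal information (name + identifier); it is not a
# complete statement of any statute. deadline_days=None encodes "expedient time".
BASE = frozenset({"ssn", "drivers_license", "financial_account"})

@dataclass(frozen=True)
class StateRule:
    statute: str
    deadline_days: int | None   # hard deadline in days from discovery, or None
    harm_threshold: bool        # True: a risk-of-harm assessment gates notice
    categories: frozenset[str]  # data categories that trigger the statute
    ag_min_residents: int       # regulator filing is due above this count

RULES = {
    "CA": StateRule("Cal. Civ. Code § 1798.82", None, False, BASE | {"biometric", "geolocation", "tax_id", "passport", "device_id"}, 500),
    "NY": StateRule("N.Y. Gen. Bus. Law § 899-aa", None, True, BASE | {"biometric", "login_credentials"}, 0),
    "FL": StateRule("Fla. Stat. § 501.171", 30, True, BASE | {"login_credentials", "medical"}, 500),
    "TX": StateRule("Tex. Bus. & Comm. Code § 521.053", 60, True, BASE | {"login_credentials"}, 0),
    "DE": StateRule("Del. Code tit. 6 § 12B-102", 60, True, BASE | {"passport", "tax_id", "biometric", "login_credentials"}, 0),
}

def analyze(exposed, residents, discovered, encrypted=False, key_compromised=False):
    """Checklist steps 2-6: map exposed category tags and {state: count} to triggered statutes, ISO deadlines, filing duties and the governing deadline."""
    # Encryption safe harbor holds only while the key is uncompromised
    # (California's negligence carve-out is not modelled here).
    if encrypted and not key_compromised:
        return {"triggered": {}, "governing_deadline": None, "safe_harbor": True}
    found = date.fromisoformat(discovered)
    triggered = {}
    for state, count in residents.items():
        rule = RULES.get(state)
        matched = exposed & rule.categories if rule else set()
        # Personal information means a name plus at least one covered identifier.
        if count == 0 or "name" not in exposed or not matched:
            continue
        triggered[state] = {
            "statute": rule.statute,
            "matched": sorted(matched),
            "harm_assessment_required": rule.harm_threshold,
            "deadline": None if rule.deadline_days is None
                        else (found + timedelta(days=rule.deadline_days)).isoformat(),
            "regulator_filing": count > rule.ag_min_residents,
        }
    # The strictest hard deadline governs; "expedient" states add no fixed day count.
    hard = [t["deadline"] for t in triggered.values() if t["deadline"]]
    return {"triggered": triggered, "governing_deadline": min(hard) if hard else None, "safe_harbor": False}
```

States with an "expedient" standard are still reported as triggered; they simply contribute no hard date, so a run that triggers only such states returns no governing deadline and the practitioner must set one from the facts.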


Reference table or matrix

State Data Breach Notification Law Comparison — Selected Jurisdictions

State | Statute | Deadline | Harm Threshold | Key Expanded Data Categories | AG Filing Required
California | Cal. Civ. Code § 1798.82 | Expedient/most prompt | No (strict liability for specified categories) | Biometric, geolocation, tax ID, passport, device ID | Yes (if >500 CA residents)
New York | N.Y. Gen. Bus. Law § 899-aa (SHIELD Act) | Expedient | Yes | Biometric, username/password, account credentials | Yes
Florida | Fla. Stat. § 501.171 | 30 days | Yes | Login credentials, medical info | Yes (if >500 FL residents)
Texas | Tex. Bus. & Comm. Code § 521.053 | 60 days | Yes (owns/licenses) | Login credentials | Yes
Colorado | Colo. Rev. Stat. § 6-1-716 | 30 days (AG); 30 days (individuals) | Yes | Login credentials, medical, passport, biometric | Yes
Illinois | 815 ILCS 530/10 | Expedient | Yes | Medical, biometric (through BIPA separately) | No mandatory threshold
Delaware | Del. Code tit. 6 § 12B-102 | 60 days | Yes | Passport, taxpayer ID, biometric, online credentials | Yes
Massachusetts | Mass. Gen. Laws ch. 93H | Expedient (AG: as soon as reasonably possible) | Yes | Financial credentials, SSN, driver's license | Yes
Washington | RCW 19.255.010 | | | |

References