US Data Breach Notification Requirements by State

State-level data breach notification laws govern when, how, and to whom organizations must report unauthorized access to personal information — creating a patchwork of 50 distinct statutory frameworks that applies to nearly every business operating in the United States. This page documents the structure, variation, and operational mechanics of those requirements across all 50 states and the District of Columbia. Compliance gaps in this area carry material regulatory and financial exposure, particularly for organizations handling data across multiple jurisdictions simultaneously.


Definition and scope

A data breach notification requirement is a statutory obligation imposed on entities that collect, store, or process personal information — mandating disclosure to affected individuals, state attorneys general, or consumer protection agencies when that information is accessed, acquired, or disclosed without authorization. All 50 US states, the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands have enacted breach notification statutes (NCSL State Security Breach Notification Laws).

The scope of these laws extends across private-sector companies, government agencies, nonprofits, and healthcare entities. The personal information covered typically includes Social Security numbers, driver's license numbers, financial account credentials, and medical records — though the exact enumeration of covered data elements varies by state.

Unlike US data protection regulations, which establish affirmative data handling duties, breach notification statutes are reactive — they activate only after a qualifying security incident has occurred. The legal trigger point, notification window, and required content of the notice all vary by jurisdiction, creating complexity for multi-state operations. For organizations with nationally distributed customer bases, meeting the most stringent applicable state standard is a common operational posture.


Core mechanics or structure

Breach notification frameworks share a common structural skeleton across jurisdictions, even where the details differ substantially.

Trigger definition. Each statute defines what constitutes a "breach" — typically unauthorized acquisition of unencrypted personal information. Some states, including California under the California Consumer Privacy Act (Cal. Civ. Code §1798.29) and its predecessor California Data Breach Law, extend coverage to encrypted data if the encryption key was also compromised.

Covered entity. Statutes define who must comply — typically any person or business that owns, licenses, or maintains covered personal information of state residents. Third-party data processors may carry independent notification obligations in states such as Florida (Fla. Stat. §501.171) and New York (NY SHIELD Act, General Business Law §899-aa).

Notification timeline. Timelines range from "expedient" (undefined) to fixed statutory deadlines. Florida mandates notification within 30 days of breach determination. New York's SHIELD Act requires notification "in the most expedient time possible." Colorado's HB 18-1128 (C.R.S. §6-1-716) sets a 30-day window — one of the strictest in the nation at the time of enactment.

Notification recipients. Most statutes require notifying affected individuals. Attorney general notification is mandatory in states including California, New York, and Illinois when breach thresholds are exceeded (e.g., 500 or more state residents). Consumer reporting agency notification applies in most states when more than 1,000 individuals are affected.

Notice content. Required elements commonly include: a description of what occurred, the types of information compromised, contact information for the notifying entity, and steps individuals can take to protect themselves. California mandates specific formatting requirements and minimum content standards under Civil Code §1798.82.


Causal relationships or drivers

The proliferation of state-level notification laws stems directly from the absence of a federal preemptive standard. Congress has introduced federal breach notification legislation repeatedly — including the Data Security and Breach Notification Act — but no single statute has passed to displace state laws. This legislative vacuum pushed states to act independently beginning with California's Security Breach Information Act in 2003, the first such law in the US.

Enforcement intensity correlates with breach frequency and political visibility. States with large financial and technology sectors — California, New York, and Texas — tend to maintain more detailed and frequently updated statutes. The data breach response procedures that organizations must execute are shaped directly by which state laws apply.

Incident volume also shapes statutory evolution. The 2017 Equifax breach, which exposed personal information of approximately 147 million Americans (FTC Equifax Data Breach Settlement), accelerated legislative activity in states that had not yet updated their frameworks to include credit-related data elements.

The growth of third-party data security risks has also driven statutory expansion — specifically the inclusion of service provider and vendor obligations in states such as Massachusetts (201 CMR 17.00) and Oregon.


Classification boundaries

State breach notification statutes can be classified along four axes:

1. Data element scope. Narrow statutes cover only traditional identifiers (SSN, driver's license, financial account numbers). Expanded statutes — including Illinois, California, and Oregon — add biometric data, medical information, passport numbers, and username/password combinations.

2. Trigger threshold. Some states (e.g., Florida, Colorado) apply a harm-based analysis: a breach triggers notification only if it is reasonably likely to cause harm. Others apply a strict liability model: any unauthorized acquisition of covered data triggers notification regardless of harm likelihood.

3. Regulatory authority. Enforcement may rest with the attorney general (most states), a dedicated agency (e.g., the California Privacy Protection Agency under CPPA), or both. States with sector-specific regulators — such as the New York Department of Financial Services under 23 NYCRR 500 — layer additional notification duties on top of the general breach statute.

4. Exemption structures. Entities already regulated under HIPAA (45 CFR §§164.400–164.414) receive substitute compliance exemptions in most states, meaning HIPAA breach notification satisfies the state requirement. Similar exemptions apply to Gramm-Leach-Bliley Act (GLBA)-covered financial institutions in a minority of states. Understanding sector-specific data security requirements is essential for determining which exemptions apply.


Tradeoffs and tensions

The decentralized structure of US breach notification law creates documented operational friction.

Compliance cost vs. notification speed. Shorter mandatory windows (30 days in Florida and Colorado) reduce the organization's ability to complete forensic investigation before notifying — potentially resulting in inaccurate or incomplete notices that must be amended.

Over-notification vs. under-notification. The absence of a uniform harm threshold means organizations must decide between applying the most conservative state standard uniformly (risking alert fatigue among consumers) or tailoring notifications by state (increasing legal and operational complexity).

Federal preemption debates. Industry stakeholders frequently argue that a single federal standard would reduce compliance costs, while privacy advocates and state attorneys general argue that federal preemption would lower the floor of protection available to consumers. The FTC has published policy positions supporting minimum federal standards (FTC, Protecting Consumer Privacy in an Era of Rapid Change) without those positions becoming binding law.

Encryption safe harbors. Most states exempt encrypted data from notification requirements — but the definition of "encryption" is rarely specified. Organizations relying on data encryption standards must verify that their encryption methods meet the implicit or explicit standards that would qualify for a state's safe harbor.


Common misconceptions

Misconception: HIPAA compliance satisfies all state breach notification duties.
Correction: HIPAA's Breach Notification Rule (45 CFR Part 164, Subpart D) covers only protected health information held by covered entities and business associates. State statutes cover a broader population of entities and additional data categories. HIPAA substitution exemptions apply only where states have explicitly written them into statute.

Misconception: Notification is only required when data is confirmed stolen.
Correction: Most statutes require notification upon unauthorized acquisition or access — not confirmed exfiltration or misuse. Florida and California both use acquisition-based triggers, not harm-confirmation-based triggers.

Misconception: Encrypted data is always exempt.
Correction: California Civil Code §1798.82 removes the encryption safe harbor if the encryption key is also compromised. Several states have adopted similar carve-outs. Data at rest security controls must account for key exposure scenarios, not just encryption status.

Misconception: Small businesses are exempt.
Correction: No state statute uniformly exempts businesses based on size alone. Some states offer modified requirements for businesses below employee or revenue thresholds (e.g., Vermont's Act 171), but the threshold structures are narrow and do not constitute blanket exemptions.


Checklist or steps (non-advisory)

The following sequence reflects the standard operational phases applied in multi-state breach notification compliance determinations. This is a structural description of the process, not legal guidance.

  1. Incident identification and containment — The moment of discovery is documented and recorded; containment measures are initiated to limit further unauthorized access.

  2. Covered data inventory review — Legal and security teams map the compromised data set against the categories of personal information defined in each applicable state's statute.

  3. Affected resident identification — Individuals are identified by state of residence — not by where the organization is located — to determine which statutes apply.

  4. Harm threshold analysis — Where statutes require a likelihood-of-harm assessment (Florida, Iowa, North Carolina), a documented risk analysis is completed.

  5. Regulatory notification deadlines mapped — Each applicable state's deadline is identified and logged. The earliest mandatory notification date governs the overall timeframe.

  6. Attorney general pre-notification (where required) — States including New York, California, Illinois, and Massachusetts require simultaneous or advance notice to the AG when breach thresholds are met.

  7. Consumer credit reporting agency notification — Triggered in most states when more than 1,000 individuals in that state are affected.

  8. Individual notice drafting — Notice language is reviewed against each state's required content elements. California's specific formatting mandates under Civil Code §1798.82 are verified.

  9. Notice delivery — Method of delivery (written, electronic, substitute notice via media) is selected based on contact information availability and cost thresholds.

  10. Documentation and regulatory response preparation — All notifications, timestamps, and risk assessments are archived for regulatory examination. Many states permit or require post-notification reporting to the AG.


Reference table or matrix

State Breach Notification Law Quick Reference — Selected Jurisdictions

State         | Statute                             | Notification Window | AG Notification Threshold | Encryption Safe Harbor              | Key Expansion
California    | Cal. Civ. Code §1798.29 / §1798.82  | Expedient           | 500+ residents            | Yes (with key-compromise carve-out) | Biometric, medical, username/password
New York      | NY SHIELD Act, GBL §899-aa          | Most expedient time | 500+ residents            | Yes                                 | Biometric, email credentials
Florida       | Fla. Stat. §501.171                 | 30 days             | 500+ residents            | Yes                                 | Third-party service provider duties
Colorado      | C.R.S. §6-1-716                     | 30 days             | 500+ residents            | Yes                                 | Harm threshold required
Texas         | Tex. Bus. & Com. Code §521.053      | Expedient           | No statutory threshold    | Yes                                 | Covers Texas residents only
Illinois      | 815 ILCS 530                        | Expedient           | 500+ residents            | Yes                                 | Biometric data covered separately (BIPA)
Massachusetts | M.G.L. c. 93H                       | Expedient           | Any breach                | Yes                                 | Comprehensive written security program required
Oregon        | ORS §646A.604                       | 45 days             | 250+ residents            | Yes                                 | Biometric, passport numbers
Virginia      | Va. Code §18.2-186.6                | 60 days             | 1,000+ residents          | Yes                                 | AGO notification required
Washington    | RCW §19.255.010                     | 30 days             | 500+ residents            | Yes (with key exception)            | Biometric data added 2020

Sources: NCSL State Security Breach Notification Laws; individual state statutes as cited.

Organizations subject to personally identifiable information protection obligations must verify current statutory text at point of use, as state legislatures amend these statutes without uniform notice cycles.
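The checklist above (steps 3, 5, 6 and 7) and the quick-reference table describe a mechanical determination that incident response teams usually automate in a playbook: given the count of affected residents per state and the recorded discovery date, work out which notifications are due and which fixed deadline governs. The following is an added example written for this page, not code from the page's sources or from any regulator; the per-state values are transcribed from the selected-jurisdiction table above, and it assumes (as labelled in the comments) that deadlines are counted in calendar days from the discovery date, that the 1,000-individual consumer reporting agency threshold the page describes as applying "in most states" is applied uniformly, and that the encryption safe harbor is applied conservatively by treating the California/Washington key-compromise carve-out as the standard for every state. Values for states outside the table are deliberately rejected rather than guessed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

# Selected-jurisdiction rules transcribed from this page's quick-reference table.
# window_days=None: statute only says "expedient" (no fixed calendar deadline).
# ag_threshold=None: the table lists no statutory threshold for AG notice.
# ag_threshold=0: "any breach" must be reported to the AG.
@dataclass(frozen=True)
class StateRule:
    statute: str
    window_days: Optional[int]
    ag_threshold: Optional[int]

RULES: dict = {
    "CA": StateRule("Cal. Civ. Code §1798.29 / §1798.82", None, 500),
    "NY": StateRule("NY SHIELD Act, GBL §899-aa", None, 500),
    "FL": StateRule("Fla. Stat. §501.171", 30, 500),
    "CO": StateRule("C.R.S. §6-1-716", 30, 500),
    "TX": StateRule("Tex. Bus. & Com. Code §521.053", None, None),
    "IL": StateRule("815 ILCS 530", None, 500),
    "MA": StateRule("M.G.L. c. 93H", None, 0),
    "OR": StateRule("ORS §646A.604", 45, 250),
    "VA": StateRule("Va. Code §18.2-186.6", 60, 1000),
    "WA": StateRule("RCW §19.255.010", 30, 500),
}

# Assumption: the page says consumer reporting agency notice applies "in most
# states when more than 1,000 individuals are affected"; applied uniformly here.
CRA_THRESHOLD = 1000


@dataclass(frozen=True)
class Obligation:
    state: str
    residents: int
    statute: str
    individual_deadline: Optional[date]  # None: "expedient", no fixed date
    ag_notice: Optional[bool]            # None: table lists no threshold
    cra_notice: bool


def map_obligations(discovery: Union[date, str], affected: dict,
                    encrypted: bool = False,
                    key_compromised: bool = False) -> list:
    """Return one Obligation per state with affected residents, fixed
    deadlines first (earliest first), "expedient" states last.

    Assumption: deadlines are counted in calendar days from the recorded
    discovery date (checklist step 1). The encryption safe harbor is applied
    conservatively: notice is suppressed only when the data was encrypted AND
    the key was not compromised, i.e. the key-exposure carve-out the table
    lists for California and Washington is treated as the bar in every state.
    """
    if isinstance(discovery, str):
        discovery = date.fromisoformat(discovery)
    if encrypted and not key_compromised:
        return []
    obligations = []
    for state, residents in affected.items():
        if state not in RULES:
            raise ValueError(f"{state}: not in the selected-jurisdiction table")
        if residents <= 0:
            continue
        rule = RULES[state]
        deadline = (discovery + timedelta(days=rule.window_days)
                    if rule.window_days is not None else None)
        ag = None if rule.ag_threshold is None else residents >= rule.ag_threshold
        obligations.append(Obligation(state, residents, rule.statute, deadline,
                                      ag, residents > CRA_THRESHOLD))
    return sorted(obligations,
                  key=lambda o: (o.individual_deadline is None,
                                 o.individual_deadline or date.max))


def earliest_deadline(obligations: list) -> Optional[date]:
    """Checklist step 5: the earliest fixed statutory date governs the timeline."""
    fixed = [o.individual_deadline for o in obligations if o.individual_deadline]
    return min(fixed) if fixed else None


if __name__ == "__main__":
    # Constructed sample: per-state resident counts for a hypothetical incident.
    sample = {"FL": 600, "OR": 300, "TX": 50, "MA": 10, "VA": 1500, "CA": 2000}
    obs = map_obligations("2024-03-01", sample)
    for o in obs:
        print(o)
    print("governing deadline:", earliest_deadline(obs))
```

Running the sample yields a 30-day Florida deadline as the governing date, Oregon's attorney general notice triggered at 300 residents (its 250+ threshold) while Florida's 600 also clears the 500+ bar, Massachusetts flagged for AG notice on any breach, Texas returned with no threshold decision because the table lists none, and only Virginia and California crossing the consumer reporting agency line. The sort order puts the fixed-deadline states first so the playbook can work the clock-bound notices before the "expedient" ones.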

