US Data Breach Notification Laws by State

State-level data breach notification laws form the primary legal framework governing how organizations must respond when personal information is exposed, stolen, or unlawfully accessed in the United States. All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have enacted breach notification statutes, creating a patchwork of obligations that vary significantly in scope, timeline, and enforcement. This page maps the structure of that landscape — covering definitions, triggering conditions, classification distinctions, and the regulatory tensions that compliance professionals and legal teams navigate.


Definition and Scope

A data breach notification law is a statute that compels covered entities — businesses, government agencies, nonprofit organizations, or other data holders — to inform affected individuals, state attorneys general, or consumer reporting agencies when a security incident results in unauthorized acquisition of personal information. The notification obligation is triggered not by discovery of a vulnerability but by confirmed or reasonably believed unauthorized access to data.

The National Conference of State Legislatures (NCSL) tracks these statutes across all U.S. jurisdictions. The threshold definition of "personal information" differs materially across state lines. At minimum, all 50 states treat first name or initial combined with Social Security number, driver's license number, or financial account credentials as protected data. States such as California, under the California Consumer Privacy Act (CCPA) and the California Consumer Privacy Rights Act (CPRA), extend the definition to biometric data, precise geolocation, and browsing history tied to an individual.

The scope of "covered entity" also varies. Some states restrict obligations to businesses operating within state borders; others apply their statutes to any entity that handles data belonging to state residents, regardless of where the organization is headquartered. The Federal Trade Commission (FTC) treats breach notification obligations under Section 5 of the FTC Act as an unfair or deceptive practice enforcement matter for entities not covered by sector-specific federal rules.

Sector-specific federal statutes layer onto state laws rather than preempting them in most cases. The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule (45 CFR §§ 164.400–414) governs healthcare entities. The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, as amended effective June 2023, governs financial institutions under FTC jurisdiction and imposes a 30-day notification window to the FTC for breaches affecting 500 or more customers.


Core Mechanics or Structure

Breach notification laws share a common structural skeleton across jurisdictions, though the specifics diverge in consequential ways.

Trigger condition. Most statutes activate on "unauthorized acquisition" of personal information. A subset of states, including Florida under Florida Statute § 501.171, also triggers on unauthorized access, which is a broader standard — it does not require proof that data was copied or exfiltrated, only that a covered system was accessed without authorization.

Investigation period. Entities typically conduct a forensic investigation to determine whether a breach occurred, what data was affected, and which individuals are impacted. State laws differ on whether the notification clock starts from the date of discovery or the date the breach is confirmed. California's timeline under California Civil Code § 1798.82 requires notification in the "most expedient time possible and without unreasonable delay."

Notification deadlines. Florida mandates notification within 30 days of breach determination. Texas, under Texas Business & Commerce Code § 521.053, requires notification "as quickly as possible" without a fixed deadline. New York's SHIELD Act requires notification "in the most expedient time possible." Ohio Revised Code § 1349.19 specifies 45 days. Colorado Revised Statutes § 6-1-716 sets a 30-day ceiling.

Notification recipients. All state laws require notification to affected individuals. The majority also require notice to the state attorney general when the breach exceeds a defined threshold — commonly 500 or 1,000 residents. California requires notification to the attorney general when more than 500 California residents are affected. The FTC's Health Breach Notification Rule extends federal notification obligations to vendors of personal health records outside HIPAA's scope.


Causal Relationships or Drivers

The proliferation of state breach notification laws originates directly from California's enactment of the first such statute in 2002 (California SB 1386), which created a legislative template that the remaining states adopted iteratively over the following two decades. The absence of a comprehensive federal breach notification law — a recurring legislative effort that has not passed — sustains state-level divergence.

The Identity Theft Resource Center (ITRC), a nonprofit tracking U.S. breach statistics, reported 3,205 publicly disclosed data compromises in 2023, a 72 percent increase over the 2022 figure of 1,862, intensifying legislative pressure to strengthen state notification requirements.

Enforcement capacity is a primary driver of statutory variation. States with larger attorney general offices and dedicated privacy enforcement units — California, New York, and Illinois — have produced stricter statutes and more active enforcement histories. Illinois's Biometric Information Privacy Act (BIPA, 740 ILCS 14) carries a private right of action with statutory damages of $1,000 per negligent violation and $5,000 per intentional violation, creating litigation-based enforcement pressure independent of agency action.


Classification Boundaries

State breach notification laws divide along four axes that determine applicable obligations:

1. Data type coverage. A baseline tier covers financial and government ID data. An expanded tier adds medical, biometric, usernames with passwords, and tax identification numbers. A comprehensive tier — California, Colorado, Connecticut — adds geolocation, race or ethnic origin data, and mental or physical health information.

2. Entity type coverage. Most statutes apply to any legal entity handling state residents' data. A subset carves out exemptions for entities already compliant with HIPAA or GLBA, treating compliance with those federal frameworks as a safe harbor from state-level notification obligations.

3. Harm threshold. Some statutes require notification only when the breach creates a material risk of harm to affected individuals. Montana, Nebraska, and North Carolina apply a risk-of-harm assessment. Others, including California and New York, require notification regardless of whether harm is likely.

4. Encryption safe harbor. The large majority of states provide a safe harbor for encrypted data — meaning breaches of properly encrypted data do not trigger notification unless the encryption key was also compromised. The precise standard for "adequate encryption" is not universally defined; states typically reference "encryption" without specifying algorithm or key-length standards, leaving that determination to the reasonable interpretation of the covered entity and its legal counsel.


Tradeoffs and Tensions

The 50-state patchwork creates measurable compliance overhead for organizations operating nationally. A company suffering a breach affecting residents of 35 states must simultaneously manage up to 35 distinct notification timelines, format requirements, and regulatory reporting obligations — an operational burden that disproportionately affects mid-sized organizations without dedicated privacy counsel.

Legislative proposals for a federal preemption statute have repeatedly stalled, in part because advocates for state autonomy argue that state laws have historically provided stronger protections than proposed federal floors. Consumer advocacy organizations including the Electronic Privacy Information Center (EPIC) have opposed preemption proposals that would weaken state standards.

The risk-of-harm threshold creates a tension between administrative efficiency and consumer transparency. Entities subject to risk-of-harm thresholds may internally conclude that notification is unnecessary in ambiguous cases, leaving affected individuals without information to protect themselves. States without a harm threshold resolve that tension in favor of disclosure.

Encryption safe harbors create an incentive for broader adoption of data-at-rest encryption — a security outcome regulators and practitioners broadly endorse — but they also create risk that organizations treat encryption as a universal exemption without confirming that their implementation meets minimum security standards.


Common Misconceptions

Misconception: HIPAA compliance satisfies all state breach notification obligations.
HIPAA's Breach Notification Rule applies only to covered entities and business associates as defined under 45 CFR § 160.103. Healthcare organizations may still face independent state notification obligations, particularly in states that do not grant a HIPAA safe harbor or that define "medical information" more broadly than HIPAA does.

Misconception: Notification is only required when data is confirmed stolen.
Florida, Oregon, and North Dakota use "unauthorized access" as the trigger, not confirmed exfiltration. In those jurisdictions, evidence that an unauthorized party accessed a system containing personal data — even without proof of data removal — activates notification obligations.

Misconception: Encrypted data is always exempt from notification.
Safe harbor provisions require that encryption keys not be compromised. A breach that exposes both encrypted data and the associated decryption key eliminates the safe harbor in virtually all state statutes that provide one.

Misconception: Small businesses are categorically exempt.
Most state statutes do not include size-based exemptions. California's CCPA contains a threshold of businesses with gross revenue exceeding $25 million, 50,000+ consumer records annually, or deriving 50 percent of revenue from selling personal information — but Cal. Civil Code § 1798.82 (the breach notification statute) applies regardless of business size.


Checklist or Steps

The following sequence describes the phase structure of a multi-state breach notification process as documented in frameworks from the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (SP 800-61 Rev. 2) and state statutory requirements:

  1. Incident detection and containment — Identify the compromised systems, isolate affected infrastructure, and preserve forensic evidence.
  2. Breach scope determination — Establish which data elements were exposed, the identity of affected individuals, and their state of residence.
  3. Jurisdictional mapping — Identify which state statutes apply based on the residency of affected individuals, not the entity's location.
  4. Risk-of-harm assessment — For statutes with a harm threshold, document the analysis and retain it; for statutes without a threshold, proceed directly to notification preparation.
  5. Encryption safe harbor evaluation — Confirm whether affected data was encrypted and whether encryption keys remained secure.
  6. Notification drafting — Prepare consumer-facing notices meeting the content requirements of each applicable jurisdiction; content requirements vary and include description of breach, data types involved, and remediation steps offered.
  7. Regulatory reporting — File required notices to state attorneys general and, where applicable, the FTC (for GLBA-regulated entities) or HHS (for HIPAA-covered entities), within each jurisdiction's deadline.
  8. Individual notification delivery — Deliver notices by the required method — written mail, email (where permitted), or substitute notice (website posting or media release) when contact information is unavailable for more than 500 affected residents in a given state.
  9. Documentation and retention — Retain records of breach determination, notifications sent, and regulatory filings for the period required by applicable law (3 years is common; specific durations vary by state).

Reference Table or Matrix

The table below compares key parameters across 10 representative state breach notification statutes. For comprehensive multi-state compliance, reference the full text of each state statute and the NCSL State Security Breach Notification Laws tracker.

| State | Primary Statute | Notification Deadline | Harm Threshold | AG Reporting Threshold | Encryption Safe Harbor |
|---|---|---|---|---|---|
| California | Civil Code § 1798.82 | Unreasonable delay | No | 500+ residents | Yes |
| New York | SHIELD Act (Gen. Bus. Law § 899-aa) | Unreasonable delay | No | 500+ residents | Yes |
| Florida | Fla. Stat. § 501.171 | 30 days | No | 500+ individuals | Yes |
| Texas | Bus. & Com. Code § 521.053 | As quickly as possible | No | 250+ individuals (to AG) | Yes |
| Colorado | C.R.S. § 6-1-716 | 30 days | No | 500+ residents | Yes |
| Illinois | 815 ILCS 530 | Unreasonable delay | Yes | 500+ residents | Yes |
| Ohio | ORC § 1349.19 | 45 days | Yes | 500+ residents | Yes |
| North Carolina | N.C. Gen. Stat. § 75-65 | Unreasonable delay | Yes | 1,000+ residents | Yes |
| Washington | RCW § 19.255.010 | 30 days | No | 500+ residents | Yes |
| Montana | MCA § 30-14-1704 | Unreasonable delay | Yes | None specified | Yes |

All deadlines run from date of discovery or reasonable determination of breach, except where noted in the underlying statute. Verify current statutory text before use.
