US Data Breach Notification Laws by State

All 50 US states, the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands have enacted breach notification statutes, creating a fragmented compliance landscape that affects every organization handling personal information about US residents. This page maps the structural elements, jurisdictional variation, triggering conditions, and classification boundaries that define state-level breach notification obligations. It also identifies where the frameworks conflict with each other and with federal sector-specific requirements such as those under HIPAA and the FTC Act.


Definition and scope

A data breach notification law is a statute that compels entities—typically defined as businesses, government agencies, or nonprofits—to notify affected individuals, state regulators, and in some cases consumer reporting agencies, when unauthorized access or acquisition of personal information occurs. The notification obligation is triggered by a qualifying security incident, not by intent or confirmed misuse of data.

The scope of these statutes is jurisdictional, not entity-based. Coverage is determined by the residency of the affected individuals, not by where the organization is incorporated or headquartered. An organization based in Texas that maintains records on California residents must comply with California's breach notification statute (California Civil Code §1798.29 and §1798.82) for those residents, and simultaneously comply with Texas Business & Commerce Code Chapter 521 for Texas residents.

California was the first state to enact a breach notification law in 2002, establishing the template that most subsequent statutes followed. The National Conference of State Legislatures (NCSL) tracks the full inventory of state statutes and provides a current index of enacted legislation.


Core mechanics or structure

Every state breach notification statute operates through four structural components: a triggering definition, a covered entity definition, a notification timeline, and prescribed content requirements.

Triggering definition. Statutes define what constitutes a "breach" eligible for notification. Across all 50 state frameworks, the common baseline is unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of the data. Most states incorporate a harm threshold or risk-of-harm assessment—if the unauthorized access is unlikely to result in harm to affected individuals, notification may not be required. Alabama, under the Alabama Data Breach Notification Act of 2018 (Ala. Code §8-38-1 et seq.), applies a risk-of-harm analysis before notification is triggered.

Personal information definition. Every statute specifies which data elements qualify as personal information. At minimum, this is an individual's name combined with at least one of: Social Security number, driver's license number, financial account number, or payment card number with security code. States including New York, under the SHIELD Act (N.Y. Gen. Bus. Law §899-aa), have expanded the definition to include biometric data, email credentials, and health-related information.

Notification timelines. Timelines vary significantly. Florida mandates notification within 30 days of discovery (Fla. Stat. §501.171). New York's SHIELD Act specifies expedient notification "without unreasonable delay." Colorado requires notification within 30 days (C.R.S. §6-1-716). Ohio sets a 45-day window. The tightest deadline in the country is Maine's 30-day requirement under 26 M.R.S. §1348.

Regulatory notification. Twenty-nine states require notification to the state attorney general or a designated consumer protection office, either simultaneously with or before individual notification. California, New York, and North Carolina are among those requiring AG notification when the breach affects more than 500 residents.


Causal relationships or drivers

The proliferation of state breach notification laws traces directly to the absence of a comprehensive federal breach notification statute. The Federal Trade Commission (FTC) enforces breach-related requirements through Section 5 of the FTC Act for non-exempt entities, but that authority does not constitute a uniform notification mandate. Sector-specific federal frameworks—HIPAA for covered health entities, the Gramm-Leach-Bliley Act (GLBA) for financial institutions, and FERPA for educational records—create parallel obligations but do not displace state statutes for entities that also handle non-covered data.

The failure of repeated federal preemption proposals in Congress to advance has sustained state legislative activity. Organizations operating across state lines are therefore subject to simultaneous compliance obligations from 50 distinct statutory frameworks, creating the layered burden that makes breach response a specialized legal and operational function closely tied to incident response framework capabilities.

The expansion of covered data categories also reflects causal pressure from documented breach patterns. The compromise of biometric databases and healthcare credential systems in the 2010s directly drove legislative updates in Illinois (under the Biometric Information Privacy Act, 740 ILCS 14), Washington, and Texas to add biometric identifiers to protected categories.


Classification boundaries

State breach notification statutes split into four recognizable clusters based on stringency and scope:

Cluster 1 — Narrow trigger, limited scope. These statutes apply the original 2002 California model: name plus one financial identifier. Covered entities are limited to businesses. Timelines are unspecified ("without unreasonable delay"). Approximately 12 states retain this baseline structure.

Cluster 2 — Expanded personal information definition. States that have added biometric, health, or credential data to the personal information definition. This group includes New York, Washington, Illinois, and Massachusetts.

Cluster 3 — Short mandatory timelines with AG reporting. States with a specified window of 30–45 days and mandatory regulatory notification for breaches above a resident threshold. Florida (30 days), Colorado (30 days), and Ohio (45 days) anchor this cluster.

Cluster 4 — Comprehensive data protection frameworks. California's Consumer Privacy Act regime (CCPA/CPRA) and Virginia's Consumer Data Protection Act (CDPA, Va. Code §59.1-575 et seq.) embed breach notification inside broader data protection obligations, including consumer rights, data minimization requirements, and mandatory security controls.

Entities covered by HIPAA must satisfy both the HHS HIPAA Breach Notification Rule (45 CFR §§164.400–414) and applicable state statutes, applying whichever is more protective of the individual.


Tradeoffs and tensions

The central tension is uniformity versus state sovereignty. A federal breach notification statute would simplify compliance for multi-state operators but would likely reduce protections below the strongest state floors (California, New York, Colorado). Congress has debated the American Data Privacy and Protection Act (ADPPA) without enacting it, leaving state variation intact.

A second tension exists between the harm threshold and automatic notification. States that require a risk-of-harm analysis before notification (Alabama, Florida, Wisconsin) allow organizations to forgo notification when harm is deemed unlikely. Critics of this approach argue that affected individuals lose the ability to take protective action based on an organization's unilateral assessment. States that mandate notification upon unauthorized acquisition regardless of harm (Massachusetts, California for certain data types) place a higher operational burden on organizations but preserve individual autonomy.

A third tension involves the notice quality tradeoff. Statutes that specify detailed content requirements for notification letters—required under New York's SHIELD Act and Colorado's statute—increase consumer utility but extend breach response timelines as legal review of notice language is required.

Cybersecurity risk management programs that address breach notification compliance must account for all three tensions when designing response protocols.


Common misconceptions

Misconception: Federal law preempts state breach notification. No comprehensive federal breach notification statute preempts state law for the general commercial sector. HIPAA preemption is limited: under 45 CFR §160.203, HIPAA preempts state law only where state law is less protective, not where it imposes more stringent requirements. Most state statutes applicable to covered entities are additive, not displaced.

Misconception: Encryption automatically eliminates the notification obligation. Most states provide a safe harbor for encrypted data, but the specific standard matters. California's safe harbor requires that the encryption key was not also compromised. If an attacker acquires both encrypted data and the decryption key, the safe harbor does not apply. The NIST Cybersecurity Framework (CSF) treats key management as a distinct control domain for this reason.

Misconception: Notification is required only when data is confirmed misused. The triggering condition in the majority of state statutes is unauthorized acquisition or access, not confirmed fraud or identity theft. The FTC and state attorneys general have taken enforcement action against organizations that delayed notification pending harm confirmation.

Misconception: Small businesses are exempt. Only a small number of states provide small business accommodations, and those are limited to timeline extensions or simplified AG reporting, not full exemption. A sole proprietor holding California residents' SSNs is subject to California Civil Code §1798.82.


Checklist or steps

The following steps reflect the structural sequence of breach notification compliance across the majority of state frameworks. This is a reference sequence, not legal advice.

  1. Confirm the incident qualifies as a breach. Determine whether unauthorized acquisition of personal information occurred. Document the basis for the determination, including any risk-of-harm analysis required by the applicable state statutes.

  2. Identify the residency of affected individuals. Compile the states of residence for all individuals whose information was involved. This step determines which statutes apply simultaneously.

  3. Identify applicable statutes for each resident population. Cross-reference the state of each affected individual with that state's current breach notification statute. Note differing personal information definitions, timelines, and AG notification thresholds.

  4. Engage applicable federal parallel obligations. Determine whether HIPAA, GLBA, or FTC Act requirements also apply. The HIPAA Breach Notification Rule requires HHS notification within 60 days of discovery for breaches affecting 500 or more residents of a state.

  5. Draft individual notification letters. Address required content elements: description of the incident, data elements involved, steps taken by the organization, remediation resources offered (credit monitoring, etc.), and contact information for inquiries.

  6. Submit regulatory notifications. File notifications with state attorneys general or designated regulators within applicable windows. Retain copies of all submissions with timestamps.

  7. Document the full response chronology. Regulatory investigations and litigation frequently turn on the timeline between discovery, determination, and notification. The digital forensics overview framework describes evidentiary documentation standards applicable to this phase.

  8. Post substitute notice if direct notification is impractical. When mailing addresses are unavailable for more than 10 affected individuals, most statutes permit substitute notice via media or website posting. Requirements vary by state.


Reference table or matrix

State         | Timeline                                | AG Notification Threshold | Harm Threshold | Notable Expansion
--------------|-----------------------------------------|---------------------------|----------------|------------------------------------------------------------
California    | Without unreasonable delay              | 500+ residents            | No             | CCPA/CPRA civil rights framework; email credential included
New York      | Expedient / without unreasonable delay  | 500+ residents            | No             | SHIELD Act: biometric, health, email credential
Colorado      | 30 days                                 | 500+ residents            | No             | Broad personal information definition
Florida       | 30 days                                 | 500+ individuals          | No             | Consumer reporting agency notification ≥1,000 individuals
Texas         | 60 days                                 | No minimum threshold      | No             | AG notification required
Ohio          | 45 days                                 | No minimum threshold      | No             | Safe harbor for CIS Controls or NIST CSF compliance
Alabama       | 45 days                                 | 1,000+ residents          | Yes            | Risk-of-harm analysis before notification required
Illinois      | Without unreasonable delay              | 500+ residents            | No             | Biometric data (BIPA applies separately)
Washington    | 30 days (AG); 30 days (individuals)     | 500+ residents            | No             | Expanded to health, biometric, and login credentials
Maine         | 30 days                                 | All breaches              | No             | No minimum size threshold for AG notification
Massachusetts | Without unreasonable delay              | All breaches              | No             | Written information security program required
Virginia      | 60 days                                 | All breaches              | No             | CDPA framework applies

Sources: NCSL Security Breach Notification Laws; individual state statutes as cited. The us-cybersecurity-regulations-compliance reference provides additional federal regulatory context applicable to breach notification.

