US Data Breach Notification Laws by Jurisdiction
Data breach notification law in the United States operates as a fragmented patchwork — 50 states, the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands each maintain distinct statutes governing when, how, and to whom breach notice must be delivered. No single federal omnibus notification law governs the private sector, which means compliance obligations multiply across jurisdictions whenever affected residents span state lines. This page maps the structural landscape of those laws: their definitions, mechanics, jurisdictional boundaries, and the tensions that complicate multi-state incident response.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Notification Compliance Steps
- Reference Table: Key Jurisdictional Parameters
Definition and Scope
A data breach notification law is a statute requiring organizations that experience unauthorized access to — or acquisition of — personally identifiable information (PII) to notify affected individuals and, in most cases, state regulators within a prescribed period. California enacted the first such statute in 2002 (California Civil Code §1798.82), triggering adoption across all 50 states by 2018 (NCSL State Security Breach Notification Laws).
Scope varies by statute but typically encompasses:
- Covered data elements: Most statutes define a triggering combination as name plus at least one of — Social Security number, driver's license number, financial account credentials, or medical information.
- Covered entities: Statutes apply to any organization that collects, stores, or processes resident data within the enacting state, regardless of where the organization is headquartered.
- Trigger standard: The majority of states use a "reasonable belief" or "determination" standard — meaning notice is required when the organization concludes that unauthorized access likely resulted in harm or misuse, not merely upon discovery of the intrusion.
Sector-specific federal frameworks — including HIPAA's Breach Notification Rule (45 CFR §§164.400–414) and the FTC's Health Breach Notification Rule (16 CFR Part 318) — layer on top of state requirements rather than preempting them. For a broader regulatory map, see US Cybersecurity Regulations and Compliance.
Core Mechanics or Structure
Notification Timelines
Notification deadlines range from 30 days (Florida, Fla. Stat. §501.171) to 90 days (California, Cal. Civ. Code §1798.82) to "expedient time" or "without unreasonable delay" in states such as Texas (Tex. Bus. & Com. Code §521.053). New York's SHIELD Act mandates "expedient notice" with no hard ceiling but requires notification to the state Attorney General for breaches affecting more than 500 New York residents.
Regulatory Reporting Thresholds
Most states require parallel notification to the state Attorney General when the breach affects a minimum number of residents — thresholds range from 500 residents (New York, Maryland) to 1,000 residents (North Carolina). Some states require AG notification regardless of size.
Notice Content Requirements
Statutes commonly specify that breach notices must include:
- Description of the incident
- Categories of data involved
- Steps taken by the organization to contain the breach
- Contact information for the notifying entity
- Credit monitoring or identity protection services offered (required in California, New York, and Connecticut for certain breach types)
Safe Harbors
Encryption safe harbors are universal: data rendered unreadable or unusable through encryption that was not compromised in the incident typically does not trigger notification obligations. This safe harbor is codified in, for example, Massachusetts (201 CMR 17.00) and Colorado (C.R.S. §6-1-716).
Causal Relationships or Drivers
The fragmented statutory landscape reflects a specific causal chain: federal legislative deadlock on omnibus data privacy law has left states as primary regulators of consumer data rights. Congress has debated federal preemption proposals — including the American Data Privacy and Protection Act (ADPPA) — without enacting a statute that supersedes state breach notification frameworks.
State-level law proliferation accelerates following high-profile incidents. California's 2002 statute passed in response to public disclosure of a 2002 breach at the state controller's office. Post-2013 mega-breaches involving retailers and healthcare organizations prompted updates in at least 30 states between 2015 and 2019 (NCSL).
Enforcement pressure from state Attorneys General also drives compliance structure. The New York AG's office alone has issued 9-figure settlement demands in breach investigations since 2019, and the FTC has authority to pursue unfair or deceptive practices claims under Section 5 of the FTC Act (15 U.S.C. §45) against organizations that fail to implement reasonable security. See also Cybersecurity Incident Reporting Requirements for federal sector-specific reporting overlaps.
Classification Boundaries
By Statute Type
| Category | Description | Example States |
|---|---|---|
| Specific-timeline statutes | Hard deadline (days from discovery) | FL (30), CO (30), WA (30) |
| Expedient-delay statutes | No hard ceiling; "reasonable" standard | TX, GA, AK |
| Hybrid statutes | Hard ceiling plus harm-threshold analysis | NY, CA, IL |
By Covered Data Category
Tier 1 — Universal triggers: Social Security numbers, financial account numbers with credentials, driver's license or state ID numbers. These categories appear in all 50 state statutes.
Tier 2 — Extended triggers: Medical information, health insurance data, biometric data, usernames with passwords. Present in at least 35 state statutes as of the post-2018 wave of amendments (NCSL).
Tier 3 — Emerging categories: Geolocation data, genetic data, passport numbers. Present in fewer than 12 state statutes, primarily California (CCPA/CPRA), Virginia (VCDPA), and Colorado (CPA).
By Entity Type
- Covered businesses: All 50 statutes apply to private-sector entities handling state resident data.
- Government agencies: 48 states include state government entities within their breach notification frameworks.
- Nonprofits: Explicitly covered in at least 30 states; implied coverage exists in most others.
For sector-specific standards in healthcare, see Healthcare Cybersecurity and HIPAA Standards.
Tradeoffs and Tensions
Preemption vs. Floor-Setting
The central structural tension is between federal preemption and state floor-setting. Industry groups generally favor federal preemption with a single national standard to reduce compliance complexity. Consumer advocacy organizations prefer state floors, arguing that preemption historically results in weaker protections at the federal level than exist in California, Illinois, or New York.
Speed vs. Accuracy
Tight notification windows (30 days) conflict with forensic investigation timelines. Incident response teams often cannot determine the full scope of compromised data within 30 days of discovery, creating a choice between early notification with incomplete information and delayed notification with legal exposure. The CISA incident reporting framework acknowledges this tension but applies only to federal agencies and critical infrastructure operators under specific statutes.
Harm Threshold vs. Per Se Disclosure
Some states (Florida, Indiana) require notice only when the breach creates a "reasonable risk" of harm. Others (Massachusetts, New York) move closer to per se disclosure for defined data elements. Risk-based thresholds give entities more discretion but produce under-notification when harm risk is genuinely difficult to assess.
Small Business Capacity
Small organizations face disproportionate compliance burden relative to resources. Several states — including California and New York — impose substantive security program requirements alongside notification duties. The compliance cost differential is documented by the FTC's Small Business Resources and intersects with the operational landscape covered at Small Business Cybersecurity Requirements.
Common Misconceptions
Misconception 1: A single federal law governs all breach notifications.
No such law exists for the general private sector. HIPAA applies only to covered entities and business associates in healthcare (45 CFR Parts 160 and 164). The Gramm-Leach-Bliley Act's Safeguards Rule applies only to financial institutions (16 CFR Part 314). Entities outside these sectors navigate state law exclusively.
Misconception 2: Encryption always eliminates notification obligations.
Encryption safe harbors do not apply if the encryption keys were also compromised, or if the attacker gained access to both ciphertext and decryption credentials. Illinois and Maryland explicitly condition the safe harbor on key integrity.
Misconception 3: Notification is only owed to residents of the state where the company is headquartered.
Notification is owed to residents of each state whose data was compromised, under that state's statute — regardless of where the business is located. A Delaware-incorporated firm with a breach affecting 5,000 California residents must comply with California law.
Misconception 4: A breach must involve exfiltration to trigger notification.
Several states — including Massachusetts and New Jersey — have construed "unauthorized access" broadly to include viewing or acquisition without confirmed data export. The National Conference of State Legislatures (NCSL) tracks these definitional variations.
Misconception 5: Notification to regulators and notification to individuals are interchangeable.
These are parallel, independent obligations. Filing with the Attorney General does not satisfy the obligation to notify affected individuals, and vice versa.
Notification Compliance Steps
The following sequence reflects the operational structure common to multi-state breach notification programs. This is a descriptive map of standard practice, not legal advice.
- Incident detection and containment — Isolate affected systems; preserve forensic evidence per NIST SP 800-61 (Computer Security Incident Handling Guide).
- Forensic investigation and scope determination — Identify which data elements were accessed or acquired, and which individuals and jurisdictions are affected.
- Jurisdictional mapping — For each affected individual, determine their state of residence to identify the applicable state statute and its specific requirements.
- Legal privilege assessment — Determine whether investigation is conducted under attorney-client privilege to protect findings during potential litigation.
- Harm threshold analysis — Evaluate whether the applicable statute requires a harm risk assessment before notification is mandatory.
- Regulator notification — File required reports with each state Attorney General and any sector-specific regulator (e.g., HHS OCR for HIPAA entities, FTC for FTC Health Breach Rule obligations) within the applicable deadline.
- Individual notification — Draft and deliver notices meeting the content requirements of each applicable state statute; confirm delivery method compliance (written, electronic, or substitute notice thresholds vary by state).
- Credit monitoring or remediation services — Determine whether the breach type triggers a statutory obligation to offer credit monitoring (California, New York, Connecticut for certain SSN breaches).
- Documentation and retention — Retain evidence of investigation findings, notification timelines, and delivery confirmation; retention requirements vary but 3–5 years is standard practice per state document retention statutes.
- Post-incident security program review — Assess whether existing security measures satisfy applicable state security standards (e.g., Massachusetts 201 CMR 17.00, New York 23 NYCRR 500 for financial entities).
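The jurisdictional mapping, safe-harbor and threshold steps above can be run as one pass over the affected-resident roster. The following is an added illustration, not code from any statute tracker or vendor: it encodes a four-state subset of this page's reference table as data (state codes, the `Obligation` record, the sample roster and the discovery date are all constructed here) and returns, per state, whether individual notice is owed, the hard deadline if the statute has one, whether the Attorney General threshold is met, and whether a harm-risk analysis may precede notice.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Parameters transcribed from this page's reference table (four-state subset).
# deadline_days=None: "expedient" standard, no hard ceiling. ag_threshold=0: AG is
# notified for every breach. ag_threshold=None: page states no threshold; confirm with counsel.
STATE_PARAMS = {
    "CA": dict(deadline_days=90, ag_threshold=500, harm_threshold=False),
    "TX": dict(deadline_days=None, ag_threshold=None, harm_threshold=True),
    "MA": dict(deadline_days=None, ag_threshold=0, harm_threshold=False),
    "NC": dict(deadline_days=30, ag_threshold=1000, harm_threshold=True),
}

@dataclass
class Obligation:
    state: str
    affected: int
    individual_notice: bool         # owed unless the encryption safe harbor applies
    individual_due: Optional[date]  # None = expedient standard, no hard date
    ag_notice: Optional[bool]       # None = threshold unknown, escalate to counsel
    harm_assessment: bool           # statute lets a risk-of-harm analysis precede notice

def safe_harbor_applies(encrypted: bool, keys_compromised: bool) -> bool:
    """Safe harbor holds only when the data was encrypted AND the keys stayed intact."""
    return encrypted and not keys_compromised

def map_obligations(residents, discovered: date, encrypted=False, keys_compromised=False):
    """residents: iterable of (person_id, two-letter state). Returns {state: Obligation}."""
    owed = not safe_harbor_applies(encrypted, keys_compromised)
    result = {}
    for state, n in sorted(Counter(st for _, st in residents).items()):
        if state not in STATE_PARAMS:  # never silently drop a jurisdiction
            raise KeyError(f"{state}: add its parameters before relying on this output")
        p = STATE_PARAMS[state]
        due = None
        if owed and p["deadline_days"] is not None:
            due = discovered + timedelta(days=p["deadline_days"])
        # AG notice is computed on its own; filing it never satisfies individual notice
        ag = False if not owed else (None if p["ag_threshold"] is None else n >= p["ag_threshold"])
        result[state] = Obligation(state, n, owed, due, ag, owed and p["harm_threshold"])
    return result

# Constructed sample roster (600 CA, 900 NC, one MA, one TX) and discovery date
SAMPLE_RESIDENTS = ([(f"p{i}", "CA") for i in range(600)]
                    + [(f"q{i}", "NC") for i in range(900)] + [("r1", "MA"), ("r2", "TX")])
DISCOVERED = date(2024, 3, 1)
```

A state missing from the table raises rather than being skipped, which is the failure mode that matters most in multi-state response: an unmapped jurisdiction is a missed deadline, not a non-event.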
Reference Table: Key Jurisdictional Parameters
| State | Notification Deadline | AG Notification Threshold | Harm Threshold Required? | Encryption Safe Harbor | Key Statute |
|---|---|---|---|---|---|
| California | 45 days (de facto) / 90 days (statutory) | 500+ residents | No (per se for Tier 1 data) | Yes | Cal. Civ. Code §1798.82 |
| Florida | 30 days | 500+ residents | Yes | Yes | Fla. Stat. §501.171 |
| New York | Expedient / without unreasonable delay | 500+ residents | No | Yes | NY Gen. Bus. Law §899-aa; SHIELD Act |
| Texas | Expedient / 60 days to AG | No threshold specified | Yes | Yes | Tex. Bus. & Com. Code §521.053 |
| Colorado | 30 days | 500+ residents | No | Yes | C.R.S. §6-1-716 |
| Massachusetts | Expedient / without unreasonable delay | All breaches | No | Yes | M.G.L. c. 93H |
| Illinois | Expedient / without unreasonable delay | 500+ residents | No | Conditional | 815 ILCS 530 |
| North Carolina | 30 days | 1,000+ residents | Yes | Yes | N.C. Gen. Stat. §75-65 |
| Washington | 30 days | 500+ residents | No | Yes | RCW 19.255.010 |
| Virginia | 60 days | All breaches | No | Yes | Va. Code §18.2-186.6 |
Statutes are subject to legislative amendment; citations reflect publicly available codified law. For the full enumeration of all 50 state statutes, the NCSL Security Breach Notification Laws tracker provides jurisdiction-by-jurisdiction citations.
Federal sector overlays — including HHS OCR enforcement under HIPAA and SEC cybersecurity disclosure requirements under 17 CFR Part 229 — operate in parallel and are referenced in detail at Federal Cybersecurity Agencies and Roles.
References
- NCSL Security Breach Notification Laws — National Conference of State Legislatures; jurisdiction-by-jurisdiction statute tracker
- HHS OCR HIPAA Breach Notification Rule — 45 CFR §§164.400–414
- FTC Health Breach Notification Rule — 16 CFR Part 318
- FTC Safeguards Rule — 16 CFR Part 314
- FTC Act Section 5 — 15 U.S.C. §45; unfair or deceptive practices authority
- [NIST SP 800-61 Rev. 2: Computer Security Incident Handling Guide](https://csrc.nist.gov/publications