US Data Breach Notification Laws by Jurisdiction
Data breach notification law in the United States operates through a fragmented patchwork of 50 state statutes, federal sector-specific mandates, and emerging regulatory guidance — with no single federal omnibus notification standard in force. This page maps the structural landscape of that legal framework: how jurisdictions define a breach, what triggers a notification obligation, how timelines and penalties vary, and where the law remains contested. It serves compliance professionals, legal researchers, and incident response teams navigating multi-jurisdiction obligations.
- Definition and Scope
- Core Mechanics or Structure
- Causal Relationships or Drivers
- Classification Boundaries
- Tradeoffs and Tensions
- Common Misconceptions
- Notification Obligation Checklist
- Reference Table: State Notification Law Comparison Matrix
- References
Definition and Scope
A data breach notification law, at its operational core, is a statute requiring entities that collect or maintain personal information to notify affected individuals — and often government regulators — when that information is accessed, acquired, or disclosed without authorization. The scope of "personal information" varies materially by statute: California's data breach law (Cal. Civ. Code § 1798.29 and § 1798.82) covers a named set of data element combinations, while New York's SHIELD Act (N.Y. Gen. Bus. Law § 899-aa) extended coverage to include biometric information and email credentials.
All 50 US states, the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands have enacted some form of breach notification statute, as documented by the National Conference of State Legislatures (NCSL). Federal overlay laws add sectoral obligations on top of state requirements: the Health Insurance Portability and Accountability Act (HIPAA Breach Notification Rule, 45 CFR §§ 164.400–414) governs healthcare entities; the Gramm-Leach-Bliley Act (GLBA Safeguards Rule, 16 CFR Part 314) governs financial institutions; and the FTC's Health Breach Notification Rule (16 CFR Part 318) covers health apps outside HIPAA's reach.
Core Mechanics or Structure
Notification obligations activate when three threshold conditions are met: (1) a qualifying data element combination is involved, (2) unauthorized access or acquisition occurred, and (3) where the statute provides a harm threshold test, that test does not resolve in the entity's favor.
Qualifying data elements are the first gating criterion. The most common triggering combination under state laws is first name (or initial) plus last name, paired with one or more of: Social Security number, driver's license number, financial account number with access credential, or medical/health information. Post-2018 state amendments, including those in Colorado (C.R.S. § 6-1-716), Oregon, and Vermont, expanded qualifying elements to include usernames and passwords as standalone triggers.
Harm threshold clauses allow entities to forgo notification when a risk assessment concludes that the breach is unlikely to result in harm to affected individuals. California eliminated this clause for breaches of certain data types; other states such as Wisconsin retain it.
Notice recipients typically include: the affected individual (written, electronic, or substitute notice), the state attorney general, and — for large-scale breaches — major statewide media outlets. HIPAA additionally requires notification to the US Department of Health and Human Services (HHS): breaches affecting 500 or more individuals in a state must be reported to HHS simultaneously with individual notice; breaches affecting fewer than 500 must be logged and reported annually.
Notification timelines vary widely: 30 days in Florida (Fla. Stat. § 501.171), 72 hours for HIPAA-regulated covered entities under some interpretations, and an undefined "expedient time / without unreasonable delay" standard in the 28 states catalogued by NCSL.
Causal Relationships or Drivers
The fragmentation of US breach notification law traces directly to the legislative vacuum left by the absence of a federal omnibus privacy law. Beginning with California's SB 1386, enacted in 2002, states filled that vacuum unilaterally, producing compounding layers of inconsistency.
Federal preemption — the legal mechanism that would subordinate state laws to a single federal standard — has not been enacted for general data breach notification. Sector-specific preemption exists: HIPAA preempts contrary state law for covered entities, but only where state law provides less protection, not more (45 CFR § 160.203). The result is that a healthcare provider may face simultaneous HIPAA obligations and a stricter state timeline.
Corporate consolidation and cloud-hosted data environments have expanded multi-state exposure. An organization headquartered in one state routinely holds personal information of residents in 40 or more states — triggering notification obligations in every jurisdiction where affected residents reside, not only where the company is incorporated.
The FTC Act Section 5 unfair-or-deceptive-acts authority gives the Federal Trade Commission enforcement power over data security failures even absent a specific notification statute, as demonstrated in FTC enforcement actions catalogued in the agency's public case records.
Classification Boundaries
Breach notification laws divide along four primary classification axes:
1. Covered entity type: Some statutes apply only to commercial entities (e.g., businesses and sole proprietors). Others explicitly include government agencies, nonprofits, and educational institutions. The California Consumer Privacy Act (CCPA), Cal. Civ. Code § 1798.150, covers businesses meeting size or revenue thresholds, while California's breach law under § 1798.29 covers state agencies separately.
2. Covered data scope: Laws classify personal information along a spectrum — from narrow Social Security and financial account data to broad biometric, geolocation, genetic, and device-based identifiers. Illinois's Biometric Information Privacy Act (BIPA), 740 ILCS 14/, is the most stringent biometric-specific statute, imposing per-violation liquidated damages of $1,000 for negligent violations and $5,000 for intentional violations.
3. Notification trigger standard: The "unauthorized acquisition" standard (most states) versus the "unauthorized access" standard (stricter; adopted by states including California and Maryland) creates a meaningful classification boundary. Unauthorized acquisition requires evidence of actual data removal; unauthorized access may trigger notification even if data was only viewed.
4. Enforcement mechanism: State attorneys general hold primary enforcement authority in 50 jurisdictions. Private rights of action — allowing individuals to sue directly — exist in California (CCPA), Illinois (BIPA), and a limited set of other states. Federal agencies (HHS, FTC, OCC, FDIC) hold parallel enforcement authority within their sectors.
Tradeoffs and Tensions
The most contested structural tension in breach notification law sits between notification speed and notification accuracy. Early notification to a large population whose data may not have been compromised generates harm through phishing attacks that exploit the notification itself. Delayed notification — even by 10 days — can allow credential reuse attacks to compound. Neither extreme serves affected individuals optimally.
A second tension involves safe harbor provisions for encrypted data. Most state statutes exempt encrypted data from notification requirements if the decryption key was not also compromised. This incentivizes encryption investment but creates perverse incentives to classify borderline encryption implementations as sufficient to trigger exemption.
Federal preemption proposals represent a recurring legislative tension. Industry coalitions have advocated for a single federal standard to reduce compliance complexity across 50+ regimes. Civil liberties organizations and state attorneys general have opposed federal preemption on grounds that federal minimums would weaken protections in states like California and New York that exceed baseline requirements.
Common Misconceptions
Misconception: Encryption automatically eliminates notification obligations.
Correction: Encryption creates a conditional safe harbor in most states, but only where the encryption key was not accessed in the same incident. Several state statutes explicitly condition the safe harbor on the key remaining uncompromised. HIPAA applies a similar conditional standard under 45 CFR § 164.402.
Misconception: A breach must involve financial data to trigger notification.
Correction: Statutes in 30+ states, including Colorado and New York, trigger notification for username-and-password combinations alone, independent of any financial data element.
Misconception: Notification to the company's home state is sufficient.
Correction: Notification obligations attach to the state of residence of the affected individual, not the state where the breached entity is headquartered. An organization with 100,000 affected customers spread across 35 states faces up to 35 concurrent statutory obligations.
Misconception: Small businesses are exempt from all state breach laws.
Correction: Most state breach statutes contain no small-business exemption. CCPA contains revenue and data-volume thresholds, but California's § 1798.29 (agency breach law) and the general § 1798.82 (business breach law) apply regardless of entity size.
Misconception: The 72-hour GDPR deadline applies in the US.
Correction: The EU General Data Protection Regulation's 72-hour supervisory authority notification deadline does not apply domestically. Florida's 30-day deadline (Fla. Stat. § 501.171) is among the most aggressive US state timelines. Federal sector timelines — particularly under the FFIEC's incident notification guidelines and OCC rules — impose 36-hour notification windows for banking organizations.
Notification Obligation Checklist
The following sequence describes the structural phases of breach notification compliance as reflected across the statutory landscape. This is a descriptive reference, not a legal compliance protocol.
- Incident identification — Determine whether unauthorized access or acquisition of personal information occurred or is reasonably suspected.
- Data element inventory — Identify which specific data elements were involved; cross-reference against triggering element definitions in statutes for each relevant jurisdiction.
- Affected individual geography — Determine the state of residence for each potentially affected individual to establish which jurisdictions' laws apply.
- Harm threshold assessment — Where applicable, conduct and document a risk-of-harm analysis under the standards of each implicated state statute.
- Encryption and key status review — Determine whether a conditional encryption safe harbor applies in each jurisdiction, and confirm the encryption key compromise status.
- Federal sector overlay check — Identify whether HIPAA, GLBA, FTC Health Breach Notification Rule, or banking regulator rules impose parallel or superseding obligations.
- Timeline mapping — Document the notification deadline for each jurisdiction, beginning from the date of discovery or the date unauthorized acquisition is confirmed, whichever the statute uses as the trigger.
- Regulatory notification preparation — Prepare filings for applicable state attorneys general; prepare HHS notification for HIPAA-covered incidents affecting 500 or more individuals.
- Individual notification execution — Issue written, electronic, or substitute notices compliant with each state's format and content requirements.
- Enforcement body escalation — In California, New York, and Illinois, assess whether the incident scope triggers mandatory media notification or private right-of-action exposure.
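The checklist phases above, as an added worked example that is not part of the original page: a small Python triage model applying the three threshold conditions (qualifying elements, unauthorized access, encryption safe harbor) and the deadlines from the reference table below to a constructed incident. The state table, the credential-trigger set and the element names are assumptions transcribed only from this page; the statuses "review" and "not in matrix" mark where the page does not supply a rule rather than asserting one.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed from this page's comparison matrix: None = "expedient / without unreasonable
# delay"; states absent from the dict are still obligated (residence, not HQ, controls).
DEADLINE_DAYS = {"CA": None, "NY": None, "FL": 30, "TX": 60, "IL": None,
                 "CO": 30, "MD": 45, "MA": None}
# States this page names as treating username + password as a standalone trigger.
CREDENTIAL_TRIGGER = {"CA", "NY", "CO"}
# Classic trigger: name plus at least one of these elements.
NAME_PLUS = {"ssn", "drivers_license", "financial_account_with_credential", "medical"}

@dataclass
class Incident:
    discovered: str           # ISO date of discovery, e.g. "2024-03-01"
    elements: set             # exposed data elements, e.g. {"name", "ssn"}
    residents_by_state: dict  # affected residents per state, e.g. {"FL": 1200}
    encrypted: bool = False
    key_compromised: bool = False

def trigger_status(state: str, elements: set):
    """Condition (1): True/False, or None when only credentials leaked in a state this page does not settle."""
    if "name" in elements and elements & NAME_PLUS:
        return True
    if {"username", "password"} <= elements:
        return True if state in CREDENTIAL_TRIGGER else None
    return False

def deadline(discovered: str, days: int) -> str:
    return (date.fromisoformat(discovered) + timedelta(days=days)).isoformat()

def obligations(inc: Incident) -> dict:
    """Per-state status: ISO deadline, "expedient", "not in matrix" or "review"; empty under safe harbor."""
    out = {}
    if inc.encrypted and not inc.key_compromised:  # conditional encryption safe harbor
        return out
    for state, count in inc.residents_by_state.items():
        status = trigger_status(state, inc.elements)
        if count <= 0 or status is False:
            continue  # no residents, or no qualifying element combination
        if status is None:
            out[state] = "review"
        elif state not in DEADLINE_DAYS:
            out[state] = "not in matrix"
        elif DEADLINE_DAYS[state] is None:
            out[state] = "expedient"
        else:
            out[state] = deadline(inc.discovered, DEADLINE_DAYS[state])
    return out

def hipaa_overlay(inc: Incident) -> dict:
    """Federal overlay for a HIPAA-covered entity: 60 days from discovery, plus simultaneous HHS notice per 500+ state."""
    return {"deadline": deadline(inc.discovered, 60),
            "hhs_simultaneous": sorted(s for s, n in inc.residents_by_state.items() if n >= 500)}
```

Running `obligations` on a name-plus-SSN incident with Florida, California and Wyoming residents yields a dated Florida deadline, "expedient" for California, and "not in matrix" for Wyoming, which is the multi-state exposure the page describes.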
Reference Table: State Notification Law Comparison Matrix
| Jurisdiction | Key Statute | Timeline | AG Notification Required | Private Right of Action | Notable Scope Expansion |
|---|---|---|---|---|---|
| California | Cal. Civ. Code § 1798.82 | Expedient / without unreasonable delay | Yes (500+ residents) | Yes (CCPA § 1798.150) | Username + password; medical info |
| New York | N.Y. Gen. Bus. Law § 899-aa | Expedient / without unreasonable delay | Yes | Limited | Biometric; email credentials |
| Florida | Fla. Stat. § 501.171 | 30 days | Yes | No | Third-party agent obligations |
| Texas | Tex. Bus. & Com. Code § 521.053 | 60 days (2021 amendment) | Yes (250+ residents) | No | Covers paper records |
| Illinois | 815 ILCS 530/ + BIPA | Expedient | Yes | Yes (BIPA) | Biometric: $1,000–$5,000/violation |
| Colorado | C.R.S. § 6-1-716 | 30 days (AG); 30 days (individuals) | Yes | No | Username + password trigger |
| Maryland | Md. Code, Com. Law § 14-3504 | 45 days | Yes | No | Unauthorized access standard |
| Massachusetts | 201 CMR 17.00 | Expedient | Yes | No | Comprehensive written security program required |
| Federal (HIPAA) | 45 CFR §§ 164.400–414 | 60 days from discovery | Yes (HHS) | No | Covered entities + business associates |
| Federal (GLBA) | 16 CFR Part 314 | Expedient | FTC/banking regulators | No | Financial institutions |