Data Breach Notification Laws by State: A Complete 2026 Guide
What Are Data Breach Notification Laws?
Data breach notification laws require organizations to notify affected individuals — and in many cases state regulators — when personal information is compromised in a security incident. All 50 US states, the District of Columbia, and US territories now have data breach notification statutes. While comprehensive state privacy laws like the CCPA govern how data is collected and used, breach notification laws focus specifically on what happens when that data is exposed.
These laws vary widely in their timelines, definitions of personal information, notification triggers, and enforcement mechanisms. This guide breaks down the key requirements so you can build a response plan that covers every state where you have customers or employees.
How Many States Have Breach Notification Laws?
All 50 states plus DC, Guam, Puerto Rico, and the US Virgin Islands have enacted data breach notification laws. Alabama was the last state to pass its law in 2018. There is no single federal breach notification law (despite repeated proposals), so businesses must comply with a patchwork of state-level requirements.
This is separate from the 20+ states that have enacted comprehensive consumer privacy laws. Breach notification laws are narrower — they only apply when a security incident exposes protected personal information.
Key Elements of State Breach Notification Laws
1. Notification Timelines
The most critical compliance variable is how quickly you must notify affected individuals and regulators after discovering a breach. Fixed deadlines range from 30 days to 90 days; many states set no fixed deadline at all and instead require notice "in the most expedient time possible" or "without unreasonable delay."
| Timeline | States |
|---|---|
| 30 days | Arizona, California (as of Oct 2025), Colorado, Florida, South Dakota, Washington |
| 45 days | Ohio, Wisconsin |
| 60 days | Connecticut, Delaware, Hawaii, Iowa, Maine, Maryland, Massachusetts, Minnesota, Montana, Nebraska, New Hampshire, New Mexico, North Carolina, Oregon, Rhode Island, Tennessee, Texas, Vermont, Virginia, Wyoming |
| 72 hours | Puerto Rico (AG notification only) |
| 90 days | Alabama |
| "Most expedient" / no fixed deadline | Alaska, Arkansas, Georgia, Idaho, Illinois, Indiana, Kansas, Kentucky, Louisiana, Michigan, Mississippi, Missouri, Nevada, New Jersey, New York, North Dakota, Oklahoma, Pennsylvania, South Carolina, Utah, West Virginia |
Practical tip: If your business operates in multiple states, plan for the shortest applicable deadline. California's 30-day requirement (effective October 1, 2025 under SB 1223) is currently the strictest fixed timeline. Use our Privacy Law Calculator to determine which states' laws apply to your business.
2. Who Must Be Notified
Most states require notification to:
- Affected individuals — required in all states
- State Attorney General — required in most states, often triggered by a minimum number of affected residents (e.g., 500+ in California, 250+ in Indiana, 1,000+ in many states)
- Consumer reporting agencies — typically required when 1,000+ residents are affected (following the federal FACTA standard)
- State-specific agencies — some states require notification to specialized regulators (e.g., the Connecticut Insurance Department for insurance-related breaches)
3. What Data Triggers Notification
All states cover the "classic" combination of a name plus one of: Social Security number, driver's license or state ID number, or financial account/credit card number. Many states have expanded their definitions to include:
- Medical/health information — California, Connecticut, Maryland, Montana, North Dakota, Texas, and others
- Biometric data — California, Colorado, Connecticut, Illinois, Maryland, Nebraska, New York, Texas, and others
- Online account credentials (email + password) — California, Florida, Maryland, Rhode Island, and others
- Tax ID numbers — many states beyond just SSNs
- Passport/immigration numbers — Arizona, Maryland, New York, and others
States with broader definitions of personal information create more situations where notification is required. Check whether the type of data your business handles falls under each applicable state's definition.
4. Safe Harbors and Exemptions
Several important exemptions can reduce your obligations:
- Encryption safe harbor — Most states exempt breaches where the data was encrypted and the encryption key was not also compromised. This is one of the strongest arguments for encryption at rest and in transit.
- Risk of harm assessment — Some states (e.g., Alaska, Michigan, Ohio, Kansas) allow organizations to skip notification if an internal investigation determines the breach is unlikely to cause substantial harm.
- Law enforcement delay — Nearly all states allow notification to be delayed if law enforcement determines it would impede a criminal investigation.
- HIPAA preemption — Entities already subject to HIPAA's breach notification rule may be exempt from state requirements, but this varies — some states explicitly do not exempt HIPAA-covered entities. See our state privacy law vs. HIPAA comparison.
State-by-State Spotlight: Key Requirements
California
California's breach notification law (Civil Code § 1798.82) is among the most expansive. Key requirements include a 30-day notification deadline (effective October 2025 under SB 1223), notification to the AG when 500+ residents are affected, and a broad definition of personal information that includes biometric data, medical information, and online credentials. Substitute notice must include email notification, conspicuous website posting, and notification to major statewide media. California also requires the notification to be written in plain language and to include specific elements like a description of the incident, types of data compromised, and remediation steps. For more on California's broader privacy framework, see our CCPA compliance guide.
Texas
Texas (Business & Commerce Code § 521.053) requires notification within 60 days and AG notification when 250+ residents are affected. Texas has one of the broadest breach notification triggers — it covers any "sensitive personal information," a category that encompasses biometric data, financial data, and health data. The Texas Attorney General has been increasingly aggressive with privacy enforcement, as demonstrated by the record $1.4 billion Meta settlement. For the broader privacy framework, see our TDPSA guide.
Florida
Florida's Information Protection Act (§ 501.171) has a 30-day notification deadline — one of the shortest. It requires AG notification when 500+ residents are affected and has a unique feature: the AG must be notified within 30 days even if the investigation is still ongoing. Penalties can reach $500,000 per breach incident. Florida also requires entities to provide identity theft protection services at no cost for at least 12 months if SSNs were compromised.
New York
New York's SHIELD Act (General Business Law § 899-aa) expanded the state's breach notification law significantly. It broadened the definition of "private information" to include biometric data and online credentials, and imposed data security requirements on all businesses holding New York residents' data (not just those conducting business in New York). Notification must be made "in the most expedient time possible" with no fixed deadline, and the AG, Division of State Police, and Division of Consumer Protection must all be notified.
Massachusetts
Massachusetts (M.G.L. ch. 93H) has robust requirements including 60-day notification, detailed AG notification via an online portal, and a requirement that notice be provided to the Director of Consumer Affairs. Massachusetts also mandates that the notification include a right to obtain a police report and information about security freezes. Uniquely, Massachusetts requires notification even when the breach involves only a resident's first name or first initial together with their last name, combined with one triggering data element.
Illinois
Illinois's Personal Information Protection Act (815 ILCS 530) requires notification "in the most expedient time possible and without unreasonable delay." For breaches affecting 500+ Illinois residents, the AG must be notified. Illinois is also notable for its Biometric Information Privacy Act (BIPA), which provides a private right of action for biometric data violations — unlike most states where only the AG can enforce.
Building a Multi-State Breach Response Plan
Given the patchwork of requirements, here's a practical approach to building a response plan that keeps you compliant everywhere:
Step 1: Map Your Data
Identify what personal information you hold, where it's stored, and which states' residents are represented. This determines which states' laws apply to you. Our Privacy Law Calculator can help you assess applicability for comprehensive privacy laws, and the same jurisdictional analysis applies to breach notification.
Step 2: Plan for the Strictest Deadline
If you operate in California or Florida, you're looking at a 30-day clock. Build your incident response plan around that timeline. Key milestones within 30 days should include: discovery and containment (days 1–3), forensic investigation (days 4–14), impact assessment and legal review (days 10–20), notification drafting and delivery (days 15–30).
Step 3: Prepare Template Notifications
Pre-draft notification templates for each state that include the required elements. Most states require: a description of the incident, the types of information compromised, what the organization is doing in response, contact information for the reporting entity, and information about consumer reporting agencies and identity theft protection.
Step 4: Know Your AG Reporting Portals
Many state AGs have moved to online submission portals. Familiarize your legal team with these portals before an incident occurs. California, New York, Massachusetts, and Texas all have online reporting systems that require specific fields and formats.
Step 5: Document Everything
Maintain a detailed incident log from the moment a potential breach is discovered. This documentation protects you if regulators later question whether you met notification deadlines or conducted a thorough investigation. For state-specific compliance checklists, use our interactive tools.
2026 Trends in Breach Notification
Several trends are shaping breach notification compliance in 2026:
- Shorter timelines — California's move to 30 days (from "most expedient time possible") signals a trend toward fixed, shorter deadlines. More states are likely to follow.
- Expanded data definitions — Biometric data, online credentials, and health data are being added to breach notification triggers across states.
- Stricter AG reporting — States are lowering the thresholds for AG notification and requiring more detailed incident reports.
- Enforcement growth — With 20+ states now having comprehensive privacy laws and dedicated enforcement budgets, the risk of enforcement actions following a breach has increased significantly. See our enforcement action tracker and penalties guide.
- Universal opt-out interaction — For organizations subject to both breach notification and comprehensive privacy laws, a breach can trigger obligations under both regimes. See our universal opt-out compliance guide.
Penalties for Non-Compliance
Failing to comply with breach notification requirements can result in significant penalties:
- California: Up to $7,988 per violation (per affected individual); AG enforcement
- Florida: Up to $500,000 per breach; $1,000/day for first 30 days, $50,000/day thereafter for late notification
- New York: Up to $5,000 per violation under the SHIELD Act; AG enforcement plus private right of action for certain claims
- Texas: Up to $100 per individual per day of delayed notification, capped at $250,000 per breach
- Connecticut: Up to $5,000 per violation under the CUTPA
Beyond statutory penalties, businesses face class action litigation, reputational damage, and loss of customer trust. Timely and compliant notification is always less costly than the alternative.
Frequently Asked Questions
Is there a federal data breach notification law?
No. Despite numerous proposals over the years, the US does not have a comprehensive federal data breach notification law as of 2026. Sector-specific federal laws exist — HIPAA for healthcare, the Gramm-Leach-Bliley Act for financial institutions, and the FTC Act for general unfair/deceptive practices — but there is no single federal standard. Businesses must comply with each applicable state's law.
Does encryption prevent the need to notify?
In most states, yes — if the compromised data was encrypted and the encryption key was not also compromised, notification is not required. This is often called the "encryption safe harbor." However, some states have nuances: a few require notification even for encrypted data if there's reason to believe the encryption was compromised, and California specifies that the redaction or encryption must be done "in a manner that renders the name or the information unusable."
How do state breach notification laws interact with the CCPA and other comprehensive privacy laws?
They're separate but complementary. A data breach can trigger obligations under both: breach notification laws require you to notify affected individuals and regulators about the incident, while comprehensive privacy laws (like the CCPA) may provide a private right of action for the underlying security failure. In California, the CCPA's data breach private right of action (§ 1798.150) allows consumers to sue for $100–$750 per incident when a breach results from a business's failure to implement reasonable security measures.
Do I need to notify if only employee data was breached?
Yes. Breach notification laws generally apply to any personal information, regardless of whether the individuals are customers, employees, contractors, or any other category. Many comprehensive privacy laws exempt employee data from their scope, but breach notification laws typically do not make this distinction.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 29, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.