Data Breach Notification Laws Across the US
Data breach notification laws establish legally mandated timelines, covered entity definitions, and consumer notice requirements that apply when personally identifiable information is exposed or compromised. The United States operates without a single federal omnibus breach notification statute, leaving a patchwork of 50 state laws, plus sector-specific federal regulations, to govern disclosure obligations. For organizations processing personal data across state lines, compliance requires simultaneous analysis of multiple overlapping frameworks. The "security providers" directory on this site indexes service providers operating in this compliance space.
Definition and scope
A data breach notification law is a statute or regulation requiring that affected individuals, and in some cases government agencies or regulators, receive timely notice when their personal information has been accessed, acquired, or disclosed without authorization. The triggering conditions, covered data types, and notification timelines differ materially across jurisdictions.
All 50 US states have enacted breach notification statutes (National Conference of State Legislatures, State Data Security Breach Notification Laws). California enacted the first such law in 2002 (California Civil Code §§ 1798.29, 1798.82), establishing the template that most other states followed. Beyond state law, three federal sector frameworks impose parallel obligations:
- HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) — applies to covered healthcare entities and business associates; requires notification to affected individuals within 60 days of breach discovery and to HHS (HHS Office for Civil Rights).
- FTC Health Breach Notification Rule (16 CFR Part 318) — applies to non-HIPAA health apps and personal health record vendors; enforced by the Federal Trade Commission.
- GLBA Safeguards Rule / FTC Notification Requirement — financial institutions subject to the Gramm-Leach-Bliley Act must notify the FTC within 30 days of a breach affecting 500 or more customers (FTC, Safeguards Rule).
Covered data typically includes Social Security numbers, financial account credentials, medical records, login credentials, and biometric identifiers — though the specific enumeration varies by state.
How it works
The operational sequence for breach notification follows a recognizable structural pattern across most US frameworks, even where the specific requirements diverge:
- Discovery — The organization identifies or is notified of an event involving potential unauthorized access to personal information.
- Investigation and risk assessment — A forensic assessment determines whether personal data was actually accessed or acquired. Some state statutes, including those modeled on the NIST Cybersecurity Framework, require a harm-based threshold analysis before mandatory notification is triggered.
- Regulatory notification — Depending on jurisdiction and sector, notice must go to the state attorney general, a lead regulator (HHS, FTC, banking regulators), or both, often within a fixed window ranging from 30 to 90 days.
- Individual notification — Affected individuals receive written notice by mail, email (where consented), or substitute notice (website posting, media release) when direct contact is impractical.
- Remediation and documentation — Organizations retain records of the breach, investigation findings, and notification activities; regulatory audits may require production of these records.
The "security provider network purpose and scope" page provides additional context on how service providers in this sector are categorized.
California's CCPA/CPRA enforcement, overseen by the California Privacy Protection Agency, added a 45-day cure period for certain violations, though the availability of that cure period was modified under CPRA amendments effective January 1, 2023.
Common scenarios
Healthcare data breach — A hospital's EHR vendor experiences a ransomware attack affecting patient records. HIPAA's Breach Notification Rule requires individual notice within 60 days and, if more than 500 residents of a single state are affected, simultaneous media notification in that state.
Retail payment card compromise — A national retailer's point-of-sale system is skimmed, exposing card numbers. PCI DSS incident response obligations intersect with breach notification requirements in all states where cardholders reside, each carrying its own timeline.
Employee HR records exposure — An HR platform misconfiguration exposes Social Security numbers of employees across 12 states. Each state law applies independently; the most restrictive timeline (some states mandate notice within 30 days) governs the overall compliance schedule.
Cloud storage misconfiguration — A publicly accessible S3 bucket exposes customer email addresses and hashed passwords. Some state statutes include login credentials as covered data (e.g., New York SHIELD Act, NY General Business Law §899-aa), triggering notification obligations even when financial data is not involved.
Decision boundaries
Determining which notification obligations apply requires resolving four classification questions:
1. Is the affected data "personal information" under applicable law?
Definitions vary: New York's SHIELD Act covers biometric data and email/password combinations; older state statutes may cover only Social Security and financial account numbers. Mapping breach data to each state's statutory definition is a prerequisite to any compliance analysis.
2. Does a harm threshold apply?
Florida, New York, and Georgia, among others, condition notification on a reasonable determination that the breach has caused or is likely to cause harm to affected individuals. States without a harm threshold — including California — require notification upon unauthorized acquisition regardless of likely harm.
3. Which entities are covered?
HIPAA applies to covered entities and business associates as defined at 45 CFR §160.103. State statutes apply variously to "businesses," "data owners," "data collectors," or "data brokers" — categories that do not uniformly overlap with federal definitions.
4. What substitute notice is permissible?
When the cost of direct notification exceeds a statutory threshold or the number of affected individuals exceeds a defined count, substitute notice (website posting, statewide media release) is permitted under most state statutes but must meet specific content requirements.
Professionals navigating multi-state obligations can consult the "how to use this security resource" page for guidance on locating qualified compliance service providers verified in this network.