Data Breach Notification Laws Across the US

Data breach notification laws establish the legal obligations that organizations must meet when unauthorized access to personal information occurs. Across the United States, this framework is fragmented: no single federal statute creates a universal notification standard, leaving a patchwork of 50 state laws, sector-specific federal regulations, and agency guidance to govern when, how, and to whom breach notices must be sent. Understanding this landscape is essential for compliance professionals, legal counsel, and security practitioners operating across multiple jurisdictions.

Definition and scope

A data breach notification law is a statute or regulation requiring that affected individuals — and in most cases, state attorneys general or designated regulators — receive timely notice when their personally identifiable information (PII) is exposed, stolen, or accessed without authorization. California enacted the first such statute in 2003 (Cal. Civ. Code § 1798.29), and every US state, the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands has since enacted its own version (National Conference of State Legislatures, Security Breach Notification Laws).

Scope varies substantially across jurisdictions on four axes:

  1. Covered data elements — most laws protect Social Security numbers, driver's license numbers, financial account credentials, and medical record numbers; some extend to biometric data, usernames with passwords, or tax identification numbers.
  2. Covered entities — statutes variously apply to businesses, government agencies, nonprofit organizations, or any "person" holding resident data.
  3. Notification triggers — definitions of what constitutes a "breach" range from unauthorized acquisition alone to acquisition with a reasonable likelihood of harm.
  4. Notification timelines — windows range from 30 days (Florida, Fla. Stat. § 501.171) to 90 days, with some states permitting extensions pending law enforcement holds.

At the federal level, sector-specific rules fill gaps. The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule (45 CFR §§ 164.400–414) requires covered healthcare entities to notify individuals within 60 days of discovery. The Gramm-Leach-Bliley Act Safeguards Rule, updated by the FTC in 2023, requires non-banking financial institutions to report qualifying breaches to the FTC within 30 days (FTC Safeguards Rule, 16 CFR Part 314). For broader federal incident reporting obligations, see the Cyber Incident Reporting Requirements reference page.

How it works

When a potential breach is identified, a structured sequence of actions governs the legal response:

  1. Discovery and assessment — the organization determines that a security incident has occurred and evaluates whether the compromised data qualifies as covered PII under applicable statutes.
  2. Risk or harm analysis — several states require a risk-of-harm threshold assessment; others mandate notification automatically upon confirmed unauthorized access regardless of harm probability.
  3. Regulatory notification — most states require simultaneous or prior notification to the state attorney general or a designated agency when the breach affects more than a specified number of residents (thresholds range from 250 residents in North Dakota to 500 in New York under N.Y. Gen. Bus. Law § 899-aa).
  4. Consumer notification — written, electronic, or telephone notice must be delivered in a form prescribed by statute, often including specific required content such as a description of the incident, data types exposed, and remediation steps taken.
  5. Substitute notice — organizations that cannot identify all affected individuals may use substitute notice (e.g., website posting, statewide media) when direct notice is impracticable or would cost above a statutory ceiling.
  6. Recordkeeping — many statutes require documentation of the breach, the assessment process, and notices sent, which may be reviewed during regulatory audits.

The US Cybersecurity Regulatory Framework page details how these notification obligations intersect with broader federal compliance structures.

Common scenarios

Ransomware with data exfiltration — attackers encrypt systems and extract data before deploying ransomware. Even if the organization pays and recovers its files, exfiltration of PII typically triggers notification obligations in all 50 states. Ransomware's national impact on notification volumes has been significant since 2019.

Third-party vendor breach — a service provider holding customer data on behalf of a business experiences unauthorized access. Notification obligations typically fall on the business (data owner), not solely the vendor, requiring clear contractual breach notification clauses with defined response windows.

Accidental exposure via misconfigured cloud storage — an employee misconfigures an Amazon S3 bucket or Azure Blob container, rendering PII publicly accessible. Even absent malicious access, exposure of this type triggers notification obligations in states applying an "accessed or acquired" standard rather than requiring proof of actual unauthorized use.

Healthcare record breach — a hospital's electronic health record system is compromised, exposing protected health information (PHI). Both HIPAA and the applicable state breach law may apply concurrently, requiring parallel notification to HHS (via the HHS Breach Portal) and to affected state residents.

Decision boundaries

The most consequential classification decision is whether a specific incident constitutes a "breach" requiring notification or a lower-severity "security incident" permitting internal remediation only. This boundary is determined by:

Comparison across the two most frequently cited state models: California applies a broad access-based trigger with no harm requirement, while Ohio (Ohio Rev. Code § 1349.19) applies a risk-of-harm analysis before notification is mandated. For organizations subject to sector-specific cybersecurity regulations, layered obligations may require notification to multiple regulators under different timelines simultaneously.
