US Data Breach Notification Requirements by State and Sector

Data breach notification law in the United States operates through a fragmented patchwork of 50 state statutes, multiple federal sector-specific regulations, and overlapping enforcement jurisdictions — creating compliance obligations that vary by the type of data exposed, the industry of the breached organization, and the state of residence of affected individuals. This page maps the structural framework of that patchwork: how state laws are triggered, how federal sector mandates layer on top of them, where conflicts arise, and how the major classification boundaries are drawn. Professionals navigating breach response, compliance officers structuring notification programs, and researchers studying regulatory divergence will find precise reference material here.



Definition and scope

A data breach notification requirement is a statutory or regulatory obligation compelling an entity that has experienced unauthorized access to, or acquisition of, personally identifiable information (PII) to inform affected individuals, state regulators, or federal agencies within a defined timeframe. The notification duty is triggered not by the breach event itself, but by the determination that the breach created a risk of harm — a threshold that varies materially across jurisdictions.

All 50 US states, the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands have enacted breach notification laws, a landscape documented by the National Conference of State Legislatures (NCSL). California enacted the first such statute in 2002 (California Civil Code §1798.29 and §1798.82), setting the template that most subsequent state laws followed. Despite this common ancestry, no two state statutes are identical on all key parameters.

At the federal level, sector-specific mandates independently govern organizations in healthcare, financial services, telecommunications, and critical infrastructure. These include the HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D), the FTC's Health Breach Notification Rule (16 CFR Part 318), the Gramm-Leach-Bliley Act Safeguards Rule notification provisions enforced by the FTC (16 CFR Part 314), and the CISA-administered reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA, Pub. L. 117-138). Each of these federal instruments carries its own trigger definitions, covered-entity scope, and penalty structures — and none of them preempts state law for direct consumer notification obligations.



Core mechanics or structure

The breach notification process proceeds through five structural phases regardless of jurisdiction:

1. Discovery and internal classification. The clock on most notification deadlines begins at the moment of "discovery" — defined in some statutes as the date the entity first becomes aware of the breach, and in others as the date a reasonable investigation would have uncovered it. Under the HIPAA Breach Notification Rule, a covered entity is deemed to have knowledge of a breach when any workforce member (other than the person committing the breach) becomes aware of it (45 CFR §164.404(a)(2)).

2. Risk-of-harm assessment. Most state statutes require a good-faith determination that the breach is reasonably likely to cause harm before notification is mandatory. HIPAA applies a four-factor "low probability of compromise" safe harbor: nature and extent of PHI involved, who accessed or used the information, whether access actually occurred, and extent to which risk has been mitigated (45 CFR §164.402).

3. Individual notification. Affected individuals must receive written, electronic, or substitute notice depending on statute. California's CCPA and its successor amendments under AB 1130 (2019) and SB 1120 establish some of the broadest definitions of covered personal information in any state statute.

4. Regulator notification. Forty-seven states require notification to the state attorney general or a designated privacy office when a breach exceeds a defined threshold — commonly 500 or 1,000 affected residents, though thresholds differ. HIPAA requires notification to HHS within 60 days for breaches affecting 500 or more individuals in a single state or jurisdiction (45 CFR §164.408).

5. Media notification (conditional). Breaches affecting 500 or more residents of a state within a 12-month period trigger a HIPAA requirement to notify "prominent media outlets" in that state — a provision absent from most state statutes but uniquely impactful for healthcare entities.


Causal relationships or drivers

The fragmentation of US breach notification law has four primary structural drivers:

Absence of a federal omnibus statute. Despite legislative efforts in every Congress since 2003, no single federal breach notification law governing all sectors and preempting state law has been enacted. The result is that an entity breached in one event may owe notification obligations to the residents of 50 different states under 50 different legal frameworks simultaneously.

Expanding definitions of personal information. Each state legislature independently defines what data elements constitute "personal information" triggering notification obligations. Early statutes covered only Social Security numbers plus financial account credentials. Colorado's HB 18-1128 (2018) added biometric data. Illinois added usernames with passwords. New York's SHIELD Act (2019) expanded to include biometric identifiers, account usernames, and email addresses paired with security question answers. This definitional drift means a breach of a single data type may or may not trigger obligations across multiple states.

Sector-specific federal preemption gaps. Federal statutes like HIPAA partially preempt contrary state law, but only as to their regulated entities and only where a state law is "less protective" than the federal standard (45 CFR §160.203). A state law that is more protective than HIPAA survives preemption, meaning healthcare entities may simultaneously owe HIPAA notification and stricter state notification.

Rising enforcement activity. HHS OCR's enforcement of the HIPAA Breach Notification Rule has accelerated since 2016, with civil monetary penalty settlements publicly documented in its enforcement portal. State attorneys general have similarly increased direct enforcement actions against entities failing to provide timely notification — New York, California, and Washington have been the most active enforcement states in documented public records.


Classification boundaries

Data breach notification obligations sort along three primary axes:

By data category. The most foundational boundary is whether exposed data falls within a statute's definition of covered personal information. Medical information, financial account numbers, government-issued identifiers, and biometric data are universally covered across all 50 state statutes. Login credentials, precise geolocation data, and genetic information are covered in a subset of states — with California (Cal. Civ. Code §1798.81.5) among the most expansive.

By entity type. Covered entities under HIPAA (healthcare providers, health plans, healthcare clearinghouses) face the federal notification framework plus applicable state law. Financial institutions subject to the Gramm-Leach-Bliley Act face the FTC Safeguards Rule's notification obligations and, for bank-supervised entities, the interagency notification rule finalized by the OCC, FRB, FDIC, and NCUA in 2021 requiring notification to banking regulators within 36 hours of a computer security incident that materially disrupts operations. Entities not subject to a federal sector framework face state law alone.

By breach type. Encryption safe harbors appear in 47 state statutes and in HIPAA — breaches of properly encrypted data where the encryption key was not also compromised are generally exempt from notification requirements. Ransomware incidents where data was encrypted by an attacker but not exfiltrated occupy a contested zone: HHS guidance issued in 2022 states that ransomware events presumptively constitute HIPAA breaches unless a low probability of compromise can be affirmatively demonstrated.


Tradeoffs and tensions

Speed versus accuracy. Forty-five states set notification deadlines ranging from 30 days (Florida, Fla. Stat. §501.171) to 90 days, with a handful permitting "expedient" timing without a fixed deadline. The tension between rapid notification — which may be based on incomplete forensics — and delayed notification — which improves accuracy but extends victim exposure — has no universally correct resolution. HIPAA's 60-day outer limit represents a middle-ground policy choice, not a safety threshold.

Consumer protection versus organizational burden. Broader definitions of covered personal information increase the frequency of notification obligations, which some stakeholders argue creates notification fatigue among consumers who receive breach notices so frequently that the warnings lose salience. Narrower definitions reduce burden but leave more breach events unreported to affected individuals.

Uniform national standard versus state autonomy. Proposals for federal preemptive breach notification legislation consistently generate opposition from state attorneys general and consumer advocacy organizations who argue that state standards have historically outpaced federal minimum floors — a position supported by the trajectory of California, New York, and Colorado statutes.

Regulator notification versus public disclosure. Under HIPAA, the HHS "Wall of Shame" — the public breach portal at HHS OCR — publicly discloses all breaches affecting 500 or more individuals, creating reputational consequences independent of regulatory penalties. Most state attorney general notification requirements do not mandate equivalent public disclosure, creating asymmetric transparency across sectors.


Common misconceptions

Misconception: Encrypting breached data always eliminates notification obligations.
Correction: Encryption safe harbors require that the encryption meet a defined standard and that the cryptographic key was not also compromised. If the attacker obtained both the encrypted data and the decryption key, the safe harbor does not apply. HIPAA's low-probability-of-compromise analysis must still be conducted regardless of encryption status.

Misconception: A single federal law governs all breach notifications.
Correction: No omnibus federal breach notification statute exists for all sectors. HIPAA governs healthcare entities; the FTC Health Breach Notification Rule governs personal health record vendors not covered by HIPAA; the GLB Safeguards Rule governs financial institutions; CIRCIA governs critical infrastructure sectors. For all entities and individuals not covered by a federal sector mandate, the applicable law is the state statute of each affected individual's state of residence.

Misconception: Notification is only required when data is confirmed stolen.
Correction: Most statutes trigger notification upon "unauthorized access" or "unauthorized acquisition," not confirmed theft or confirmed misuse. Under Florida's breach statute (Fla. Stat. §501.171), unauthorized access to unencrypted data triggers the notification obligation regardless of whether misuse is documented.

Misconception: The 60-day HIPAA clock starts at the breach date.
Correction: The 60-day clock begins at the date of discovery by the covered entity, not the date the breach occurred. A breach that began months before discovery still permits 60 days from discovery for individual notification, though delay in discovering a breach may itself constitute a HIPAA Security Rule violation.

Misconception: Small organizations are exempt from state notification requirements.
Correction: No US state breach notification statute establishes a small-business exemption from notification obligations. Employee count or revenue thresholds affect obligations under California's CCPA for the broader privacy regime, but the breach notification duty under California Civil Code §1798.82 applies to any business that owns or licenses personal information of California residents, regardless of size.


Notification compliance checklist

The following sequence reflects the structural phases that breach notification programs must execute — presented as a reference framework, not as legal instruction:

  1. Document the discovery date — the point at which any employee, system, or log first indicated unauthorized access; this timestamp anchors all statutory deadlines.
  2. Identify data elements exposed — map each compromised field against the covered-data definitions in each applicable state statute and federal regulation.
  3. Determine residency of affected individuals — notification obligations run to the state of residence of each affected person, not the state of the breached organization.
  4. Apply encryption and safe harbor tests — document whether encryption was in place, the encryption standard used, and whether the encryption key was compromised.
  5. Conduct risk-of-harm assessment — for HIPAA, complete the four-factor low-probability-of-compromise analysis; for state statutes with harm-threshold triggers, document the assessment in writing.
  6. Map applicable federal sector mandates — determine whether HIPAA, FTC Health Breach Notification Rule, GLB Safeguards Rule, or CIRCIA apply to the entity or to the category of data breached.
  7. Draft individual notification content — each statute specifies required content elements; California requires description of the incident, data elements involved, and contact information for the entity; HIPAA requires a description of what happened, data types involved, steps taken to protect individuals, steps individuals can take, and contact information (45 CFR §164.404(c)).
  8. Execute regulator notification — file with state attorney general offices for each affected state meeting threshold counts; file HHS notification for covered HIPAA breaches; file banking regulator notifications within 36-hour window if applicable.
  9. Evaluate media notification trigger — apply the HIPAA 500-in-a-single-state threshold; apply any equivalent state media-notification requirements.
  10. Retain documentation — HIPAA requires covered entities to maintain breach-related documentation for 6 years from the date of creation or last effective date (45 CFR §164.414(b)).



Reference table or matrix

| Jurisdiction / Mandate | Trigger Standard | Individual Notice Deadline | Regulator Notice Deadline | Encryption Safe Harbor | Key Data Scope |
|---|---|---|---|---|---|
| HIPAA Breach Notification Rule (45 CFR Part 164, Subpart D) | Low probability of compromise not demonstrated | 60 days from discovery | 60 days (≥500); annual report (<500) | Yes (if key not compromised) | ePHI (healthcare data) |
| FTC Health Breach Notification Rule (16 CFR Part 318) | Unauthorized access to identifiable health information | 60 days from discovery | 10 business days to FTC (≥500) | Not explicitly defined | PHR identifiable health data |
| GLB Safeguards Rule / Interagency Rule (16 CFR Part 314; OCC/FRB/FDIC/NCUA 2021 rule) | Computer security incident materially disrupting operations | Notification to customers without unreasonable delay | 36 hours to banking regulator | Yes | Financial account data |
| CIRCIA (2022) (Pub. L. 117-138; CISA rulemaking) | Substantial cyber incident or ransomware payment | None (reporting to CISA only; no individual notification) | 72 hours (incident); 24 hours (ransom payment), to CISA | N/A | Critical infrastructure sectors |
| California (Cal. Civ. Code §1798.82) | Unauthorized acquisition; reasonable risk of harm | Most expedient time possible; delay permitted only for law enforcement needs | AG notification if >500 CA residents | Yes | SSN, financial data, medical info, login credentials, biometric, geolocation |
| Florida (Fla. Stat. §501.171) | Unauthorized access | 30 days from determination | 30 days to AG | | |
