Last reviewed: April 2026
U.S. data breach notification laws are primarily state-based, which means incident response teams often need a practical, state-by-state view to quickly determine who must be notified, what must be included, and how fast notices must go out. This guide is designed to be update-friendly: it uses a consistent structure, emphasizes “what to do” actions, and avoids statute-by-statute quoting so you can maintain it over time.
Important: This article is general information, not legal advice. Always confirm requirements for your organization’s facts (including sector rules like HIPAA, GLBA, and state-specific definitions of personal information).
How state breach notification requirements generally work
Most states require notification when there is unauthorized acquisition or access to certain categories of personal information (PII) that creates a risk of harm, fraud, or misuse. The exact trigger (access vs. acquisition), the definition of PII, and required recipients vary by state.
In addition to state rules, some organizations must follow federal or sector regulations. For example, covered entities and business associates under HIPAA must follow the HHS Breach Notification Rule for protected health information (PHI), which can run alongside state requirements.
What to do first (works in every state)
Use the steps below as your default playbook, then layer in the state-specific items from the state section.
- Contain and preserve evidence: isolate affected systems, rotate credentials, preserve logs, and document timelines.
- Determine scope and data types: identify whose data was affected, what data elements were involved, and whether the data was encrypted or otherwise protected.
- Map affected individuals to states: notification obligations typically depend on the state of residence of impacted individuals (not where your company is located).
- Assess notification triggers and exceptions: many states have exceptions for encrypted data or require a risk-of-harm analysis.
- Prepare notices and regulator reports: tailor content, delivery method, and timing to each state’s rules and thresholds.
- Coordinate with law enforcement when appropriate: many states allow delay if law enforcement determines notice would impede an investigation.
For practical incident-response checklists and notice drafting tips, align your process with the FTC’s data breach response guide for businesses.
How to use the state-by-state section (maintainable format)
Each state summary follows the same fields so updates are easy. When you review or update a state, only edit those bullets.
- Trigger: the typical event and PII concept the statute covers.
- Notify individuals: whether consumer notice is required and common delivery options.
- Notify regulators/others: whether the attorney general, consumer protection agency, or credit bureaus must be notified above a threshold.
- Timing: whether there is a fixed deadline or a “without unreasonable delay” standard.
- Notable notes: common content requirements, substitutes, or special thresholds.
State-by-state summaries
Alabama
- Trigger: Unauthorized acquisition of sensitive personally identifying information.
- Notify individuals: Yes, if misuse is reasonably likely to occur.
- Notify regulators/others: Often required for larger incidents involving many residents.
- Timing: Generally without unreasonable delay; may include an outside maximum in statute.
- Notable notes: Written incident response program requirements may apply to covered entities.
Alaska
- Trigger: Unauthorized acquisition of personal information.
- Notify individuals: Yes.
- Notify regulators/others: May require notice to the attorney general for significant events.
- Timing: Without unreasonable delay (law enforcement delay permitted).
- Notable notes: Substitute notice may be allowed if costs/volume exceed thresholds.
Arizona
- Trigger: Security incident involving personal information; risk-based concepts may apply.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required above certain resident counts.
- Timing: Without unreasonable delay; check statute for any outer limit.
- Notable notes: Content elements and substitute notice rules apply.
Arkansas
- Trigger: Unauthorized acquisition of computerized data containing personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required over a threshold.
- Timing: Without unreasonable delay.
- Notable notes: Particular requirements can apply to disposal and vendor arrangements.
California
- Trigger: Breach of security of a system containing specified personal information.
- Notify individuals: Yes; specific formatting/content rules can apply (including sample headings).
- Notify regulators/others: Attorney general notice required if the breach affects more than a defined number of residents.
- Timing: In the most expedient time possible and without unreasonable delay.
- Notable notes: Substitute notice permitted under conditions; some industries have additional requirements.
Colorado
- Trigger: Unauthorized acquisition of unencrypted personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice for larger incidents is commonly required.
- Timing: A fixed outside deadline may apply; prompt notice is also required.
- Notable notes: Strong vendor notification obligations; maintain documentation of investigations.
Connecticut
- Trigger: Breach involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice is typically required.
- Timing: A statutory outside deadline may apply; law enforcement delay permitted.
- Notable notes: Credit monitoring requirements may apply for certain data types/incidents.
Delaware
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes; risk-of-harm analysis may be part of the trigger.
- Notify regulators/others: Attorney general and/or consumer protection notice may be required over thresholds.
- Timing: Without unreasonable delay; an outside limit may exist.
- Notable notes: Requires reasonable security practices for covered entities.
District of Columbia
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: District regulator notification may be required for significant events.
- Timing: Without unreasonable delay (law enforcement delay permitted).
- Notable notes: Substitute notice rules and content requirements apply.
Florida
- Trigger: Unauthorized access to personal information.
- Notify individuals: Yes.
- Notify regulators/others: State regulator notice required above certain thresholds.
- Timing: A relatively short outside maximum deadline is set by statute; verify current number of days.
- Notable notes: Detailed content requirements and documentation expectations for investigations.
Georgia
- Trigger: Unauthorized acquisition of computerized data containing personal information.
- Notify individuals: Yes.
- Notify regulators/others: Notice to credit reporting agencies may be required above certain thresholds.
- Timing: Without unreasonable delay.
- Notable notes: Substitute notice permitted if cost/volume exceeds thresholds.
Hawaii
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: State regulator notice may apply for significant incidents.
- Timing: Without unreasonable delay.
- Notable notes: Expands personal information definition compared to older statutes.
Idaho
- Trigger: Unauthorized acquisition of computerized data containing personal information.
- Notify individuals: Yes.
- Notify regulators/others: Notice to credit bureaus may be required above thresholds.
- Timing: Without unreasonable delay.
- Notable notes: Substitute notice permitted under cost/volume conditions.
Illinois
- Trigger: Unauthorized acquisition of computerized data containing personal information.
- Notify individuals: Yes; may require notice for broader data elements than some states.
- Notify regulators/others: Attorney general notice may be required for larger incidents.
- Timing: Without unreasonable delay; verify any specific reporting timelines for regulators.
- Notable notes: Requirements may apply to data brokers and certain entities.
Indiana
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required above a resident threshold.
- Timing: Without unreasonable delay.
- Notable notes: Credit bureau notice may apply in large breaches.
Iowa
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required above thresholds.
- Timing: Without unreasonable delay.
- Notable notes: Some entities (e.g., regulated financial institutions) may have parallel obligations.
Kansas
- Trigger: Unauthorized acquisition of unencrypted computerized data containing personal information.
- Notify individuals: Yes.
- Notify regulators/others: State regulator notice may be required in certain cases.
- Timing: As soon as possible.
- Notable notes: Substitute notice available under cost/volume triggers.
Kentucky
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required for large incidents.
- Timing: Without unreasonable delay.
- Notable notes: Pay attention to definitions of personal information for affected data types.
Louisiana
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice often required for significant events.
- Timing: Without unreasonable delay; verify any deadline for regulator notification.
- Notable notes: Requires reasonable security measures for personal information.
Maine
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: State regulator notice is commonly required; credit bureaus may be required above thresholds.
- Timing: Without unreasonable delay; confirm regulator timing requirements.
- Notable notes: Some public reporting may occur through state processes once notified.
Maryland
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes, after investigation; risk-of-harm concepts may apply.
- Notify regulators/others: Attorney general/consumer protection notice may be required; credit bureaus for large breaches.
- Timing: Without unreasonable delay; verify any specific regulator notice timing.
- Notable notes: Strong content requirements and substitute notice rules.
Massachusetts
- Trigger: Unauthorized acquisition or use of personal information that creates a substantial risk of identity theft or fraud.
- Notify individuals: Yes, but notice content is restricted (often must not include certain sensitive details).
- Notify regulators/others: Attorney general and consumer affairs regulator notice is typically required.
- Timing: As soon as practicable and without unreasonable delay.
- Notable notes: Extensive security program requirements apply to many organizations holding MA residents’ data.
Michigan
- Trigger: Breach of security involving sensitive personal information.
- Notify individuals: Yes.
- Notify regulators/others: Regulator notice may be required above thresholds; credit bureau notice may also apply.
- Timing: Without unreasonable delay; check statute for any specified limits.
- Notable notes: Content and substitute notice requirements apply.
Minnesota
- Trigger: Unauthorized acquisition of unencrypted personal information.
- Notify individuals: Yes.
- Notify regulators/others: In some cases, affected consumers must be offered identity protection services.
- Timing: Without unreasonable delay.
- Notable notes: Particular service-provider and encryption-related considerations.
Mississippi
- Trigger: Unauthorized acquisition of unencrypted personal information.
- Notify individuals: Yes.
- Notify regulators/others: May require notice to the attorney general above thresholds.
- Timing: Without unreasonable delay; check for any outside deadline.
- Notable notes: Substitute notice permitted under defined conditions.
Missouri
- Trigger: Unauthorized access to and acquisition of personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required for significant incidents.
- Timing: As soon as practicable and without unreasonable delay.
- Notable notes: Review whether encryption safe harbors apply.
Montana
- Trigger: Unauthorized acquisition of unencrypted personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required above certain thresholds.
- Timing: Without unreasonable delay; check any regulator timeline.
- Notable notes: Substitute notice allowed in defined circumstances.
Nebraska
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes, when misuse is reasonably likely (risk-based trigger).
- Notify regulators/others: Attorney general notice may be required above thresholds.
- Timing: Without unreasonable delay.
- Notable notes: Pay close attention to the risk-of-harm assessment documentation.
Nevada
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Regulator notice may apply in certain cases.
- Timing: Without unreasonable delay.
- Notable notes: Strong encryption requirements and special provisions for certain entities.
New Hampshire
- Trigger: Unauthorized acquisition of unencrypted personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required; credit bureaus for large breaches.
- Timing: As soon as possible.
- Notable notes: Written notice content requirements can be specific.
New Jersey
- Trigger: Unauthorized access to electronic files, media, or data containing personal information.
- Notify individuals: Yes.
- Notify regulators/others: State police/consumer affairs notice may be required before consumer notice; credit bureaus for large incidents.
- Timing: Most expedient time possible and without unreasonable delay.
- Notable notes: Check sequencing requirements (regulator notice may precede consumer notice).
New Mexico
- Trigger: Security breach involving personal information.
- Notify individuals: Yes; risk-of-harm concepts may apply.
- Notify regulators/others: Attorney general notice required for significant incidents.
- Timing: Without unreasonable delay; an outside limit may apply.
- Notable notes: Requirements for data processors and reasonable security measures.
New York
- Trigger: Unauthorized access to or acquisition of private information.
- Notify individuals: Yes.
- Notify regulators/others: Multiple agencies may require notice, depending on the entity and scale; credit bureaus may also be required.
- Timing: In the most expedient time possible and without unreasonable delay.
- Notable notes: Comprehensive security program requirements apply to many covered entities.
North Carolina
- Trigger: Security breach involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice required if affected residents exceed a threshold.
- Timing: Without unreasonable delay.
- Notable notes: Written incident documentation and substitute notice rules apply.
North Dakota
- Trigger: Unauthorized acquisition of unencrypted personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required for significant incidents.
- Timing: Without unreasonable delay.
- Notable notes: Review any state guidance for content expectations.
Ohio
- Trigger: Unauthorized access to and acquisition of personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required above thresholds; credit bureaus for large incidents.
- Timing: A statutory outside maximum deadline may apply; confirm current number of days.
- Notable notes: Safe harbor concepts may exist for organizations with certain security programs.
Oklahoma
- Trigger: Breach of system security involving personal information.
- Notify individuals: Yes, when misuse is reasonably likely (risk-based trigger).
- Notify regulators/others: Attorney general notice may be required if resident count exceeds thresholds.
- Timing: Without unreasonable delay.
- Notable notes: Maintain documentation supporting any risk-of-harm decision.
Oregon
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required for significant incidents.
- Timing: Without unreasonable delay; an outside maximum may apply.
- Notable notes: Vendor/service provider notice requirements can be specific.
Pennsylvania
- Trigger: Unauthorized access and acquisition of unencrypted and unredacted personal information.
- Notify individuals: Yes.
- Notify regulators/others: Consumer protection or attorney general-related notice may apply in some cases; credit bureaus may be required over thresholds.
- Timing: Without unreasonable delay.
- Notable notes: Some sector regulators may also require notice depending on entity type.
Rhode Island
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required; credit bureaus for large incidents.
- Timing: Without unreasonable delay; confirm any specific regulator deadline.
- Notable notes: Requires reasonable security procedures and vendor obligations.
South Carolina
- Trigger: Unauthorized access to and acquisition of unencrypted personal information.
- Notify individuals: Yes.
- Notify regulators/others: Consumer affairs/attorney general notice may be required over thresholds.
- Timing: Without unreasonable delay.
- Notable notes: Consider whether a “material risk of identity theft” test applies.
South Dakota
- Trigger: Breach of system security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required when resident counts exceed thresholds.
- Timing: Without unreasonable delay; check any outside deadline.
- Notable notes: Substitute notice available under conditions.
Tennessee
- Trigger: Unauthorized acquisition of unencrypted computerized data containing personal information.
- Notify individuals: Yes.
- Notify regulators/others: Credit bureau notice may be required over thresholds.
- Timing: Without unreasonable delay.
- Notable notes: Confirm whether special rules apply to information brokers.
Texas
- Trigger: Breach of system security involving sensitive personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice often required for significant resident counts.
- Timing: Without unreasonable delay; statute may include an outside maximum for consumer notice.
- Notable notes: Also has specific requirements for reporting to the attorney general and potentially to consumer reporting agencies.
Utah
- Trigger: Unauthorized acquisition or use of personal information; risk-based threshold may apply.
- Notify individuals: Yes, if misuse is likely or has occurred.
- Notify regulators/others: Attorney general notice may be required above thresholds.
- Timing: Without unreasonable delay.
- Notable notes: Document the risk analysis supporting notice decisions.
Vermont
- Trigger: Security breach involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice is commonly required and may have detailed content requirements.
- Timing: Without unreasonable delay; check statute for any specific regulator timelines.
- Notable notes: May require additional details such as incident descriptions and remediation steps.
Virginia
- Trigger: Unauthorized access and acquisition of unencrypted and unredacted personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required when resident counts exceed thresholds; credit bureaus may be required for large incidents.
- Timing: Without unreasonable delay.
- Notable notes: Substitute notice permitted for high-cost/high-volume events.
Washington
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice required for significant incidents.
- Timing: A statutory outside deadline may apply for consumer and/or regulator notice; confirm current number of days.
- Notable notes: Requires specified content elements, including contact information and types of data involved.
West Virginia
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required above thresholds.
- Timing: Without unreasonable delay.
- Notable notes: Confirm whether consumer protection agency guidance affects content.
Wisconsin
- Trigger: Unauthorized acquisition of personal information.
- Notify individuals: Yes.
- Notify regulators/others: Consumer protection/attorney general notice may be required for large incidents; credit bureau notice may also apply.
- Timing: Within a reasonable time.
- Notable notes: Content and substitute notice requirements apply.
Wyoming
- Trigger: Breach of security involving personal information.
- Notify individuals: Yes.
- Notify regulators/others: Attorney general notice may be required above thresholds.
- Timing: Without unreasonable delay.
- Notable notes: Review definitions of personal information for expanded data types.
Puerto Rico and other U.S. territories
U.S. territories and commonwealths may have their own breach notice requirements. If your incident impacts residents of Puerto Rico, Guam, U.S. Virgin Islands, American Samoa, or Northern Mariana Islands, treat each jurisdiction like a “state” in your matrix and verify the applicable local statute and regulator contacts.
Multi-state incidents: a practical compliance approach
When one incident impacts residents in multiple states, the simplest operational method is to comply with the strictest common elements across impacted states (for timing, content, delivery method, and regulator reporting), then add any unique requirements for specific states (for example, special formatting rules or additional regulator notices).
- Build a resident-by-state count: this drives whether attorney general and credit bureau notice thresholds are triggered.
- Create a “notice package”: one core consumer notice plus state addenda for special content restrictions or required headings.
- Track deadlines in a single timeline: list the earliest statutory outside deadline (if any) and back-plan drafting, printing, and mailing.
- Document decision points: encryption status, risk-of-harm assessment, law enforcement delay requests, and regulator communications.
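The four steps above, as an added example that is not part of the original guide: a small Python planner that takes a constructed list of affected individuals plus a placeholder rule matrix, builds the resident-by-state count (deduplicating people, since thresholds count residents, not rows), flags which regulator and credit bureau thresholds are crossed, routes jurisdictions missing from the matrix to manual review, and picks the earliest fixed deadline to back-plan from. Every threshold and day count in RULES is an assumption, not a statutory value, and must be replaced with figures verified against the current law.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class StateRule:
    """Per-jurisdiction parameters the planner needs. None means 'not applicable'."""
    ag_threshold: Optional[int]     # resident count at or above which regulator notice is due
    cra_threshold: Optional[int]    # resident count at or above which credit bureau notice is due
    deadline_days: Optional[int]    # fixed outside deadline in days after discovery; None = no fixed number
    regulator_first: bool = False   # regulator notice must go out before consumer notice


# PLACEHOLDER matrix: these numbers are constructed for the example and are NOT
# statutory values. Replace each entry with figures verified against the current law.
RULES: Dict[str, StateRule] = {
    "CA": StateRule(ag_threshold=500, cra_threshold=None, deadline_days=None),
    "FL": StateRule(ag_threshold=500, cra_threshold=1000, deadline_days=30),
    "NJ": StateRule(ag_threshold=1, cra_threshold=1000, deadline_days=None, regulator_first=True),
    "WA": StateRule(ag_threshold=500, cra_threshold=None, deadline_days=30),
}


def count_residents(affected: Iterable[Tuple[str, str]]) -> Counter:
    """Build the resident-by-state count from (person_id, state) pairs.

    The same person often appears in several exported rows (multiple accounts,
    duplicate records), so distinct ids are counted per jurisdiction, not rows.
    State codes are normalised so 'ca ' and 'CA' land in the same bucket.
    """
    seen = set()
    counts: Counter = Counter()
    for person_id, state in affected:
        key = (person_id.strip(), state.strip().upper())
        if key in seen:
            continue
        seen.add(key)
        counts[key[1]] += 1
    return counts


def evaluate(counts: Counter, rules: Dict[str, StateRule], discovered: date) -> dict:
    """Apply the matrix: which thresholds are crossed, which jurisdictions have no
    matrix entry (manual review), which require regulator-first sequencing, and the
    earliest fixed deadline across all impacted states (the strictest common element)."""
    report = {"states": {}, "needs_review": [], "regulator_first": [], "earliest_deadline": None}
    for state, n in sorted(counts.items()):
        rule = rules.get(state)
        if rule is None:
            # Territories or unmapped codes: treat like a state and verify by hand.
            report["needs_review"].append(state)
            continue
        entry = {
            "residents": n,
            "ag_notice": rule.ag_threshold is not None and n >= rule.ag_threshold,
            "cra_notice": rule.cra_threshold is not None and n >= rule.cra_threshold,
            "deadline": (discovered + timedelta(days=rule.deadline_days)
                         if rule.deadline_days is not None else None),
        }
        report["states"][state] = entry
        if rule.regulator_first:
            report["regulator_first"].append(state)
        if entry["deadline"] is not None and (report["earliest_deadline"] is None
                                              or entry["deadline"] < report["earliest_deadline"]):
            report["earliest_deadline"] = entry["deadline"]
    return report


# Constructed sample export of (person_id, state of residence): two CA residents
# (one duplicated across rows), 600 FL residents, one NJ resident, one PR resident.
SAMPLE = ([("u1", "CA"), ("u2", "ca "), ("u1", "CA"), ("u4", "NJ"), ("u5", "PR")]
          + [(f"fl{i}", "FL") for i in range(600)])

if __name__ == "__main__":
    print(evaluate(count_residents(SAMPLE), RULES, date(2026, 4, 1)))
```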
What your consumer notice should usually include
While each state differs, most consumer notices are expected to clearly explain what happened and what the affected person can do next. A strong notice package typically includes:
- What happened: a plain-language description and the date range (if known).
- What information was involved: categories of data elements (avoid disclosing unnecessary sensitive specifics if prohibited by the state).
- What you are doing: containment, remediation, and support measures (e.g., call center, monitoring).
- What the person can do: password changes, fraud alerts, credit freezes, account monitoring.
- How to reach you: a toll-free number, mailing address, email or web support.
FAQs
Do I notify based on where my company is located or where the person lives?
In most cases, state notification obligations are driven by the affected person’s state of residence. That is why resident mapping is a critical early step.
Are encrypted records always exempt from notification?
Many states provide a safe harbor for properly encrypted data, but requirements vary. Some states treat encrypted data as not reportable unless the encryption key was also compromised or the encryption was not effective.
Can we delay notification?
Many states allow delay if law enforcement determines that notice would impede a criminal investigation. The delay is usually limited to the period requested by law enforcement, and notice must proceed promptly afterward.
Do we have to notify the attorney general in every state?
No. Some states require regulator notice for any reportable incident, while many require it only when affected resident counts exceed a threshold. Use the “Notify regulators/others” field in each state summary as your starting point, then confirm the current statute for thresholds and where to send reports.
How often should we update this guide?
Plan a quarterly review for major changes and an annual full review. A good maintenance routine is to (1) re-check states with recent legislative activity, (2) verify regulator submission portals and email addresses, and (3) spot-check definitions of personal information as they often expand over time.
Quick takeaway
State data breach notification laws share a common goal—rapid, clear notice to people at risk—but the details differ. Use the universal steps to stabilize the incident, then apply the state summaries to finalize who to notify, when, and with what content.
