National Data Breach Notification Laws

Data breach notification law in the United States operates through a fragmented, multi-layered structure in which no single federal statute governs all sectors, leaving compliance obligations to be assembled from 50 state laws, the District of Columbia, and sector-specific federal regimes. This page maps the regulatory landscape: which bodies set the rules, how the notice trigger mechanisms work, what timelines and content standards apply, and where the most contested compliance boundaries lie. It is intended as a reference for legal professionals, compliance officers, information security teams, and policy researchers navigating real notification obligations.


Definition and scope

A data breach notification law is a statutory or regulatory instrument that compels an entity holding personal information to disclose, within a defined period, that an unauthorized party has accessed, acquired, or is reasonably believed to have accessed personal data belonging to identifiable individuals. The core obligation is prospective harm-reduction: notification allows affected individuals to take protective action before losses materialize.

The United States does not have a single omnibus federal notification statute applicable to all industries. As of 2023, all 50 states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands had enacted breach notification laws (National Conference of State Legislatures, NCSL, State Security Breach Notification Laws). This creates a patchwork in which the applicable rule depends on the residency of the affected individual, the industry of the breached entity, and the type of data involved.

Sector-specific federal frameworks layer on top of state regimes. The Health Insurance Portability and Accountability Act (HIPAA Breach Notification Rule, 45 CFR §§ 164.400–414) governs covered entities and business associates handling protected health information. The Gramm-Leach-Bliley Act (GLBA), through the FTC's implementing Safeguards Rule (16 CFR Part 314), requires financial institutions to notify the FTC within 30 days when a breach affects 500 or more customers. The federal cybersecurity compliance requirements page catalogs additional sector overlays, including those for federal contractors and critical infrastructure operators.


Core mechanics or structure

Every breach notification regime, regardless of jurisdiction, is built from four mechanical components: (1) a trigger definition specifying what constitutes a reportable event; (2) a covered-entity scope specifying who bears the obligation; (3) a notification timeline setting the deadline; and (4) content and delivery standards specifying what the notice must say and how it must be transmitted.

Trigger definition. Most state statutes define a breach as unauthorized acquisition of computerized personal information that compromises its security, confidentiality, or integrity. A significant subset requires a risk-of-harm analysis before notification is mandatory, meaning the entity evaluates whether the exposure is likely to cause harm before the clock starts. California's original Security Breach Information Act (Cal. Civ. Code § 1798.82), enacted in 2002, was the first such state statute and remains a reference model.

Covered-entity scope. Most laws apply to any business, government agency, or nonprofit that owns, licenses, or maintains personal information about state residents — regardless of where the entity is headquartered.

Notification timelines. Timelines range from "expedient" or "reasonable" with no specific deadline (older statutes) to hard deadlines. Florida requires notification within 30 days of discovery (Fla. Stat. § 501.171). New York's SHIELD Act requires notification "in the most expedient time possible and without unreasonable delay." The HIPAA Breach Notification Rule sets a 60-day deadline from discovery for covered entities, with a 60-day extension available under specific conditions.

Content and delivery. Standard required elements include: a description of the incident, the categories of data involved, the date of the breach (or estimated date range), steps taken to investigate and contain, contact information for the entity, and recommended protective steps. Substitute notice — such as email, website posting, or statewide media — is typically authorized when the cost of direct notice exceeds a statutory threshold (e.g., $250,000 under California's statute) or when the entity lacks current contact information for more than 500,000 affected individuals.

The cybersecurity reporting obligations page details parallel regulatory reporting obligations that accompany consumer notification, including SEC disclosure rules and CISA's 72-hour cyber incident reporting requirement under CIRCIA.


Causal relationships or drivers

The proliferation of state breach notification laws traces to a market failure: before 2002, entities had no legal incentive to disclose breaches, so affected individuals could not detect identity theft or account fraud originating from a breach they were unaware of. California's 2002 statute created the first enforceable disclosure obligation, and 49 other states followed within 16 years.

Federal sector regulators subsequently used existing statutory authority to layer notification rules onto HIPAA-covered entities (HHS/OCR), financial institutions (FTC, federal banking regulators), and federal agencies (OMB Memorandum M-17-12 for federal civilian agencies).

The privacy and cybersecurity intersection page addresses how state privacy statutes — particularly the California Consumer Privacy Act and Virginia Consumer Data Protection Act — create complementary rights that interact with breach notification obligations.


Classification boundaries

Breach notification obligations diverge along four classification axes:

By data category. Nearly all state statutes restrict coverage to "personal information," defined as a combination of name plus one or more data elements: Social Security number, driver's license number, financial account credentials, medical information, or biometric data. States including California, New York, and Illinois have expanded definitions to include login credentials alone, tax identification numbers, and passport numbers.

By entity type. HIPAA applies only to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. The GLBA Safeguards Rule applies to financial institutions as defined under 15 U.S.C. § 6809. State laws typically apply to all commercial entities and often to government agencies separately.

By breach type. Physical document breaches are excluded from most state notification statutes, which are limited to computerized data. Some states (notably Massachusetts under 201 CMR 17.00) treat both electronic and paper records equivalently in their broader data security regulations, though notification obligations remain tied to electronic systems in most jurisdictions.

By harm threshold. Approximately 25 states require a harm-probability analysis before notice is mandatory; the remaining states use a strict-liability trigger where any unauthorized access to covered data activates notification regardless of likely harm. The state cybersecurity laws by state page maps these divergences by jurisdiction.


Tradeoffs and tensions

Preemption versus uniformity. Federal industry-specific regimes preempt state law only to the extent of direct conflict; state laws frequently impose stricter standards that apply even to federally regulated entities. A healthcare organization subject to both HIPAA's 60-day rule and a state's 30-day rule must satisfy the shorter deadline.

Risk-of-harm assessments versus disclosure speed. The risk-of-harm safe harbor — which allows entities to forgo notification if internal analysis concludes that affected individuals face a low probability of harm — creates a tension between accurate risk assessment and the timeliness of notice. Critics note that entities have inherent financial incentives to conclude harm is unlikely, and the assessment is rarely independently verified.

Notification fatigue versus meaningful disclosure. The Identity Theft Resource Center's 2023 Annual Data Breach Report (ITRC 2023) counts over 3,200 data compromise events publicly reported in 2023, a record high. High notification volume reduces per-notification salience, creating a tension between broad notification mandates and the ability of individuals to act meaningfully on the notices they receive.

CIRCIA harmonization. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) directed CISA to develop a unified federal reporting rule. The proposed rule, published in April 2024, covers critical infrastructure sectors and operates independently of consumer notification — applying to operational incidents whether or not personal data is involved.


Common misconceptions

Misconception: A federal law covers all data breaches. No omnibus federal breach notification statute exists. HIPAA, GLBA, and sector-specific rules each cover narrow entity categories; for entities outside those categories, state laws are the primary obligation.

Misconception: Encryption eliminates notification obligations. Encryption is a safe harbor in most state statutes only when the encryption key was not also compromised. If an attacker obtained both encrypted data and the decryption key, the safe harbor does not apply under statutes including California's § 1798.82 and New York's SHIELD Act.

Misconception: Notification to the state attorney general is universal. Attorney general notification is required in approximately 30 states, but thresholds vary. Some states require AG notification only when more than 500 residents are affected; others require it for any breach regardless of size.

Misconception: The HIPAA 60-day clock starts at discovery. The clock starts when the breach is "known" to the covered entity, which HHS/OCR interprets as when any workforce member (other than the perpetrator) has knowledge. Delayed internal escalation does not reset or pause the federal deadline.

Misconception: Vendor breaches are the customer's obligation only. Under HIPAA, a business associate that discovers a breach must notify the covered entity within 60 days, and the covered entity's timeline runs from the business associate's discovery date — not from when the covered entity learned of the event.


Checklist or steps (non-advisory)

The following sequence reflects the structural phases of breach notification compliance as described across federal and state regulatory frameworks. This is a reference map of required operational phases, not legal guidance.

  1. Incident confirmation — Determine whether unauthorized access, acquisition, or disclosure of covered personal information occurred, distinguishing security incidents from reportable breaches per applicable trigger definitions.

  2. Data mapping — Identify the specific categories of personal information involved, the number of affected individuals, and their states of residence to establish which statutes apply.

  3. Harm analysis (where applicable) — Conduct and document a risk-of-harm assessment under statutes that require it, including the HIPAA four-factor test (45 CFR § 164.402) and analogous state frameworks.

  4. Safe harbor evaluation — Assess whether encryption, access controls, or other mitigating factors qualify the incident for a notification exemption under applicable state statutes.

  5. Notification timeline mapping — Compile applicable deadlines by jurisdiction: federal (HIPAA 60 days, FTC/GLBA 30 days, SEC 4 business days for material incidents) and state-specific.

  6. Notice drafting — Prepare notices meeting the content requirements of each applicable jurisdiction: incident description, data categories, dates, remediation steps taken, entity contact information.

  7. Regulatory notification — File required reports with state attorneys general, HHS/OCR (HIPAA), the FTC (GLBA), CISA (if critical infrastructure), and the SEC (if public company with material incident).

  8. Individual notification dispatch — Deliver direct consumer notice via required channel (mail, email, or substitute notice per threshold rules) within each jurisdiction's deadline.

  9. Documentation and retention — Maintain records of the breach, assessment methodology, notifications sent, and regulatory submissions. HIPAA requires a 6-year retention period for breach documentation.


Reference table or matrix

| Regime | Governing Authority | Applicable Entities | Notification Deadline | Consumer Notice Required | Regulatory Notice Required |
|---|---|---|---|---|---|
| State statutes (50 + DC + territories) | State attorneys general | Any entity holding data on state residents | 30–90 days (varies); some "expedient" | Yes | Yes (threshold varies by state) |
| HIPAA Breach Notification Rule | HHS/OCR (45 CFR §§ 164.400–414) | Covered entities and business associates | 60 days from discovery | Yes | Yes — HHS/OCR (annual log for <500; immediate for ≥500) |
| FTC Safeguards Rule (GLBA) | FTC (16 CFR Part 314) | Non-bank financial institutions | 30 days (FTC notification for ≥500 customers) | Indirect (via FTC) | Yes — FTC |
| SEC Cybersecurity Disclosure Rule | SEC (17 CFR Parts 229, 249) | Publicly traded companies | 4 business days post-materiality determination | No (investor disclosure) | Yes — SEC Form 8-K |
| CIRCIA (proposed rule, 2024) | CISA (6 U.S.C. § 681b) | Covered critical infrastructure entities | 72 hours (incident); 24 hours (ransom payment) | No | Yes — CISA |
| FERPA (education records) | U.S. Department of Education (20 U.S.C. § 1232g) | Educational institutions receiving federal funds | No specific breach timeline in statute | Contextual | Contextual |
| CCPA/CPRA (California) | California Privacy Protection Agency (Cal. Civ. Code § 1798.82; § 1798.150) | Businesses meeting CCPA thresholds | "Expedient" / no stated deadline for civil action | Yes | AG notification required for >500 CA residents |
