What are US state data breach notification laws?
US state breach notification laws require organizations to notify affected individuals — and often regulators — when unencrypted personal information is accessed or acquired without authorization. There is no single federal law for general commercial data: all 50 states plus DC and US territories have enacted their own statutes, with deadlines ranging from "without unreasonable delay" to fixed windows of 30–90 days.
Most statutes share a common trigger: unauthorized acquisition of unencrypted personal information — typically a name paired with a Social Security number, financial account number, driver's license number, or health information. Several states apply a "risk of harm" test that may exempt a breach from notification if the risk of harm to individuals is low. Encrypted data is usually exempt provided the encryption key was not also compromised.
How fast must you notify after a breach in each state?
The table below covers all 50 states plus DC. Where a state legislature has set a fixed calendar deadline, that figure is shown. Where the statute uses qualitative language ("without unreasonable delay," "in the most expedient time possible"), that language is reproduced as written, because assigning a precise day count to it would be inaccurate.

| State | Individual notice deadline | AG / regulator notification | Statute |
|---|---|---|---|
| Alabama | 45 days | AG if 1,000+ residents | Ala. Code § 8-38-1 et seq. |
| Alaska | Without unreasonable delay | AG (concurrent with individual notice) | Alaska Stat. § 45.48.010 et seq. |
| Arizona | 45 days | AG if 1,000+ residents | Ariz. Rev. Stat. § 18-552 |
| Arkansas | Without unreasonable delay | AG (concurrent) | Ark. Code § 4-110-101 et seq. |
| California | Most expedient time possible, without unreasonable delay | AG if 500+ residents | Cal. Civ. Code § 1798.82 |
| Colorado | 30 days | AG if 500+ residents (concurrent) | Colo. Rev. Stat. § 6-1-716 |
| Connecticut | 60 days | AG (concurrent with individual notice) | Conn. Gen. Stat. § 36a-701b |
| Delaware | 60 days | AG if 500+ residents | Del. Code tit. 6, § 12B-101 et seq. |
| Florida | 30 days | Dept. of Legal Affairs if 500+ residents (30 days) | Fla. Stat. § 501.171 (FIPA) |
| Georgia | Without unreasonable delay | Varies | Ga. Code § 10-1-910 et seq. |
| Hawaii | Without unreasonable delay | Varies | Haw. Rev. Stat. § 487N-1 et seq. |
| Idaho | Without unreasonable delay | AG (if large volume) | Idaho Code § 28-51-104 et seq. |
| Illinois | Without unreasonable delay | AG (concurrent if 500+ residents) | 815 ILCS 530/1 et seq. |
| Indiana | Without unreasonable delay | AG (concurrent) | Ind. Code § 24-4.9-1-1 et seq. |
| Iowa | Without unreasonable delay | AG (concurrent) | Iowa Code § 715C.1 et seq. |
| Kansas | Without unreasonable delay | Varies | Kan. Stat. § 50-7a01 et seq. |
| Kentucky | Without unreasonable delay | Varies | Ky. Rev. Stat. § 365.732 |
| Louisiana | Without unreasonable delay | AG (concurrent) | La. Rev. Stat. § 51:3071 et seq. |
| Maine | 30 days | AG (concurrent if 1,000+ residents) | Me. Rev. Stat. tit. 10, § 1347 et seq. |
| Maryland | 45 days | AG (concurrent) | Md. Code, Com. Law § 14-3501 et seq. |
| Massachusetts | As soon as reasonably possible | AG + Director of Consumer Affairs (concurrent) | Mass. Gen. Laws ch. 93H § 1 et seq. |
| Michigan | Without unreasonable delay | Varies | Mich. Comp. Laws § 445.63 et seq. |
| Minnesota | Without unreasonable delay | Varies | Minn. Stat. § 325E.61 et seq. |
| Mississippi | Without unreasonable delay | Varies | Miss. Code § 75-24-29 et seq. |
| Missouri | Without unreasonable delay | AG (concurrent if large breach) | Mo. Rev. Stat. § 407.1500 et seq. |
| Montana | Without unreasonable delay | Varies | Mont. Code § 30-14-1701 et seq. |
| Nebraska | Without unreasonable delay | AG (concurrent) | Neb. Rev. Stat. § 87-801 et seq. |
| Nevada | Without unreasonable delay | Varies | Nev. Rev. Stat. § 603A.010 et seq. |
| New Hampshire | Without unreasonable delay | AG (concurrent if 1,000+ residents) | N.H. Rev. Stat. § 359-C:19 et seq. |
| New Jersey | Without unreasonable delay | Division of State Police (concurrent) | N.J. Stat. § 56:8-163 et seq. |
| New Mexico | 45 days | AG if 1,000+ residents (concurrent) | N.M. Stat. § 57-12C-1 et seq. |
| New York | Without unreasonable delay | AG + DFS (if applicable, concurrent) | N.Y. Gen. Bus. Law § 899-aa (SHIELD Act) |
| North Carolina | Without unreasonable delay | AG (concurrent if 1,000+ residents) | N.C. Gen. Stat. § 75-65 et seq. |
| North Dakota | Without unreasonable delay | AG (concurrent) | N.D. Cent. Code § 51-30-01 et seq. |
| Ohio | 45 days | Varies | Ohio Rev. Code § 1349.19 et seq. |
| Oklahoma | Without unreasonable delay | Varies | Okla. Stat. tit. 24, § 161 et seq. |
| Oregon | 45 days | AG if 500+ residents (concurrent) | Or. Rev. Stat. § 646A.600 et seq. |
| Pennsylvania | Without unreasonable delay | Varies | 73 Pa. Stat. § 2301 et seq. |
| Rhode Island | 45 days | AG (concurrent) | R.I. Gen. Laws § 11-49.3-1 et seq. |
| South Carolina | Without unreasonable delay | Consumer Protection Division (concurrent) | S.C. Code § 39-1-90 et seq. |
| South Dakota | 60 days | AG if 250+ residents (concurrent) | S.D. Codified Laws § 22-40-20 et seq. |
| Tennessee | Without unreasonable delay | Varies | Tenn. Code § 47-18-2107 et seq. |
| Texas | 60 days | AG (concurrent for all breaches) | Tex. Bus. & Com. Code § 521.053 |
| Utah | Without unreasonable delay | AG (concurrent) | Utah Code § 13-44-101 et seq. |
| Vermont | 45 days | AG (concurrent if 1+ resident) | Vt. Stat. tit. 9, § 2430 et seq. |
| Virginia | 60 days | AG (concurrent) | Va. Code § 18.2-186.6 et seq. |
| Washington | 30 days | AG if 500+ residents (concurrent) | Wash. Rev. Code § 19.255.010 et seq. |
| West Virginia | Without unreasonable delay | Varies | W. Va. Code § 46A-2A-101 et seq. |
| Wisconsin | 45 days | Varies | Wis. Stat. § 134.98 et seq. |
| Wyoming | Without unreasonable delay | AG (concurrent) | Wyo. Stat. § 40-12-501 et seq. |
| District of Columbia | Without unreasonable delay | AG (concurrent) | D.C. Code § 28-3851 et seq. |

Important: State breach notification statutes are amended frequently. The deadlines above reflect generally prevailing requirements as of May 2026, but you should confirm current requirements with qualified legal counsel or a breach coach from a qualified IR firm before sending notices. Do not rely on this table alone for compliance decisions.
When must you notify the state Attorney General?
Many states require AG or regulatory notification when a breach crosses a resident threshold — commonly 500 or 1,000 affected state residents. Some states require AG notice for every breach regardless of size. Timing is typically concurrent with individual notice, though some states allow a short additional window.
States requiring AG notice for every breach
Texas requires AG notification for all breaches, regardless of how many residents are affected. Vermont requires AG notice even if just one resident is affected.
Examples: Texas, Vermont
States with 250–500 resident threshold
South Dakota requires AG notice when 250 or more residents are affected. California, Colorado, Oregon, and Washington set the threshold at 500 residents.
Examples: California (500+), Colorado (500+), South Dakota (250+)
States with 1,000 resident threshold
Alabama, Arizona, Maine, New Hampshire, New Mexico, and North Carolina require AG notice when 1,000 or more residents are affected.
Examples: Alabama (1,000+), Maine (1,000+), North Carolina (1,000+)
States where AG notification "varies"
Some states require AG notice based on the circumstances of the breach (e.g., type of data, sector) rather than a fixed resident count. Legal review is required.
Review statute or consult counsel
In many jurisdictions, the credit reporting agencies (Equifax, Experian, TransUnion) must also be notified if the breach affects 1,000 or more residents. Failing to notify the AG within the required window is treated as a separate violation in several states and can trigger civil penalties independent of the underlying breach.
How do federal rules interact with state laws?
State notification laws are the floor, not the ceiling. Federal sector-specific rules often impose additional — and sometimes faster — obligations that run concurrently with state deadlines. You must satisfy all applicable laws simultaneously.
- HIPAA (healthcare): Covered entities and business associates must notify affected individuals and HHS within 60 days of discovering a breach of unsecured protected health information. Breaches affecting 500 or more individuals in a state also require media notification. HIPAA is enforced by HHS OCR and can run alongside state deadlines — if a state requires 30-day notice, the 30-day deadline governs even though HIPAA allows 60 days. See healthcare breach response for the full HIPAA framework.
- GLBA (financial services): Financial institutions subject to GLBA must notify customers of breaches involving their financial information. The FTC's Safeguards Rule requires notification to the FTC as soon as possible and no later than 30 days after discovery of a breach affecting 500 or more customers. See financial services breach response.
- SEC Item 1.05 (public companies): Publicly traded companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. This obligation exists in addition to — not instead of — state notification requirements. See notification requirements for the full matrix.
Practical rule: use the shortest deadline
When multiple laws apply, the shortest deadline controls. If Florida's FIPA requires 30-day notice and HIPAA allows 60 days, you must notify within 30 days. A breach coach tracks all parallel obligations on your behalf — this is one of the most valuable functions an IR firm provides in the first 72 hours.
Frequently Asked Questions
Do all 50 US states have breach notification laws?
Yes. All 50 US states, the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands have enacted data breach notification laws. There is no single federal breach notification law for general commercial data, so each jurisdiction's statute governs independently.
What triggers a breach notification obligation under state law?
Most state laws are triggered by unauthorized acquisition of unencrypted personal information — typically a name combined with a sensitive identifier such as a Social Security number, financial account number, driver's license number, or medical information. A risk-of-harm threshold applies in some states: if the breach is unlikely to cause harm, notification may not be required.
Which state has the strictest breach notification deadline?
Florida (FIPA) and several other states require notification within 30 days of determining a breach occurred — the shortest fixed deadline in the US. Florida also requires notifying the Department of Legal Affairs within 30 days if more than 500 Florida residents are affected.
When do I have to notify the Attorney General about a data breach?
Attorney General notification thresholds vary by state. Many states require AG or regulatory notice when a breach affects 500 or 1,000 or more state residents. Some states (such as Texas) require AG notification for every breach. Some states require AG notice concurrently with individual notice; others allow a short window after.
What happens if I miss a state breach notification deadline?
Late or deficient notification can trigger civil penalties from state Attorneys General, FTC enforcement, class-action lawsuits, and reputational harm. Florida penalties can reach $500,000 per breach incident. California's AG can seek civil penalties of up to $7,500 per intentional violation of the CCPA. An incident response firm with a breach coach can help you meet all deadlines simultaneously.
Need a breach coach to manage all 50 deadlines?
Multi-state breach notification is one of the most time-critical and error-prone parts of incident response. IR firms with breach coaches manage all parallel notification tracks simultaneously, so nothing falls through the cracks.