US Data Breach Notification Laws

Data breach notification laws in the United States establish mandatory timelines, content requirements, and recipient obligations when organizations experience unauthorized access to protected personal information. The US framework is fragmented across the statutes of all 50 states (plus the District of Columbia and three territories), federal sector-specific regulations, and emerging federal-level rulemaking, creating a compliance matrix that affects every industry handling consumer data. Understanding the structural boundaries of these laws is essential for legal, compliance, and security professionals operating in any regulated sector.

Definition and scope

A data breach notification law is a statute or regulation requiring covered entities to inform affected individuals, regulatory agencies, or both when a security incident results in unauthorized access to, or acquisition of, personally identifiable information (PII) or protected data categories. All 50 US states, the District of Columbia, Puerto Rico, Guam, and the US Virgin Islands have enacted breach notification statutes (National Conference of State Legislatures, NCSL State Security Breach Notification Laws).

Scope varies significantly across jurisdictions on four primary dimensions:

  1. Covered data types — Most statutes protect an individual's name combined with a Social Security number, driver's license number, or financial account number together with any code or password that permits access to the account. Some states, California among them (Cal. Civ. Code § 1798.82, the state's breach notification statute, which is distinct from the California Consumer Privacy Act), extend coverage to medical and health insurance information, biometric data, and online account credentials.
  2. Covered entities — Statutes apply to businesses, nonprofits, and government agencies that collect or maintain data on residents of the enacting state, regardless of where the organization is headquartered.
  3. Triggering threshold — A breach is generally defined as unauthorized acquisition of unencrypted computerized personal information; some states also trigger on unauthorized access alone. Encrypted data is typically excluded from notification triggers, but only if the encryption key (or other credential needed to decrypt) was not also acquired; encryption whose key was compromised provides no safe harbor.
  4. Regulatory layering — Federal sector regulations impose additional obligations on top of state statutes. HIPAA's Breach Notification Rule (45 CFR §§ 164.400–414) governs covered healthcare entities and their business associates; the FTC's Health Breach Notification Rule (16 CFR Part 318) covers health apps and other vendors of personal health records not covered by HIPAA; the SEC's cybersecurity disclosure rules (Regulation S-K Item 106, 17 CFR § 229.106, and Form 8-K Item 1.05) require public companies to disclose a material cybersecurity incident within four business days of determining that it is material.

Cybersecurity incident reporting requirements operate in parallel with notification laws and often share overlapping definitions of "incident" and "breach."

How it works

The operational mechanics of breach notification follow a structured sequence:

  1. Discovery — The notification clock starts at discovery: when the organization determines, or reasonably should have determined, that a breach occurred. State laws differ on whether deadlines run from the date of unauthorized access or the date of detection, so the incident record should capture both dates.
  2. Deadline and investigation window — Organizations conduct a forensic investigation to determine scope, data categories affected, and number of individuals impacted, but the statutory deadline runs regardless of how long that investigation takes. Some statutes set a fixed outer limit measured from discovery, such as 30 days under Florida's statute (Fla. Stat. § 501.171); others, including North Carolina's (N.C. Gen. Stat. § 75-65), require notice "without unreasonable delay", which allows time to determine the scope of the breach and restore system integrity but not open-ended postponement. Nearly all jurisdictions permit delay at the request of law enforcement.
  3. Notification to individuals — Written notice (physical mail, email under specified conditions, or substitute notice for large-scale breaches) must include: a description of what happened, the data types involved, steps taken to contain the breach, and recommended protective actions for recipients.
  4. Notification to regulators — A majority of states require notification to the state attorney general (or another designated state agency) once a breach affects more than a statutory threshold of residents, commonly 500 or 1,000, and several require regulator notice for any breach regardless of size. Federal agencies including HHS and the FTC maintain separate reporting portals.
  5. Third-party and vendor obligations — Service providers that maintain data on behalf of covered entities are frequently required to notify the contracting business within a defined window (commonly 10 to 30 days) to allow the covered entity to meet its own statutory deadlines.

Cyber incident response compliance frameworks detail how investigation, containment, and notification phases integrate into formal incident response programs.

Common scenarios

Healthcare sector breach — A hospital's electronic health record system is accessed by an unauthorized third party, exposing protected health information for 600 patients. Because the breach affects 500 or more individuals, HIPAA's Breach Notification Rule requires individual notification without unreasonable delay and no later than 60 days after discovery, and notification to HHS within the same 60-day period. Media notice is required only if more than 500 residents of a single state or jurisdiction are affected. Breaches affecting fewer than 500 individuals in total are instead logged and submitted to HHS annually, within 60 days after the end of the calendar year. HIPAA cybersecurity requirements govern the broader security program surrounding this obligation.

Multi-state retail breach — A retailer's payment system is compromised, exposing payment card data for customers across 22 states. The organization must satisfy the breach notification statute of each state in which affected residents reside, resulting in 22 potentially different content requirements, timelines, and regulator notification obligations. The card brands' operating rules, layered on PCI DSS (PCI Security Standards Council), impose separate incident notification timelines that are often shorter than state statutes.

Business email compromise affecting financial data — An employee's email account is accessed, exposing wire transfer account numbers. Even absent a system-level intrusion, most state statutes treat exposure of financial account credentials as a notifiable breach.

Decision boundaries

The threshold questions that determine notification obligations:

  1. Does the exposed information fall within the enacting state's definition of personal information (name combined with a Social Security number, driver's license number, or financial account data, and in some states medical, biometric, or login data)?
  2. Was the data unencrypted, or encrypted with a key that was itself compromised?
  3. Does the incident meet the state's trigger (unauthorized acquisition, or in some states mere unauthorized access)?
  4. Which states' residents are affected, and does the count in each state exceed that state's regulator notification threshold?
  5. Do federal sector rules (HIPAA, the FTC Health Breach Notification Rule, SEC disclosure rules, card brand rules) add deadlines or recipients on top of the state requirements?

The absence of a single unified federal breach notification statute means that an organization experiencing a breach affecting residents in 40 states must simultaneously satisfy 40 state statutory schemes alongside any applicable federal sector rules, a compliance burden that drives significant investment in legal and technical response infrastructure.
