U.S. Data Breach Notification Laws — State-by-State Reference Table
Current as of April 2026 · For Informational Purposes Only — Not Legal Advice
Every U.S. state and the federal government require data‑breach notifications, but the exact rules differ by jurisdiction. States vary on timing, who must be notified, what counts as personal information, and whether the Attorney General must be notified. Federally, requirements depend on sector‑specific laws (HIPAA, GLBA, etc.).
Of the 51 jurisdictions in the state table below (the 50 states and the District of Columbia), 20 states specify numeric deadlines ranging from 30 to 60 days, while the remaining 31 use qualitative language such as “without unreasonable delay” or “most expedient time possible.” Federal sector-specific requirements — including HIPAA, GLBA, SEC disclosure rules, and the forthcoming CIRCIA critical infrastructure reporting mandate — are included as separate rows at the end of this document.
State Notification Requirements
| State | Deadline | Notification Requirements |
| --- | --- | --- |
| Alabama | 45 days | Notify affected residents and AG. AG notification required if 1,000+ residents affected. Must also notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, or financial account info. |
| Alaska | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG if breach involves information about state residents. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, or financial account info. |
| Arizona | 45 days | Notify affected individuals and AG. AG notification required within 45 days if 1,000+ residents affected. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, financial account, health insurance, or biometric data. |
| Arkansas | Most expedient time possible, without unreasonable delay | Notify affected residents. No AG notification required by statute. Covers name + SSN, DL#, or financial account info. |
| California | 30 days (effective Jan 1, 2026, per SB 446) | Notify affected residents within 30 days. Must notify AG within 15 days of consumer notification if 500+ residents affected. Must notify consumer reporting agencies if 500+ affected. Covers name + SSN, DL#, financial account, medical info, health insurance info, biometric data, or login credentials. |
| Colorado | 30 days | Notify affected residents within 30 days of determination. Must notify AG if 500+ residents affected. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, financial account, medical info, health insurance info, or biometric data. |
| Connecticut | 60 days | Notify affected residents within 60 days. Must notify AG within 60 days. Must provide free credit monitoring for SSN breaches. Covers name + SSN, DL#, financial account, medical info, health insurance info, biometric data, or login credentials. |
| Delaware | 60 days | Notify affected residents within 60 days. Must notify AG if 500+ residents affected. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, financial account info, or login credentials. |
| District of Columbia | Most expedient time possible, without unreasonable delay | Notify affected residents and AG. AG notification required if 50+ residents affected. Must provide 18 months of identity theft protection for SSN breaches. Private right of action with treble damages. Covers name + SSN, DL#, financial account, passport, taxpayer ID, military ID, medical info, biometric data, genetic info, or health insurance info. |
| Florida | 30 days | Notify affected residents within 30 days of determination. Must notify AG within 30 days if 500+ residents affected. Fines of $1,000/day for first 30 days, then $50,000 per 30-day period, capped at $500,000. Covers name + SSN, DL#, financial account, medical info, or health insurance info. |
| Georgia | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify consumer reporting agencies if 10,000+ affected. No specific AG notification requirement. Covers name + SSN, DL#, or financial account info. |
| Hawaii | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG (Office of Consumer Protection). Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, or financial account info. Covers paper records in addition to electronic data. |
| Idaho | Most expedient time possible | Notify affected residents. No AG notification required by statute. Covers name + SSN, DL#, or financial account info. |
| Illinois | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG if breach involves information about state residents. Covers name + SSN, DL#, financial account, medical info, health insurance info, biometric data, or login credentials. Illinois BIPA provides separate biometric data protections with private right of action ($1,000–$5,000 per violation). |
| Indiana | 45 days | Notify affected residents within 45 days. Must notify AG. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, financial account info, or login credentials. |
| Iowa | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG within 5 business days of notifying consumers. Covers name + SSN, DL#, financial account info, or login credentials. |
| Kansas | Most expedient time possible, without unreasonable delay | Notify affected residents. No specific AG notification requirement. Covers name + SSN, DL#, or financial account info. |
| Kentucky | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG and consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, or financial account info. |
| Louisiana | 60 days | Notify affected residents within 60 days of discovery. Must notify AG and consumer reporting agencies if 1,000+ affected. Penalties up to $5,000 per violation. Covers name + SSN, DL#, financial account, passport, or biometric data. |
| Maine | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG if any residents affected (no minimum threshold). Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, financial account info, or login credentials. |
| Maryland | Most expedient time possible, without unreasonable delay (but no later than 45 days) | Notify affected residents. Must notify AG before notifying consumers. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, financial account, medical info, health insurance info, biometric data, or login credentials. |
| Massachusetts | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG and Director of Consumer Affairs and Business Regulation. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, or financial account info. |
| Michigan | Most expedient time possible, without unreasonable delay | Notify affected residents. No specific AG notification requirement. Covers name + SSN, DL#, or financial account info. |
| Minnesota | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG. Must notify consumer reporting agencies if 500+ affected. Covers name + SSN, DL#, or financial account info. |
| Mississippi | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG if 250+ residents affected. Covers name + SSN, DL#, financial account, medical info, or health insurance info. |
| Missouri | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG if 1,000+ affected. Covers name + SSN, DL#, financial account, medical info, or health insurance info. |
| Montana | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG. Covers name + SSN, DL#, financial account info, medical info, or taxpayer ID. |
| Nebraska | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG. Covers name + SSN, DL#, financial account info, or login credentials. |
| Nevada | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG if breach involves NV resident data. Covers name + SSN, DL#, financial account, medical ID, or login credentials. |
| New Hampshire | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, or financial account info. |
| New Jersey | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify State Police. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, or financial account info. |
| New Mexico | 45 days | Notify affected residents within 45 days. Must notify AG within 45 days if breach involves NM resident data. Covers name + SSN, DL#, financial account, medical info, health insurance info, biometric data, or login credentials. |
| New York | 30 days (effective Dec 2024) | Notify affected residents within 30 days. Must notify AG, Department of State, and Division of State Police. Must notify consumer reporting agencies if 5,000+ affected. Covers name + SSN, DL#, financial account, biometric data, or login credentials. SHIELD Act imposes reasonable security requirements. |
| North Carolina | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG if 1,000+ residents affected. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, or financial account info. |
| North Dakota | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG if 250+ residents affected. Covers name + SSN, DL#, financial account, medical info, health insurance info, or login credentials. |
| Ohio | 45 days | Notify affected residents within 45 days. Must notify AG if breach involves OH resident data. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, or financial account info. |
| Oklahoma | Without unreasonable delay (revised by SB 626, effective Jan 1, 2026) | Notify affected residents without unreasonable delay. Must notify AG within 60 days of consumer notification if 500+ affected. Covers name + SSN, DL#, financial account, biometric data, or electronic identifier + access code. Penalties up to $150,000 per breach; reasonable safeguards defense available. |
| Oregon | 45 days | Notify affected residents within 45 days. Must notify AG within 45 days if 250+ residents affected. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, financial account, passport, biometric data, medical info, or health insurance info. |
| Pennsylvania | Most expedient time possible, without unreasonable delay | Notify affected residents. No specific AG notification required. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, or financial account info. |
| Rhode Island | 45 days | Notify affected residents within 45 days. Must notify AG within 45 days. Must provide free credit monitoring for SSN breaches (minimum 12 months). Covers name + SSN, DL#, financial account, medical info, health insurance info, or login credentials. |
| South Carolina | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG and consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, financial account, or other identifying number. |
| South Dakota | 60 days | Notify affected residents within 60 days. Must notify AG within 60 days if 250+ residents affected. Covers name + SSN, DL#, financial account, medical info, health insurance info, or login credentials. |
| Tennessee | 45 days | Notify affected residents within 45 days. Must notify AG and consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, or financial account info. |
| Texas | 60 days | Notify affected residents within 60 days. Must notify AG within 60 days if 250+ residents affected. Penalties up to $100–$250,000 per breach. Covers name + SSN, DL#, financial account, medical info, health insurance info, or login credentials. |
| Utah | Most expedient time possible, without unreasonable delay | Notify affected residents. Must notify AG. Covers name + SSN, DL#, or financial account info. |
| Vermont | 45 days | Notify affected residents within 45 days. Must notify AG within 14 business days of discovery. Must notify consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, financial account, medical info, or login credentials. |
| Virginia | Without unreasonable delay (no later than 60 days after investigation) | Notify affected residents. Must notify AG and consumer reporting agencies if 1,000+ affected. Covers name + SSN, DL#, financial account, medical info, health insurance info, passport, military ID, or biometric data. |
| Washington | 30 days | Notify affected residents within 30 days of discovery. Must notify AG within 30 days if 500+ residents affected. Must notify consumer reporting agencies if 500+ affected. Covers name + SSN, DL#, financial account, medical info, health insurance info, biometric data, or login credentials. |
| West Virginia | Most expedient time possible, without unreasonable delay | Notify affected residents. No specific AG notification required. Covers name + SSN, DL#, or financial account info. |
| Wisconsin | 45 days | Notify affected residents within 45 days. No specific AG notification required. Covers name + SSN, DL#, financial account, DNA profile, or login credentials. |
| Wyoming | Most expedient time possible | Notify affected residents. Must notify AG. Covers name + SSN, DL#, or financial account info. |
Federal Requirements
| Law | Deadline | Notification Requirements |
| --- | --- | --- |
| HIPAA Breach Notification Rule | 60 days from discovery | Covered entities (healthcare providers, health plans, clearinghouses) and business associates must notify affected individuals, HHS, and media (if 500+ in a state/jurisdiction). Breaches of fewer than 500 individuals may be batched and reported to HHS annually. Applies to unsecured (unencrypted) protected health information (PHI). Tiered penalties from $145 to $73,011 per violation. |
| GLBA / FTC Safeguards Rule | 30 days from discovery | Non-bank financial institutions under FTC jurisdiction must notify the FTC within 30 days of discovering a breach involving unencrypted information of 500+ consumers. Civil penalties of $53,088 per violation. Effective May 13, 2024. |
| Banking Regulators (OCC/FDIC/Fed) | 36 hours from determination | Banks and depository institutions must notify their primary federal regulator within 36 hours of determining a “notification incident” has occurred. Bank service providers must notify affected banking organization customers as soon as possible. |
| SEC Cybersecurity Disclosure | 4 business days from materiality determination | Publicly traded companies must file Form 8-K within 4 business days of determining a cybersecurity incident is material. Must also include annual cybersecurity risk disclosures in Form 10-K. |
| FTC Health Breach Notification Rule | 60 days | Health apps, fitness trackers, and personal health record vendors outside HIPAA must notify consumers, FTC, and media (if 500+ affected). Penalties of $53,088 per violation. |
| CIRCIA (Critical Infrastructure) | 72 hours for incidents; 24 hours for ransomware payments (final rule pending) | Critical infrastructure operators across 16 sectors must report significant cyber incidents within 72 hours and ransomware payments within 24 hours to CISA. Note: As of early 2026, final implementing regulations are still being finalized. |
This document is for informational purposes only and does not constitute legal advice. Data breach notification laws are complex and fact-specific. Requirements depend on the specific data compromised, the nature of the breach, applicable exemptions, and other factors. Always consult qualified legal counsel when responding to an actual or suspected data breach. Laws current as of April 2026.

