Breach Notification Requirements by State: Complete 2026 Guide
The definitive reference for data breach notification laws across all 50 US states, the District of Columbia, and US territories. Timelines, AG requirements, statutes, and what makes each state unique.
The Patchwork Problem
The United States does not have a single, comprehensive federal data breach notification law. Instead, organizations face a patchwork of 50+ state and territory laws, each with its own definitions, timelines, notification triggers, and penalties. For organizations that operate across state lines — which today means virtually every business — this creates a compliance nightmare.
When a breach occurs, you may need to comply with dozens of different notification requirements simultaneously. Missing a deadline in even one state can result in significant fines, lawsuits, and regulatory scrutiny. This guide is designed to give you a clear, actionable overview of every state's requirements so you can respond quickly and correctly.
Notification timelines range from as little as 30 days (Colorado, Florida, Maine, Rhode Island, Washington) to the more common "without unreasonable delay" standard. Many states also require separate notification to the state Attorney General, consumer reporting agencies, or both — often with different thresholds for when those obligations kick in.
Key Takeaways
No single federal breach notification law exists. Organizations must comply with the specific laws of every state where affected individuals reside.
Timelines range from 30 to 90 days, with "without unreasonable delay" being the most common standard across states. The strictest states (CO, FL, ME, RI, WA) require notification within 30 days.
Most states require Attorney General notification, often with different thresholds (e.g., 250+, 500+, or 1,000+ affected individuals). Some states like New Jersey require AG notification before notifying individuals.
Penalties range from $100 to $750,000+ per violation, with some states like Florida imposing fines of up to $500,000 per breach. Class action lawsuits can add millions more in liability.
State-by-State Breach Notification Requirements
All 50 states plus the District of Columbia.
| State | Timeline | AG Notification | Statute | Notable Provisions |
|---|---|---|---|---|
| Alabama | 45 days | Yes (1,000+ affected) | SB 318 | Requires notification to AG and credit reporting agencies if 1,000+ affected |
| Alaska | Without unreasonable delay | Yes | AS 45.48.010 | Applies to personal information held by any person or entity |
| Arizona | 45 days | Yes (1,000+ affected) | ARS 18-552 | Includes online account credentials in definition of personal information |
| Arkansas | Without unreasonable delay | No | AR Code 4-110-105 | Applies to computerized data containing personal information |
| California | Most expedient time possible | Yes (500+ affected) | CA Civil Code 1798.82 | Broadest definition of personal information; requires specific notification format |
| Colorado | 30 days | Yes | CRS 6-1-716 | One of the strictest timelines in the nation; includes biometric data |
| Connecticut | 60 days | Yes | CGS 36a-701b | AG must be notified no later than the time individuals are notified |
| Delaware | 60 days | Yes (500+ affected) | 6 Del. C. 12B-102 | Requires notification to credit reporting agencies if 500+ affected |
| Florida | 30 days | Yes | FL Stat 501.171 | One of the strictest timelines; penalties up to $500,000 per breach |
| Georgia | Without unreasonable delay | No | GA Code 10-1-912 | Applies to information brokers and data collectors |
| Hawaii | Without unreasonable delay | No | HRS 487N-2 | Covers government agencies and businesses equally |
| Idaho | Without unreasonable delay | Yes | ID Code 28-51-105 | Notification must be made within a reasonable time frame |
| Illinois | Without unreasonable delay | Yes | 815 ILCS 530/10 | Includes BIPA biometric data; AG notification required |
| Indiana | Without unreasonable delay | Yes | IC 24-4.9-3-3 | AG must be notified prior to or simultaneously with individuals |
| Iowa | Without unreasonable delay | Yes (500+ affected) | Iowa Code 715C.2 | Notification to consumer reporting agencies if 500+ affected |
| Kansas | Without unreasonable delay | No | KS Stat 50-7a02 | Allows substitute notice if cost exceeds $100,000 |
| Kentucky | Without unreasonable delay | Yes | KRS 365.732 | Includes notification to AG and consumer reporting agencies |
| Louisiana | 60 days | Yes | La RS 51:3074 | Covers personal information in computerized and non-computerized form |
| Maine | 30 days | Yes | 10 MRSA 1348 | One of the strictest timelines; requires credit monitoring in certain cases |
| Maryland | 45 days | Yes | MD Com Law 14-3504 | Includes health information and insurance policy numbers |
| Massachusetts | Without unreasonable delay | Yes | MGL c93H s3 | Requires detailed report to AG including nature of breach and remediation steps |
| Michigan | Without unreasonable delay | No | MCLA 445.72 | Applies to any person or agency that owns or licenses data |
| Minnesota | Without unreasonable delay | No | MN Stat 325E.61 | Requires notification to consumer reporting agencies for large breaches |
| Mississippi | Without unreasonable delay | Yes | MS Code 75-24-29 | AG notification required; includes biometric data |
| Missouri | Without unreasonable delay | Yes (1,000+ affected) | MO Rev Stat 407.1500 | AG notification if breach affects 1,000+ Missouri residents |
| Montana | Without unreasonable delay | Yes | MCA 30-14-1704 | Includes tax identification numbers and medical information |
| Nebraska | Without unreasonable delay | Yes | NE Rev Stat 87-803 | AG must be notified before or at same time as individuals |
| Nevada | Without unreasonable delay | No | NRS 603A.220 | Requires data collectors to implement reasonable security measures |
| New Hampshire | Without unreasonable delay | Yes | NH RSA 359-C:20 | AG must be notified immediately; includes credit monitoring requirement |
| New Jersey | Without unreasonable delay | Yes (before individuals) | NJSA 56:8-163 | AG and state police must be notified before individuals |
| New Mexico | 45 days | Yes | NM Stat 57-12C-6 | Includes biometric data; AG notification within 45 days |
| New York | Most expedient time possible | Yes | NY GBL 899-aa | SHIELD Act expanded definition of breach and private information |
| North Carolina | Without unreasonable delay | Yes (1,000+ affected) | NCGS 75-65 | Consumer reporting agency notification if 1,000+ affected |
| North Dakota | Without unreasonable delay | Yes (250+ affected) | NDCC 51-30-02 | AG notification required if 250+ residents affected |
| Ohio | 45 days | Yes | ORC 1349.19 | Requires notification to consumer reporting agencies for large breaches |
| Oklahoma | Without unreasonable delay | Yes | 24 OS 163 | AG notification required; includes security freeze provisions |
| Oregon | 45 days | Yes (250+ affected) | ORS 646A.604 | AG notification if 250+ affected; includes vendor notification requirements |
| Pennsylvania | Without unreasonable delay | No | 73 PS 2303 | No AG notification required; applies to state agencies and businesses |
| Rhode Island | 30 days | Yes | RI Gen Laws 11-49.3-4 | Strict 30-day timeline; includes identity theft protection requirements |
| South Carolina | Without unreasonable delay | Yes (1,000+ affected) | SC Code 39-1-90 | Consumer reporting agency notification if 1,000+ affected |
| South Dakota | 60 days | Yes | SDCL 22-40-21 | AG notification required; includes protection services requirement |
| Tennessee | 45 days | Yes | TN Code 47-18-2107 | AG notification required; includes insurance account information |
| Texas | 60 days | Yes (250+ affected) | TX Bus & Com Code 521.053 | AG notification if 250+ Texas residents affected |
| Utah | 60 days | Yes | UC 13-44-202 | AG notification required; includes cybersecurity affirmative defense |
| Vermont | 45 days | Yes | 9 VSA 2435 | AG and department of financial regulation notification required |
| Virginia | 60 days | Yes | VA Code 18.2-186.6 | AG and consumer reporting agency notification required |
| Washington | 30 days | Yes | RCW 19.255.010 | One of the strictest timelines; enhanced requirements for health data |
| West Virginia | Without unreasonable delay | No | WV Code 46A-2A-102 | Applies to individuals and entities that own or license data |
| Wisconsin | 45 days | Yes | WI Stat 134.98 | Notification to consumer reporting agencies required |
| Wyoming | Without unreasonable delay | No | WY Stat 40-12-502 | Applies to individuals and commercial entities |
| District of Columbia | Without unreasonable delay | Yes | DC Code 28-3852 | AG notification required; includes credit monitoring provisions |
Federal Breach Notification Laws
In addition to state laws, several federal regulations impose breach notification requirements on specific industries. These requirements apply in addition to — not instead of — state law obligations.
HIPAA (Health Insurance Portability and Accountability Act)
Requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media within 60 days of discovering a breach of unsecured protected health information (PHI).
Applies to: Healthcare providers, health plans, healthcare clearinghouses, and their business associates
GLBA (Gramm-Leach-Bliley Act)
Financial institutions must notify affected customers as soon as reasonably practicable when their nonpublic personal information has been compromised. The FTC Safeguards Rule requires notification within 30 days.
Applies to: Banks, credit unions, insurance companies, securities firms, and other financial institutions
SEC Cybersecurity Disclosure Rules
Publicly traded companies must disclose material cybersecurity incidents within four business days via Form 8-K. Annual disclosures about risk management and governance are also required.
Applies to: All publicly traded companies registered with the SEC
FTC Health Breach Notification Rule
Requires vendors of personal health records and related entities not covered by HIPAA to notify consumers, the FTC, and in some cases the media following a breach of unsecured health information.
Applies to: Health apps, fitness trackers, and other non-HIPAA-covered health data handlers
FERPA (Family Educational Rights and Privacy Act)
While FERPA does not have a specific breach notification requirement, institutions must document breaches and may face penalties including loss of federal funding for failure to protect education records.
Applies to: Educational institutions receiving federal funding
Best Practices for Multi-State Notification
Navigating 50+ different notification laws is complex. These best practices will help you stay compliant and minimize risk.
Notify Early, Not Late
When you operate across multiple states, always comply with the shortest applicable deadline. If you have customers in Colorado, Florida, Maine, Rhode Island, or Washington, your effective deadline is 30 days.
Engage Legal Counsel Immediately
Breach notification is a legal minefield. Engage experienced data privacy counsel within the first 24 hours to determine which state laws apply and what your specific obligations are.
Use the Shortest Deadline as Your Standard
Rather than tracking different deadlines for different states, adopt the most restrictive timeline as your company-wide standard. This simplifies compliance and reduces risk.
Document Everything
Maintain detailed records of when the breach was discovered, your investigation steps, your risk assessment, and all notification decisions. This documentation is critical if regulators investigate.
Prepare Notification Templates in Advance
Don't wait for a breach to draft notification letters. Create templates that comply with the most restrictive state requirements so you can move quickly when time is of the essence.
Consider Offering Credit Monitoring Proactively
Even when not legally required, offering free credit monitoring demonstrates good faith and can reduce litigation risk. Many states are moving toward requiring this, so staying ahead of the curve is wise.