50-state reference

Data breach notification laws by state

Every U.S. state now requires businesses to notify people when their personal data is breached — but the deadlines, thresholds and definitions differ in all 51 jurisdictions. Here is the framework, the state-by-state deadlines, and the federal rules that sit on top.

The short version

All 50 states — plus the District of Columbia, Puerto Rico, Guam and the U.S. Virgin Islands — have data breach notification laws. Roughly 20 states set a numeric deadline of 30 to 60 days to notify affected individuals; the rest require notice "without unreasonable delay." Most also require notice to the state attorney general once a breach crosses a resident-count threshold (commonly 250, 500 or 1,000). For a multi-state incident, you comply with each affected person's home-state law, and the strictest applicable clock governs your timeline.

Important: This is a plain-language reference for planning, not legal advice. Breach-notification law is fact-specific and changes frequently. When an actual or suspected breach occurs, engage qualified counsel and verify the current statute for every affected jurisdiction. Authoritative trackers include the IAPP state chart and each state attorney general's office.

Every state has a law now

The patchwork is complete: Alabama and South Dakota were the last states to adopt breach-notification statutes, in 2018, so there is no longer any U.S. jurisdiction without one. What differs is the detail — deadlines, which regulators must be told, what data elements trigger the duty, risk-of-harm exceptions, and penalties. That's why a single incident touching customers in a dozen states is mapped state by state rather than handled under one national rule.

Who you must notify

A breach can trigger up to three separate audiences, each with its own trigger:

  • Affected individuals. Required in every state when personal information is acquired or accessed without authorization.
  • The state attorney general (or a designated agency). Required in roughly 36 states once the number of affected residents crosses a threshold.
  • Consumer reporting agencies. Typically required when 1,000 or more residents are affected in a single incident, following the federal FACTA standard.

Notification deadlines by state

The table below groups each jurisdiction's consumer-notice deadline. States without a fixed day-count require notice in the "most expedient time possible and without unreasonable delay." Because the strictest applicable clock governs a multi-state breach, national businesses should build their response around the 30-day floor.

| Jurisdiction | Consumer-notice deadline | Notable |
|---|---|---|
| Alabama | 45 days | |
| Alaska | Without unreasonable delay | |
| Arizona | 45 days | |
| Arkansas | Without unreasonable delay | |
| California | 30 days | |
| Colorado | 30 days | |
| Connecticut | 60 days | |
| Delaware | 60 days | |
| District of Columbia | Without unreasonable delay | |
| Florida | 30 days | |
| Georgia | Without unreasonable delay | |
| Hawaii | Without unreasonable delay | |
| Idaho | Without unreasonable delay | |
| Illinois | Without unreasonable delay | |
| Indiana | 45 days | |
| Iowa | Without unreasonable delay | |
| Kansas | Without unreasonable delay | |
| Kentucky | Without unreasonable delay | |
| Louisiana | 60 days | |
| Maine | 30 days | |
| Maryland | 45 days | |
| Massachusetts | Without unreasonable delay | Risk-of-harm standard; rolling notice expected |
| Michigan | Without unreasonable delay | |
| Minnesota | Without unreasonable delay | |
| Mississippi | Without unreasonable delay | |
| Missouri | Without unreasonable delay | |
| Montana | Without unreasonable delay | |
| Nebraska | Without unreasonable delay | |
| Nevada | Without unreasonable delay | |
| New Hampshire | Without unreasonable delay | |
| New Jersey | 30 days | |
| New Mexico | 45 days | |
| New York | Without unreasonable delay | SHIELD Act — notify AG, State Police & Dept. of State |
| North Carolina | Without unreasonable delay | |
| North Dakota | Without unreasonable delay | |
| Ohio | 45 days | |
| Oklahoma | Without unreasonable delay | AG notice added 2026 (SB 626), 500+ residents |
| Oregon | 45 days | |
| Pennsylvania | Without unreasonable delay | |
| Rhode Island | 45 days | |
| South Carolina | Without unreasonable delay | |
| South Dakota | 60 days | |
| Tennessee | 45 days | |
| Texas | 60 days | |
| Utah | Without unreasonable delay | |
| Vermont | 45 days | |
| Virginia | Without unreasonable delay | |
| Washington | 30 days | |
| West Virginia | Without unreasonable delay | |
| Wisconsin | 45 days | |
| Wyoming | Without unreasonable delay | |

Deadline tiers reflect statutes as of early 2026 (Privacy Rights Clearinghouse 50-State Survey 2026, IAPP, and state amendments including California SB 446 and Oklahoma SB 626). Several states use a risk-of-harm trigger; verify the current statute before relying on any single date.

Attorney-general thresholds

Regulator notice usually kicks in at a resident-count threshold, and the deadline for the AG filing can differ from the consumer deadline. A few well-known examples:

| State | AG-notice trigger | AG-notice timing |
|---|---|---|
| Texas | 250+ residents | Within 30 days; filed to a public breach portal |
| California | 500+ residents | Within 15 days of individual notice (SB 446, 2026) |
| Colorado | 500+ residents | With individual notice |
| Oklahoma | 500+ residents | Within 60 days of individual notice (SB 626, 2026) |
| Indiana | 500+ residents | Without unreasonable delay |
| Many states | 1,000+ residents | Plus consumer reporting agencies (FACTA) |

Why the portal matters: In states like Texas, the AG filing becomes searchable public record — your incident is discoverable the moment you report it. That's one reason breach response is coordinated with counsel and communications from hour zero.

What counts as "personal information"

Every state covers the classic combination of a person's name plus at least one of: Social Security number, driver's license or state-ID number, or a financial account or payment-card number. A growing set of states has expanded the definition to include medical and health information, biometric data, online account credentials, and government-issued identifiers. Some states also apply a risk-of-harm analysis — notice is owed when the incident creates a real risk of identity theft or fraud — while others require notice regardless of assessed harm.

Substitute notice

When you can't reach affected people directly — contact information is unavailable, or the cost of individual notice would exceed a statutory ceiling (commonly 50,000–00,000) or the number of people is very large — most states allow substitute notice: a conspicuous notice posted on your website plus notification to statewide media. Many of the largest breaches in recent years used substitute notice to reach tens of millions of people.

Federal overlays

State law is only half the map. Depending on your sector and data, federal rules layer on top — often with shorter clocks:

| Regime | Applies to | Key obligation |
|---|---|---|
| HIPAA / HITECH | Health plans, providers, business associates | Notify affected individuals and HHS; media notice for 500+ in a state |
| GLBA | Financial institutions | Safeguards Rule; customer notice of unauthorized access |
| SEC Reg S-P | Broker-dealers, RIAs, investment companies | Incident-response program & customer notification requirements |
| SEC public-company rule | SEC registrants | Disclose material incidents on Form 8-K within 4 business days of materiality |
| CIRCIA | Critical-infrastructure entities | Report incidents to CISA within 72 hours; ransom payments within 24 hours (final rule pending in 2026) |

What changed for 2026

Two amendments stand out. California's SB 446 (effective January 1, 2026) replaced the old "without unreasonable delay" standard with a hard 30-calendar-day deadline to notify residents, and requires notice to the attorney general within 15 days of notifying individuals when 500 or more Californians are affected. Oklahoma's SB 626 expanded covered data to include biometrics and government IDs and added an attorney-general notification requirement for breaches affecting 500 or more residents. Both track a clear national trend toward shorter clocks, broader data definitions, and mandatory regulator notice.

How cyber insurance responds

Meeting these obligations is expensive and time-sensitive, which is exactly what breach-response coverage is for. A cyber policy funds the breach coach (privacy counsel) who maps your notification duties across every affected state, the notification and call-center costs, credit monitoring or identity-protection services for affected individuals, and regulatory defense if an attorney general opens an inquiry. In practice, the coverage is as much about the expert response team it puts on the phone at hour zero as it is about the dollars. See our coverage overview and ransomware guide for how these pieces fit together.

Frequently asked

Do all 50 states require breach notification?

Yes — all 50 states plus DC, Puerto Rico, Guam and the U.S. Virgin Islands. Alabama and South Dakota were the last to adopt, in 2018.

What is the deadline to notify after a data breach?

It depends on the state. About 20 states set a fixed deadline of 30 to 60 days; the rest require notice "without unreasonable delay." For a multi-state breach, plan around the strictest applicable deadline — currently 30 days.

When do I have to notify the attorney general?

In roughly 36 states, once affected residents exceed a threshold — commonly 250, 500 or 1,000, depending on the state. Texas requires AG notice at 250 residents within 30 days; California and several others trigger at 500.

Laws summarized here reflect statutes as of early 2026 and are provided for general information only, not as legal advice. Verify current requirements with counsel and the relevant attorney general before acting on any breach. Cyber-coverage descriptions are summaries; the policy issued governs.
