State Data Breach Notification Chart
This chart provides information on US state and territory data breach notification laws.
Published: March 2021
U.S. data breach notification laws vary across all 50 states and U.S. territories. Each law must be applied to every factual scenario to determine if a notification requirement is triggered.
To assist practitioners, the IAPP created a chart containing information from each state or territory’s data breach notification law concerning entities that own, control or process personal data. The main sheet of this chart, titled “All Data – Alphabetical,” lists all states followed by U.S. territories and contains:
- A hyperlink to the state’s notification statute.
- The timeframe in which notification to impacted individuals is required.
- Any exceptions to notification requirements.
- If and when notification must be made to a state agency, consumer protection agency or consumer reporting agency.
- Special forms or language that must be included in the notice.
- Whether the statute provides for a private right of action.
Each column can be filtered to allow notification laws with certain features to be hidden or prioritized. As a starting point, a practitioner could filter the “Timeframe for Breach Notification” column to identify which states have the shortest notification window to further investigate the state-specific requirements. For convenience, the IAPP has also included subsequent sheets with three categories of pre-sorted data:
- Shortest notification timeframe.
- Requires attorney general notification (ranked from the lowest number of impacted individuals to highest).
- Requires consumer reporting agency notification (ranked from the lowest number of impacted individuals to highest).
This chart does not include exceptions to or additional compliance requirements with federal laws, such as the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act. Additionally, an entity must determine if it owns, controls or licenses “personally identifiable information” before it can determine if the “personally identifiable information” was compromised in a “breach” (compared to a security “event” or “incident”), which will be uniquely defined by each law.
NOTE: This tool is for informational purposes only and is not legal advice. State requirements, including any recent changes, should always be verified via official sources. Requirements, if there is a security event, incident or breach, will vary depending on the specific facts, locations and circumstances.