US State Data Breach Notification Chart
This chart provides information on US state and territory data breach notification laws.
Contributors:
Jim Dempsey
Lecturer, UC Berkeley Law; Managing Director, Cybersecurity Law Center
IAPP
Cheryl Saniuk-Heinig
CIPP/E, CIPP/US, CIPM
Former research and insights analyst, IAPP
Stephanie Forbes
Former IAPP Summer Privacy Fellow
Ian Scanlon
CIPP/US
Legal extern
IAPP
Additional Insights
Sending notices to consumers when their personal data has been compromised in a cyber incident is probably the most familiar aspect of cybersecurity law, both to data governance professionals and consumers. In the U.S., the first state law requiring notice was enacted by California in 2002 and became effective in 2003. Alabama was last, adopting its law in 2018. Now all 50 states plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands have breach notice laws. In effect, these laws constitute a nationwide mandate — but with variations that complicate compliance.
This resource summarizes all 54 state breach notification laws in simple chart format, with links to the texts of the laws themselves. Among other issues, practitioners should pay special attention to the definitions of personal information, requirements to notify state attorneys general in addition to affected consumers, and deadlines. Note also that a few of the statutes allow for a private right of action in case of noncompliance, while attorneys general across all jurisdictions frequently cite the statutes in their enforcement actions following breaches.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.