INCIDENT RESPONSE · 50 STATES + DC · UPDATED 2026

US data breach notification laws — every state in one place

You just discovered a breach. You have hours, not days, to plan the multi-state notification. Find your residents' deadlines, AG-filing thresholds, encryption safe harbors, private-right-of-action exposure, and penalty schedules for every US state and the District of Columbia.

Browse states Free incident-response policy audit
51
Jurisdictions covered
37
Require state-AG notification
14
Allow private lawsuits by residents
30 days
Strictest deadlines (CO, FL, ME, WA, PA)

The 4 things every multi-state breach team gets wrong

  1. Sequencing — Maryland and New Jersey require AG/State-Police notice BEFORE residents. Louisiana requires AG within 10 days AFTER residents. Most other states require simultaneous filing.
  2. Harm threshold — California, Illinois, Tennessee and Minnesota are largely no-harm-threshold states (notify on acquisition). Other states allow a documented "no reasonable risk" exception — but the documentation must be retained 3-5 years.
  3. PI definition — Each state defines "personal information" differently. Washington and Wyoming include date of birth; Wisconsin includes DNA; Illinois has separate BIPA exposure for biometrics; New York's SHIELD Act covers unauthorized ACCESS (not just acquisition).
  4. Vendor flowdowns — If you are the processor, most states (e.g. Alabama) require you to notify the controller within 10 days — NOT the residents directly. Misrouting notification is itself a violation.
Alabama (AL)
45d
Ala. Code §§8-38-1 to 8-38-12 (Alabama Data Breach Notification Act of 2018)
AG noticeEncryption safe harbor
Open law →
Alaska (AK)
ASAP
Alaska Stat. §§45.48.010–45.48.090 (Personal Information Protection Act)
Private suitEncryption safe harbor
Open law →
Arizona (AZ)
45d
Ariz. Rev. Stat. §18-552
AG noticeEncryption safe harbor
Open law →
Arkansas (AR)
ASAP
Ark. Code §§4-110-101 to 4-110-108 (Personal Information Protection Act)
AG noticeEncryption safe harbor
Open law →
California (CA)
ASAP
Cal. Civ. Code §§1798.29 (state agencies), 1798.82 (businesses), 1798.84 (private action)
AG noticePrivate suitEncryption safe harbor
Open law →
Colorado (CO)
30d
Colo. Rev. Stat. §6-1-716
AG noticeEncryption safe harbor
Open law →
Connecticut (CT)
60d
Conn. Gen. Stat. §36a-701b
AG noticeEncryption safe harbor
Open law →
Delaware (DE)
60d
6 Del. C. §§12B-101 to 12B-104
AG noticeEncryption safe harbor
Open law →
District of Columbia (DC)
60d
D.C. Code §§28-3851 to 28-3853 (Consumer Personal Information Security Breach Notification Act)
AG noticePrivate suitEncryption safe harbor
Open law →
Florida (FL)
30d
Fla. Stat. §501.171 (Florida Information Protection Act)
AG noticeEncryption safe harbor
Open law →
Georgia (GA)
ASAP
Ga. Code §§10-1-910 to 10-1-915
Encryption safe harbor
Open law →
Hawaii (HI)
ASAP
Haw. Rev. Stat. §§487N-1 to 487N-7
AG noticePrivate suitEncryption safe harbor
Open law →
Idaho (ID)
ASAP
Idaho Code §§28-51-104 to 28-51-107
Encryption safe harbor
Open law →
Illinois (IL)
ASAP
815 ILCS 530/1 et seq. (Personal Information Protection Act)
AG noticeEncryption safe harbor
Open law →
Indiana (IN)
ASAP
Ind. Code §§24-4.9-1 to 24-4.9-5
AG noticeEncryption safe harbor
Open law →
Iowa (IA)
ASAP
Iowa Code §§715C.1, 715C.2
AG noticeEncryption safe harbor
Open law →
Kansas (KS)
ASAP
Kan. Stat. §50-7a02
Encryption safe harbor
Open law →
Kentucky (KY)
ASAP
Ky. Rev. Stat. §365.732
Encryption safe harbor
Open law →
Louisiana (LA)
60d
La. Rev. Stat. §§51:3071 to 51:3077 (Database Security Breach Notification Law)
AG noticePrivate suitEncryption safe harbor
Open law →
Maine (ME)
30d
10 M.R.S.A. §§1346 to 1349
AG noticeEncryption safe harbor
Open law →
Maryland (MD)
45d
Md. Code Com. Law §§14-3501 to 14-3508 (Personal Information Protection Act)
AG noticeEncryption safe harbor
Open law →
Massachusetts (MA)
ASAP
Mass. Gen. Laws ch. 93H §§1–6 + 201 CMR 17.00 (WISP regulations)
AG noticeEncryption safe harbor
Open law →
Michigan (MI)
ASAP
Mich. Comp. Laws §§445.63, 445.72 (Identity Theft Protection Act)
Encryption safe harbor
Open law →
Minnesota (MN)
30d
Minn. Stat. §§325E.61, 325E.64 (Plastic Card Security Act)
AG noticePrivate suitEncryption safe harbor
Open law →
Mississippi (MS)
ASAP
Miss. Code §75-24-29
Encryption safe harbor
Open law →
Missouri (MO)
ASAP
Mo. Rev. Stat. §407.1500
AG noticeEncryption safe harbor
Open law →
Montana (MT)
ASAP
Mont. Code §§30-14-1701 to 30-14-1736
AG noticePrivate suitEncryption safe harbor
Open law →
Nebraska (NE)
ASAP
Neb. Rev. Stat. §§87-801 to 87-807
AG noticeEncryption safe harbor
Open law →
Nevada (NV)
ASAP
Nev. Rev. Stat. §§603A.010 to 603A.290 + SB 220 (Nevada Privacy Law)
Encryption safe harbor
Open law →
New Hampshire (NH)
ASAP
N.H. Rev. Stat. §§359-C:19 to 359-C:21
AG noticePrivate suitEncryption safe harbor
Open law →
New Jersey (NJ)
ASAP
N.J. Stat. §56:8-163
AG noticeEncryption safe harbor
Open law →
New Mexico (NM)
45d
N.M. Stat. §§57-12C-1 to 57-12C-12 (Data Breach Notification Act)
AG noticeEncryption safe harbor
Open law →
New York (NY)
ASAP
N.Y. Gen. Bus. Law §899-aa + §899-bb (SHIELD Act, eff. 2020)
AG noticeEncryption safe harbor
Open law →
North Carolina (NC)
ASAP
N.C. Gen. Stat. §§75-60 to 75-65 (Identity Theft Protection Act)
AG noticePrivate suitEncryption safe harbor
Open law →
North Dakota (ND)
ASAP
N.D. Cent. Code §§51-30-01 to 51-30-07
AG noticeEncryption safe harbor
Open law →
Ohio (OH)
45d
Ohio Rev. Code §§1349.19, 1347.12 (state agencies)
Encryption safe harbor
Open law →
Oklahoma (OK)
ASAP
24 Okla. Stat. §§161 to 166 (Security Breach Notification Act)
Encryption safe harbor
Open law →
Oregon (OR)
45d
Ore. Rev. Stat. §§646A.600 to 646A.628 (Consumer Identity Theft Protection Act / Oregon Consumer Information Protection Act)
AG noticeEncryption safe harbor
Open law →
Pennsylvania (PA)
30d
73 Pa. C.S. §§2301 to 2330 (Breach of Personal Information Notification Act)
AG noticeEncryption safe harbor
Open law →
Rhode Island (RI)
45d
R.I. Gen. Laws §§11-49.3-1 to 11-49.3-6 (Identity Theft Protection Act of 2015)
AG noticePrivate suitEncryption safe harbor
Open law →
South Carolina (SC)
ASAP
S.C. Code §39-1-90
AG noticePrivate suitEncryption safe harbor
Open law →
South Dakota (SD)
60d
S.D. Codified Laws §§22-40-19 to 22-40-26
AG noticeEncryption safe harbor
Open law →
Tennessee (TN)
45d
Tenn. Code §47-18-2107
Private suitEncryption safe harbor
Open law →
Texas (TX)
60d
Tex. Bus. & Com. Code §521.053 (Identity Theft Enforcement and Protection Act); TDPSA §541.107 (privacy law)
AG noticeEncryption safe harbor
Open law →
Utah (UT)
ASAP
Utah Code §§13-44-101 to 13-44-301 (Protection of Personal Information Act)
AG noticeEncryption safe harbor
Open law →
Vermont (VT)
45d
9 V.S.A. §§2430, 2435 (Security Breach Notice Act)
AG noticeEncryption safe harbor
Open law →
Virginia (VA)
ASAP
Va. Code §18.2-186.6 (also §32.1-127.1:05 for medical info)
AG noticePrivate suitEncryption safe harbor
Open law →
Washington (WA)
30d
Wash. Rev. Code §19.255.010 (amended by HB 1071, 2020 expansion)
AG noticePrivate suitEncryption safe harbor
Open law →
West Virginia (WV)
ASAP
W. Va. Code §§46A-2A-101 to 46A-2A-105
Encryption safe harbor
Open law →
Wisconsin (WI)
45d
Wis. Stat. §134.98
Encryption safe harbor
Open law →
Wyoming (WY)
ASAP
Wyo. Stat. §§40-12-501 to 40-12-509
Encryption safe harbor
Open law →

One breach. 51 jurisdictions. A 72-hour clock.

Run a free audit of your privacy policy and incident-response language against every state breach notification statute and we'll surface every gap before you have to use it for real.

Run free policy audit