All 50 states (plus the District of Columbia, Puerto Rico, Guam and the U.S. Virgin Islands) have data breach notification laws. Roughly 20 states set a numeric deadline of 30 to 60 days to notify affected individuals; the rest require notice "without unreasonable delay." Most also require notice to the state attorney general once a breach crosses a resident-count threshold (commonly 250, 500 or 1,000). For a multi-state incident, you comply with each affected person's home-state law, and the strictest applicable clock governs your timeline.
Every state has a law now
The patchwork is complete: Alabama and South Dakota were the last states to adopt breach-notification statutes, in 2018, so there is no longer any U.S. jurisdiction without one. What differs is the detail: deadlines, which regulators must be told, what data elements trigger the duty, risk-of-harm exceptions, and penalties. That's why a single incident touching customers in a dozen states is mapped state by state rather than handled under one national rule.
Who you must notify
A breach can trigger up to three separate audiences, each with its own trigger:
- Affected individuals. Required in every state when personal information is acquired or accessed without authorization.
- The state attorney general (or a designated agency). Required in roughly 36 states once the number of affected residents crosses a threshold.
- Consumer reporting agencies. Typically required when 1,000 or more residents are affected in a single incident, following the federal FACTA standard.
Notification deadlines by state
The table below groups each jurisdiction's consumer-notice deadline. States without a fixed day-count require notice in the "most expedient time possible and without unreasonable delay." Because the strictest applicable clock governs a multi-state breach, national businesses should build their response around the 30-day floor.
| Jurisdiction | Consumer-notice deadline | Notable |
|---|---|---|
| Alabama | 45 days | — |
| Alaska | Without unreasonable delay | — |
| Arizona | 45 days | — |
| Arkansas | Without unreasonable delay | — |
| California | 30 days | — |
| Colorado | 30 days | — |
| Connecticut | 60 days | — |
| Delaware | 60 days | — |
| District of Columbia | Without unreasonable delay | — |
| Florida | 30 days | — |
| Georgia | Without unreasonable delay | — |
| Hawaii | Without unreasonable delay | — |
| Idaho | Without unreasonable delay | — |
| Illinois | Without unreasonable delay | — |
| Indiana | 45 days | — |
| Iowa | Without unreasonable delay | — |
| Kansas | Without unreasonable delay | — |
| Kentucky | Without unreasonable delay | — |
| Louisiana | 60 days | — |
| Maine | 30 days | — |
| Maryland | 45 days | — |
| Massachusetts | Without unreasonable delay | Risk-of-harm standard; rolling notice expected |
| Michigan | Without unreasonable delay | — |
| Minnesota | Without unreasonable delay | — |
| Mississippi | Without unreasonable delay | — |
| Missouri | Without unreasonable delay | — |
| Montana | Without unreasonable delay | — |
| Nebraska | Without unreasonable delay | — |
| Nevada | Without unreasonable delay | — |
| New Hampshire | Without unreasonable delay | — |
| New Jersey | 30 days | — |
| New Mexico | 45 days | — |
| New York | Without unreasonable delay | SHIELD Act: notify AG, State Police & Dept. of State |
| North Carolina | Without unreasonable delay | — |
| North Dakota | Without unreasonable delay | — |
| Ohio | 45 days | — |
| Oklahoma | Without unreasonable delay | AG notice added 2026 (SB 626), 500+ residents |
| Oregon | 45 days | — |
| Pennsylvania | Without unreasonable delay | — |
| Rhode Island | 45 days | — |
| South Carolina | Without unreasonable delay | — |
| South Dakota | 60 days | — |
| Tennessee | 45 days | — |
| Texas | 60 days | — |
| Utah | Without unreasonable delay | — |
| Vermont | 45 days | — |
| Virginia | Without unreasonable delay | — |
| Washington | 30 days | — |
| West Virginia | Without unreasonable delay | — |
| Wisconsin | 45 days | — |
| Wyoming | Without unreasonable delay | — |
Deadline tiers reflect statutes as of early 2026 (Privacy Rights Clearinghouse 50-State Survey 2026, IAPP, and state amendments including California SB 446 and Oklahoma SB 626). Several states use a risk-of-harm trigger; verify the current statute before relying on any single date.
Attorney-general thresholds
Regulator notice usually kicks in at a resident-count threshold, and the deadline for the AG filing can differ from the consumer deadline. A few well-known examples:
| State | AG-notice trigger | AG-notice timing |
|---|---|---|
| Texas | 250+ residents | Within 30 days; filed to a public breach portal |
| California | 500+ residents | Within 15 days of individual notice (SB 446, 2026) |
| Colorado | 500+ residents | With individual notice |
| Oklahoma | 500+ residents | Within 60 days of individual notice (SB 626, 2026) |
| Indiana | 500+ residents | Without unreasonable delay |
| Many states | 1,000+ residents | Plus consumer reporting agencies (FACTA) |
What counts as "personal information"
Every state covers the classic combination of a person's name plus at least one of: Social Security number, driver's license or state-ID number, or a financial account or payment-card number. A growing set of states has expanded the definition to include medical and health information, biometric data, online account credentials, and government-issued identifiers. Some states also apply a risk-of-harm analysis (notice is owed when the incident creates a real risk of identity theft or fraud), while others require notice regardless of assessed harm.
Substitute notice
When you can't reach affected people directly (contact information is unavailable, or the cost of individual notice would exceed a statutory ceiling (commonly 50,000–00,000) or the number of people is very large), most states allow substitute notice: a conspicuous notice posted on your website plus notification to statewide media. Many of the largest breaches in recent years used substitute notice to reach tens of millions of people.
Federal overlays
State law is only half the map. Depending on your sector and data, federal rules layer on top, often with shorter clocks:
| Regime | Applies to | Key obligation |
|---|---|---|
| HIPAA / HITECH | Health plans, providers, business associates | Notify affected individuals and HHS; media notice for 500+ in a state |
| GLBA | Financial institutions | Safeguards Rule; customer notice of unauthorized access |
| SEC Reg S-P | Broker-dealers, RIAs, investment companies | Incident-response program & customer notification requirements |
| SEC public-company rule | SEC registrants | Disclose material incidents on Form 8-K within 4 business days of materiality |
| CIRCIA | Critical-infrastructure entities | Report incidents to CISA within 72 hours; ransom payments within 24 hours (final rule pending in 2026) |
What changed for 2026
Two amendments stand out. California's SB 446 (effective January 1, 2026) replaced the old "without unreasonable delay" standard with a hard 30-calendar-day deadline to notify residents, and requires notice to the attorney general within 15 days of notifying individuals when 500 or more Californians are affected. Oklahoma's SB 626 expanded covered data to include biometrics and government IDs and added an attorney-general notification requirement for breaches affecting 500 or more residents. Both track a clear national trend toward shorter clocks, broader data definitions, and mandatory regulator notice.
How cyber insurance responds
Meeting these obligations is expensive and time-sensitive, which is exactly what breach-response coverage is for. A cyber policy funds the breach coach (privacy counsel) who maps your notification duties across every affected state, the notification and call-center costs, credit monitoring or identity-protection services for affected individuals, and regulatory defense if an attorney general opens an inquiry. In practice, the coverage is as much about the expert response team it puts on the phone at hour zero as it is about the dollars. See our coverage overview and ransomware guide for how these pieces fit together.
Frequently asked
Do all 50 states require breach notification?
Yes: all 50 states plus DC, Puerto Rico, Guam and the U.S. Virgin Islands. Alabama and South Dakota were the last to adopt, in 2018.
What is the deadline to notify after a data breach?
It depends on the state. About 20 states set a fixed deadline of 30 to 60 days; the rest require notice "without unreasonable delay." For a multi-state breach, plan around the strictest applicable deadline, currently 30 days.
When do I have to notify the attorney general?
In roughly 36 states, once affected residents exceed a threshold, commonly 250, 500 or 1,000, depending on the state. Texas requires AG notice at 250 residents within 30 days; California and several others trigger at 500.