State Breach Notification Laws: 50-State Comparison and How to Track Deadlines

TL;DR

  • All 50 states have data breach notification laws. They don’t agree on deadlines, covered data types, or what counts as a breach.
  • California, New York, Florida, Colorado, and Washington all require notification within 30 days. HIPAA’s 60-day window is a floor, not a ceiling.
  • California SB 446 (effective January 1, 2026) added a firm 30-day consumer deadline and a 15-day AG notification requirement for larger breaches.
  • Over 90% of breach enforcement actions are multistate efforts. Missing one state’s deadline can trigger a coordinated multi-AG response.
  • Build your incident response timeline around the most stringent applicable jurisdiction — not the most forgiving one.

The moment a breach is confirmed, clocks start running. Not one clock — potentially 50. Each with different deadlines, different definitions of “personal information,” different regulator contacts, and different penalty structures.

If you designed your breach response process around HIPAA’s 60-day window, you’ve probably been operating with a false sense of safety. Twenty states have shorter deadlines. Six states require notification in 30 days or less. And the trend since 2020 has been universally toward shorter timelines and larger penalties.

Here’s the practical map.

The Baseline: All 50 States Are Now Covered

As of 2026, every U.S. state has enacted a data breach notification law. The District of Columbia, Puerto Rico, and Guam have laws as well. There is no jurisdiction in the continental United States where a covered breach doesn’t trigger notification obligations.

The uniformity ends there. State laws diverge on:

  • Notification deadlines (30 days to “without unreasonable delay”)
  • What counts as personal information (some states include biometrics, account credentials, or medical information beyond HIPAA scope)
  • What triggers the law (unauthorized acquisition vs. access vs. disclosure)
  • Who must be notified (affected individuals, state AG, regulators, consumer reporting agencies)
  • Format requirements (some states specify minimum content for notification letters)

The Notification Deadline Spectrum

Twenty states (approximately 39% of jurisdictions) specify a numeric deadline for consumer notification. The rest use qualitative language — typically “without unreasonable delay” or “in the most expedient time possible” — which courts and regulators tend to interpret as 45-60 days in practice.

States with 30-Day Deadlines (Strictest Tier)

State        Deadline   Key Notes
California   30 days    SB 446 effective Jan 1, 2026; also requires AG notification within 15 days if 500+ residents affected
Colorado     30 days    Also requires notification to Colorado AG
Florida      30 days    30 days to notify individuals; 30 days to notify FDLE and AG
Maine        30 days    One of the earliest states to adopt a firm numeric deadline
New York     30 days    Requires notification to AG, DFS, and consumer reporting agencies
Washington   30 days    Covers biometric and health data beyond HIPAA scope

For NYDFS-regulated entities in New York, the window is even tighter: a separate 72-hour notification requirement applies for cybersecurity events under Part 500, independent of the state breach law.

States with 45-Day Deadlines

State          Deadline
Alabama        45 days
Arizona        45 days
Indiana        45 days
New Mexico     45 days
Ohio           45 days
Oregon         45 days
Rhode Island   45 days
Tennessee      45 days
Vermont        45 days
Wisconsin      45 days

States with 60-Day Deadlines

State          Deadline
Connecticut    60 days
Delaware       60 days
Louisiana      60 days
South Dakota   60 days
Texas          60 days

States Using Qualitative Deadlines

The remaining states — approximately 29 — use “without unreasonable delay,” “most expedient time possible,” or similar language. This sounds permissive. It isn’t.

Regulators in these states have consistently interpreted “without unreasonable delay” to mean 45 to 60 days in practice. Waiting longer requires documented justification — typically a law enforcement request to delay notification or ongoing forensic investigation that has not yet established scope.

The Federal Layer: HIPAA, GLBA, and How They Interact

HIPAA’s 60-Day Window

HIPAA requires covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates to notify affected individuals within 60 calendar days of discovering a breach. This is the federal baseline.

HIPAA explicitly does not preempt stricter state laws. The statute preserves state law where the state provides greater protections than HIPAA. This means:

  • A California hospital with a HIPAA breach must notify affected patients within 30 days (under SB 446), not 60.
  • A Colorado health plan must notify within 30 days regardless of HIPAA’s longer window.
  • A Florida covered entity must notify within 30 days.

The practical rule: design your breach notification process around the fastest applicable state law, not HIPAA. Meeting the strictest applicable deadline satisfies all less-stringent requirements.

For large breaches (500 or more residents of a given state), HIPAA also requires notification to the Secretary of HHS. States like California and New York add their own AG notification requirements on top of this.

GLBA and Financial Institutions

The FTC’s revised Safeguards Rule (effective 2023) requires non-bank financial institutions to notify the FTC within 30 days of discovering a breach involving 500 or more customers. This requirement runs parallel to state law obligations — both must be satisfied.

NYDFS-regulated financial entities face the most layered obligation stack: the 72-hour Part 500 cybersecurity event notice, the 30-day New York state breach law, the FTC Safeguards Rule notification (if applicable), and any federal prudential regulator requirements.

What Changed in 2026

California SB 446 (Effective January 1, 2026)

California’s existing breach law (Civil Code §1798.82) already required “expedient” notification. SB 446 made it concrete. Effective January 1, 2026:

  • 30-day deadline: Covered entities must notify affected California residents within 30 calendar days of discovering a reportable breach.
  • AG notification: If the breach affects more than 500 California residents, the entity must provide a sample copy of the consumer notification to the California Attorney General within 15 days of notifying affected individuals.
  • Broader data scope: The law continues to cover a wide range of personal information, including account credentials, biometric data, and medical information.

For any company with California customers — which is nearly every national consumer-facing business — SB 446 effectively tightens your external deadline to 30 days from discovery.

Oklahoma SB 626 (Effective January 1, 2026)

Oklahoma substantially revised its breach notification statute effective January 1, 2026. Key changes align Oklahoma’s law more closely with the strictest state frameworks, including expanded definitions of personal information and clearer notification requirements.

The Enforcement Reality: State AGs Are Your Primary Risk

The CFPB is constrained under the current administration. Federal privacy enforcement has slowed. But state attorneys general are moving in the opposite direction.

Over 90% of data breach enforcement actions are now brought as multistate collaborative efforts — multiple AGs coordinating investigation, demands, and settlement terms. When you miss a breach notification deadline in one state, you’re rarely dealing with just one state’s AG.

Recent enforcement examples illustrate the stakes:

  • NYDFS $2 million fine: For failure to notify within 72 hours of a cybersecurity event as required under Part 500. The cybersecurity regulation notification requirement is separate from — and stricter than — the state breach law.
  • Massachusetts AG $795,000 settlement: Against a property management company that unlawfully delayed required data breach notifications to Massachusetts residents.
  • New York civil penalties: Up to $5,000 or $20 per affected individual (whichever is greater), capped at $250,000 per breach event.
  • California civil penalties: $75,000 for entities that fail to implement reasonable safeguards; up to $150,000 for entities without safeguards or proper notice.

The multistate enforcement mechanism is important to understand. Because most companies operate in multiple states, a breach affecting residents in California, New York, and Texas simultaneously triggers notification obligations in all three. If your timeline satisfies Texas (60 days) but not California (30 days), the California AG can act — and will likely coordinate with other AGs who receive similar complaints.

How to Build a Notification-Ready Incident Response Process

The standard incident response lifecycle — detect, contain, investigate, remediate, notify — has a timing problem. Many organizations don’t activate their legal and compliance notification process until the technical investigation is complete. At that point, you may already be inside a 30-day window with no documentation, no draft notifications, and no AG contacts on file.

A notification-ready process activates much earlier.

The First 24 Hours: Activate, Don’t Wait

Within 24 hours of confirming a potential breach (even before scope is established):

  1. Activate your breach counsel — attorney-client privilege is essential to protect investigation communications
  2. Start the jurisdiction clock — begin mapping which states’ residents may be affected based on what you know now
  3. Open your notification tracking log — document discovery date, time, and who was informed
  4. Pull your state deadline matrix — identify the most stringent applicable deadline

You don’t need to know the full scope to know that you’re inside a 30-day window in California. That determination should happen on day one.

The Jurisdiction Matrix: Build It Before You Need It

Every organization with multi-state operations should maintain a pre-built jurisdiction matrix covering:

Column                What to Include
State                 All states where you have resident customers, employees, or data subjects
Deadline              Numeric deadline or “without unreasonable delay”
Covered Data Types    Which categories of PII trigger the law
Regulator Contact     AG office, DFS, or other notification recipient
Notification Format   Any required minimum content or format
Penalty               Civil penalty structure

This document belongs in your incident response plan alongside your escalation tree and vendor contacts. Hunting for each state’s law during an active incident is a way to miss deadlines.

Pre-Draft Your Notification Templates

State laws vary in what they require notification letters to include. Common requirements:

  • Description of what happened
  • Types of information involved
  • Steps taken to protect individuals
  • Steps affected individuals can take to protect themselves
  • Contact information for questions

Some states (California, Maryland) require specific content elements. Others (Delaware) require credit monitoring offers for certain breach types. Pre-drafting template language for your most likely breach scenarios — credential theft, unauthorized database access, ransomware with confirmed data exfiltration — means you’re filling in variables during an incident, not writing from scratch.

Law Enforcement Delay: Know the Rules

Most state breach laws include a provision allowing notification to be delayed at the request of law enforcement if notification would impede a criminal investigation. This exception is narrow:

  • It requires an actual law enforcement request (not an assumption that law enforcement might prefer delay)
  • It applies only as long as law enforcement requests the delay — and law enforcement will specify the timeframe
  • It does not eliminate the notification obligation; it defers it
  • It does not apply to NYDFS’s 72-hour cybersecurity event notification requirement

Document any law enforcement delay request in writing. If law enforcement contacts you orally, confirm in writing immediately.
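A small deadline calculator that turns the jurisdiction matrix and the law enforcement delay rules above into a timeline: it picks the strictest consumer deadline across affected states, layers on the regulator notices the article gives firm dates for (NYDFS 72 hours, California AG 15 days after consumer notice under SB 446, Florida FDLE/AG 30 days), and applies a law enforcement delay only to the obligations it can defer. This is an added example, not code from the article or the RiskTemplates kit; the two-letter state codes, the 45-day planning figure for qualitative states, the “more than 500 residents” threshold for the California AG notice, and the sample discovery date are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Consumer-notice deadlines (days) from the article's tables. States not listed
# use qualitative language; they are planned at 45 days, the low end of the
# 45-60 day range regulators apply in practice (planning assumption).
NUMERIC_DEADLINES = {
    **dict.fromkeys(["CA", "CO", "FL", "ME", "NY", "WA"], 30),
    **dict.fromkeys(["AL", "AZ", "IN", "NM", "OH", "OR", "RI", "TN", "VT", "WI"], 45),
    **dict.fromkeys(["CT", "DE", "LA", "SD", "TX"], 60),
}
QUALITATIVE_PLANNING_DAYS = 45


@dataclass
class Obligation:
    regulator: str
    due: datetime
    deferrable: bool  # may a documented law-enforcement request push this date?


def consumer_deadline(discovery_iso: str, states) -> tuple[str, datetime]:
    """Return (governing state, due date): the strictest deadline wins."""
    discovery = datetime.fromisoformat(discovery_iso)
    days = {s: NUMERIC_DEADLINES.get(s, QUALITATIVE_PLANNING_DAYS) for s in states}
    state = min(days, key=lambda s: (days[s], s))  # ties broken alphabetically
    return state, discovery + timedelta(days=days[state])


def build_timeline(discovery_iso: str, affected: dict, nydfs_regulated=False, le_delay_days=0):
    """affected maps state -> resident count. Returns obligations sorted by due date."""
    discovery = datetime.fromisoformat(discovery_iso)
    state, consumer_due = consumer_deadline(discovery_iso, affected)
    consumer_due += timedelta(days=le_delay_days)  # LE request defers, never removes
    timeline = [Obligation(f"consumers ({state} governs)", consumer_due, True)]
    if nydfs_regulated:  # Part 500 event notice: 72 hours, not subject to LE delay
        timeline.append(Obligation("NYDFS Part 500", discovery + timedelta(hours=72), False))
    if affected.get("CA", 0) > 500:  # SB 446: sample notice to CA AG within 15 days of consumer notice
        timeline.append(Obligation("California AG (SB 446)", consumer_due + timedelta(days=15), True))
    if "FL" in affected:  # Florida: 30 days to FDLE and AG, measured from discovery
        timeline.append(Obligation("Florida FDLE and AG", discovery + timedelta(days=30 + le_delay_days), True))
    return sorted(timeline, key=lambda o: o.due)


if __name__ == "__main__":
    # Constructed sample incident: discovered 2026-03-01, residents of CA, TX and MA affected
    for o in build_timeline("2026-03-01T09:00", {"CA": 1200, "TX": 5000, "MA": 300}):
        print(f"{o.due:%Y-%m-%d %H:%M}  {o.regulator}  deferrable={o.deferrable}")
```

Extend NUMERIC_DEADLINES and the regulator branches from your own jurisdiction matrix as laws change; the structure is the point, not the hard-coded values.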

How to Stay Current as Laws Change

State breach laws have been amended or expanded in every year since 2018. Maintaining a static jurisdiction matrix is not enough. Build a monitoring process:

Subscription resources:

  • The IAPP State Breach Notification Chart
  • NCSL’s state breach law tracker

Internal triggers for matrix review:

  • January 1 of each year — review for laws taking effect with the new year
  • After any multistate enforcement action in your industry
  • When expanding operations into a new state

The incident response plan template at this site includes a breach notification tracking section, but every team should build a living jurisdiction matrix that gets reviewed at least annually.

So What Does This Mean for Your Program?

Breach notification compliance is a timing discipline more than a legal knowledge problem. Most organizations know notifications are required. The failures happen because:

  1. The legal team doesn’t activate until the technical investigation is “done” — by which point the 30-day clock is already more than halfway expired
  2. The jurisdiction matrix doesn’t exist or is out of date, so the team wastes time during the incident figuring out which deadlines apply
  3. Notification templates aren’t pre-drafted, so drafting consumes the time that should go to review and approval
  4. The AG notification requirement is missed because the team focused only on consumer notification

Fix these four things and you’re ahead of most of the enforcement actions that have gone badly for organizations.


The Incident Response & Breach Notification Kit includes a 50-state breach notification deadline tracker, pre-drafted notification letter templates, a state AG contact directory, and a HIPAA/state law crosswalk. Updated for 2026 law changes including California SB 446.


Frequently Asked Questions

Do all 50 states have data breach notification laws?

Yes. All 50 states have enacted data breach notification laws, along with the District of Columbia, Puerto Rico, and Guam. The laws vary significantly in notification deadlines, covered data types, triggering definitions, and penalty structures.

Which states have the shortest breach notification deadlines?

Several states require notification to affected individuals within 30 days: California (effective January 1, 2026, per SB 446), Colorado, Florida, New York, Washington, and Maine. NYDFS additionally imposes a 72-hour cybersecurity incident notification requirement for regulated entities under Part 500.

How does HIPAA interact with state breach notification laws?

HIPAA gives covered entities 60 days to notify affected individuals, but HIPAA does not preempt stricter state laws. If you operate in a state with a 30-day deadline, you must meet that faster timeline for state law purposes. Align your breach response process to the most stringent applicable deadline.

What are the penalties for missing a breach notification deadline?

Penalties vary by state. California imposes civil penalties of $75,000 to $150,000 per breach. New York can impose up to $250,000. The Massachusetts AG obtained a $795,000 fine for delayed notifications. NYDFS imposed a $2 million fine for failure to notify within 72 hours of a cybersecurity event.

What changed in breach notification law in 2026?

California’s SB 446 (effective January 1, 2026) added a firm 30-day deadline to notify individuals and requires the California AG to be notified within 15 days of notifying affected consumers if more than 500 residents are impacted. Oklahoma’s SB 626 (also effective January 1, 2026) substantially revised the state’s breach notification requirements.

How should compliance teams track breach notification deadlines across multiple states?

Build a jurisdiction matrix listing each state’s deadline, triggering data types, regulator contact, and required notice format. Subscribe to the IAPP State Breach Notification Chart and NCSL’s breach law tracker for updates. Your incident response plan should activate a notification tracking checklist within 24 hours of breach discovery, before you’ve confirmed scope.

Rebecca Leung


Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
