Data Breach Notification in the United States and Territories

Given the daily barrage of data breaches impacting consumers, Americans are increasingly demanding stronger privacy protections. In 2002, California became the first state to recognize the need for individuals to be made aware when their data is exposed in security incidents. Sixteen years later, in 2018, South Dakota and Alabama finally became the 49th and 50th states, respectively, to enact data breach notification statutes to protect their residents.

However, not every American enjoys the same level of protections in their respective state. We took a close look at the current landscape of data breach notification statutes across the country, and identified key disparities in the level of protections that each statute affords.

Our analysis compares each state’s data breach notification statutes along key provisions, including:

  • definition of breach;
  • definition of personally identifiable information;
  • form of data covered;
  • whether the statute covers paper records;
  • whether the statute covers encrypted data when the encryption key has been accessed or acquired;
  • what entities are covered by the statute;
  • whether notification triggers after discovery or after reasonable investigation;
  • whether there is a risk of harm trigger for notification;
  • how consumers are notified;
  • what must be included in the notice;
  • whom entities must notify;
  • whether the state publishes breach data publicly;
  • whether individuals have a private right of action for violations;
  • whether there are exceptions to the notification obligation if entity complies with other laws (HIPPA, GLB, etc);
  • whether there is flexibility in notification if the entity maintains equivalent or stronger policy; and
  • penalties for violations.


Download the Full Report (pdf)


Additionally, we have created an advocate’s overview to our nation’s various data breach notification laws in the form of an interactive maps series. These visual representations will help you to see how a state stacks up against the rest of the country in different key areas of data breach notification.



Having trouble viewing the interactive maps? Click here to view them on our Tableau Public profile.


The underlying data used to populate our maps is also available for download. (tab-delimited txt)

This report was researched and compiled by Maddie Ladner (our 2018 legal intern).