State Data Breach Notification Laws

If your business has a data breach affecting Alabama residents, you must tell them within 45 days. If more than 1,000 people are affected, you also notify the Attorney General.

If you have a data breach affecting Alaskans, notify them as quickly as possible. No specific deadline, but "expedient" is key.

Arizona gives you 45 days to notify affected residents after determining a breach occurred. If more than 1,000 Arizona residents are affected, you must also notify the Attorney General. The law also requires proper disposal of personal information when you no longer need it.

Arkansas businesses must notify residents quickly after a breach. No exact deadline, but don't drag your feet.

If your business has a data breach affecting California residents, you must tell them "in the most expedient time possible" - which usually means within 72 hours of discovering the breach. If more than 500 Californians are affected, you also have to notify the Attorney General. California takes privacy seriously and has some of the strictest rules in the country.

Colorado requires 30-day breach notification and, with the new Colorado Privacy Act, has joined California and Virginia as states with comprehensive privacy laws. If you have data on Colorado residents, you need to comply with both breach notification AND privacy requirements.

Connecticut gives you 60 days to notify affected residents. The state AG must also be notified. New privacy law adds extra requirements.

Delaware gives you 60 days to notify affected residents. If 500+ people are affected, also notify the Attorney General.

Florida has one of the stricter breach notification laws with a hard 30-day deadline. If your business has a breach affecting Florida residents, you must notify them within 30 days. If 500+ Floridians are affected, you must also report to the state. Fines can reach $500,000 for violations.

Georgia requires "most expedient time possible" notification for breaches. While there's no specific day count, delays will be scrutinized. If you're classified as an information broker (businesses that collect and sell data), you have extra reporting requirements.

Hawaii requires quick notification but doesn't set a specific deadline. Don't delay - notify affected residents promptly.

Idaho says notify affected residents as quickly as possible. No specific deadline, but speed matters.

Illinois takes data protection seriously. If you have a breach affecting Illinois residents, you must notify them "as fast as possible" - no specific deadline, but delays can trigger penalties. For biometric data (fingerprints, face scans), Illinois has the strictest law in the country with $1,000-$5,000 fines PER violation.

Indiana requires you to notify the Attorney General of every breach and notify affected residents without unreasonable delay.

Iowa gives you 60 days to notify affected residents. AG notification also required.

Kansas wants you to notify affected residents as quickly as possible. No specific deadline, but act fast.

Kentucky says notify affected residents without unreasonable delay. Also notify the AG.

Louisiana gives you 60 days to notify affected residents. Also notify the AG.

Maine has a strict 30-day deadline for notification. The Department of Professional and Financial Regulation must also be notified.

Maryland gives you 45 days to notify affected residents and the Attorney General. Stricter than many states.

Massachusetts is one of the strictest states for data protection. If you have data on Massachusetts residents, you need a Written Information Security Program (WISP) - not just breach notification procedures. Breaches must be reported "as soon as practicable" to both affected individuals and the Attorney General.

Michigan requires breach notification "without unreasonable delay" - there's no specific deadline, but prompt action is expected. The law also requires you to have security procedures in place and properly dispose of personal information when you no longer need it.

Minnesota wants fast notification without a specific deadline. New consumer data privacy requirements add protections.

Mississippi requires prompt notification but doesn't specify an exact deadline. Just don't delay.

Missouri says notify affected residents without unreasonable delay. AG notification also required.

Montana requires quick notification without a specific deadline. New privacy law adds consumer rights.

Nebraska wants fast notification. Also requires notifying the AG.

Nevada wants quick notification and has specific requirements for data brokers too.

New Hampshire gives you a maximum of 60 days to notify affected residents. Notify the AG too.

New Jersey has a 30-day hard deadline for breach notification. If you have a breach affecting New Jersey residents, you must notify them within 30 days of confirming the breach occurred. The law covers a broad range of personal information.

New Mexico gives you 45 days to notify affected residents. AG notification also required.

If you have data on New York residents, you must notify them "in the most expedient time possible" after a breach. The SHIELD Act also requires you to have a security program protecting their data - this applies even if your business isn't based in NY. Fines can reach $5,000 per violation.

North Carolina is strict about breach notification. You must notify affected residents "without unreasonable delay" and then notify the state within 24 HOURS of notifying residents. If SSNs were exposed, you must provide free credit monitoring. Waiver provisions that limit liability are void.

North Dakota wants quick notification. Also requires notifying the AG.

Ohio is unique: if you implement a strong cybersecurity program (like NIST or CIS Controls), you get legal protection if you're sued over a breach. Notification must happen "as fast as possible." Ohio actually rewards good security practices instead of just punishing breaches.

Oklahoma requires prompt notification without a specific deadline. Just don't delay.

Oregon gives you 45 days to notify affected residents. AG notification required too.

Pennsylvania requires notification "without unreasonable delay" - while there's no hard deadline, the expectation is prompt action. Recent updates expanded what counts as "personal information" and added requirements to notify the state when significant breaches occur.

Rhode Island gives you 45 days to notify affected residents. Also requires notifying the AG.

South Carolina requires prompt notification without a specific deadline for most businesses.

South Dakota gives you 60 days to notify affected residents. AG notification also required.

Tennessee wants quick notification without a specific deadline. Notify residents as soon as possible.

If your business has a data breach affecting Texas residents, you need to notify them "as quickly as possible" - Texas law requires it without unnecessary delay. If more than 250 Texans are affected, you must also notify the Attorney General. Texas takes data protection seriously, with fines up to $250,000 per breach.

Utah wants fast notification. New privacy law adds consumer rights similar to California.

Vermont gives you 45 days to notify affected residents. AG notification also required.

Virginia has both breach notification AND comprehensive privacy requirements. If you do business with Virginia consumers and meet certain thresholds, you must comply with the VCDPA privacy law in addition to breach notification rules. Notification must happen "without unreasonable delay."

Washington has a 30-day deadline for breach notifications. If your breach affects more than 500 Washington residents, you must also notify the Attorney General. The state keeps a public database of all reported breaches, so transparency is key.

West Virginia requires prompt notification without a specific deadline.

Wisconsin gives you 45 days to notify affected residents.

Wyoming wants quick notification without a specific deadline.