U.S. State Breach Notification Resource

Breach notification laws require organizations to alert individuals when their personal data is compromised in a security incident. The first such law was enacted in California in 2002 and took effect in 2003; Alabama was the last state to adopt one, in 2018. Together these laws now form a de facto nationwide framework, though one with significant state-by-state variation.

A notable feature of these laws is their relatively narrow definition of “personal information.” Unlike the broader definitions found in newer comprehensive state privacy laws, breach notification statutes traditionally focus on data elements most directly linked to identity theft and financial fraud.

For example, Hawaii’s law has one of the narrowest scopes. It defines personal information as an individual’s first name or initial and last name in combination with a Social Security number, a driver’s license or state ID number, or financial account details (an account number, credit or debit card number, access code, or password that would permit access to the individual’s financial account). Hawaii is also one of a minority of states whose law reaches paper records in some cases; most states limit their requirements to computerized data.

Even the broadest breach notification laws still leave out large categories of modern digital data. Illinois and California add elements such as medical information and biometric data, and California also covers genetic data and automated license plate recognition data. Strictly read, however, most laws would not cover a breach of someone’s full search history, location history, cookie data, IP addresses, browsing behavior, or purchasing records, even when that data is linked to an identifiable person. Only Connecticut and Florida explicitly include geolocation data among their breach notification triggers.

This stands in sharp contrast to modern comprehensive privacy laws, such as Virginia’s Consumer Data Protection Act, which defines “personal data” far more broadly as “any information that is linked or reasonably linkable to an identified or identifiable natural person.”

Breach notification laws generally apply broadly to private-sector entities with few exemptions. Most cover any person or business entity — including nonprofits — that acquires or uses covered personal information. Many also extend to state and local governments, sometimes through separate statutes.

Every state provides an encryption safe harbor: notification is not required if the compromised data was encrypted, and several states (Iowa, for example) spell out that the safe harbor is lost if the decryption key was also compromised. Many laws likewise excuse notice for properly redacted data. Before relying on this exception, an organization should confirm that the keys were not stored on, or reachable from, the compromised system, and should document that finding in the incident record.

Thirty-four states require notification to the state attorney general, typically once a breach affects more than a threshold number of residents (250 in states such as North Dakota and Oregon; 1,000 in many others). A few states, including Connecticut and New York, require AG notice regardless of how many residents are affected.

Approximately 30 states incorporate a “harm standard,” under which notification is not required unless the breach has caused, or is reasonably likely to cause, harm to the affected individuals. These standards vary widely:

– Some states (e.g., Arkansas, Oregon, Louisiana) excuse notice where there is “no reasonable likelihood” of harm or consumers are “unlikely” to suffer harm.
– Others (e.g., Alabama, Idaho) require notice only if harm is “reasonably likely.”
– Maine’s law ties notification to whether misuse of the data has occurred or is reasonably possible.
– A smaller group of states, including California, Georgia, Illinois, Massachusetts, Minnesota, North Dakota, and Texas, have no harm threshold at all and require notice in nearly all cases.

These differences complicate compliance for organizations whose breaches affect residents of many states. Because conflicting harm standards often cannot be reconciled, organizations tend to settle on one of two postures: notify whenever the question is doubtful, or notify only where a statute clearly requires it. Most breach notification laws provide no private right of action but are enforceable by state attorneys general.

Written by: Captain Compliance