
Data Breach Notification — Federal & State Requirements for Reporting Breaches

10 min read·Updated Apr 21, 2026

When an organization experiences a data breach — unauthorized access to or disclosure of personal information — it must notify affected individuals, regulators, and in some cases the media. But unlike most areas of federal law, data breach notification has no single comprehensive federal statute. Instead, notification requirements come from a patchwork of 50 state laws (plus D.C., Guam, Puerto Rico, and the Virgin Islands), sector-specific federal laws (HIPAA for health data, GLBA for financial data), and agency-specific rules (SEC for public companies, FTC for general consumer protection, banking regulators for financial institutions). This fragmented framework means that a single breach may trigger notification obligations under dozens of different laws simultaneously — each with different definitions of "personal information," different notification timelines, different content requirements, and different regulatory recipients.

All 50 states have data breach notification laws — California was first (2003), and Alabama was last (2018). Federal sector-specific requirements include: HIPAA (health data breaches affecting 500+ individuals must be reported to HHS within 60 days and to affected individuals "without unreasonable delay"), GLBA (financial institutions must notify customers and regulators of breaches affecting nonpublic personal information), FERPA (educational records), and the SEC's 2023 cyber incident disclosure rules (public companies must disclose material cybersecurity incidents within 4 business days via Form 8-K).

Efforts to enact a comprehensive federal data breach notification law that would preempt the state patchwork have been introduced in every Congress since 2005 but have never been enacted.

Current Law (2026)

Comprehensive federal law: None — state patchwork + sector-specific federal laws
State laws: All 50 states + D.C. + territories have breach notification statutes
HIPAA: 42 U.S.C. § 17932 — health data breaches; 60-day notification to HHS for 500+ individuals
GLBA: 15 U.S.C. § 6801 et seq. — financial data breaches; FTC Safeguards Rule
SEC: Form 8-K material incident disclosure within 4 business days (public companies)
FTC: Section 5 authority — failure to notify may be an unfair practice; Health Breach Notification Rule for non-HIPAA health data
Common trigger: Unauthorized access to personally identifiable information (PII) — name + SSN, financial account number, driver's license, or other state-defined data

  • 42 U.S.C. § 17932 — HITECH Act breach notification requirements for HIPAA-covered entities and business associates
  • 15 U.S.C. § 6801 et seq. — Gramm-Leach-Bliley Act (financial institution data security and breach notification)
  • 16 C.F.R. Part 318 — FTC Health Breach Notification Rule (non-HIPAA health apps and devices)
  • Form 8-K Item 1.05 — Material cybersecurity incident disclosure (public companies, effective December 2023)
  • State breach notification statutes — 54 separate laws (all 50 states + D.C. + 3 territories)

How It Works

The notification trigger follows a common pattern across most laws: unauthorized acquisition (or in some states, unauthorized access) of unencrypted personal information that creates a reasonable risk of harm. "Personal information" typically means a person's name combined with a sensitive data element — Social Security number, driver's license number, financial account number with access credentials, health information, or biometric data. If the data was encrypted and the encryption key was not compromised, most state laws provide a safe harbor with no notification required. California, New York, and Massachusetts use broader definitions that include email addresses with passwords and biometric data even without a name. Timelines vary sharply by jurisdiction: Florida and Colorado require notification within 30 days; Ohio within 45 days; HIPAA and many states allow 60 days; California says "without unreasonable delay"; and the SEC requires 4 business days from a materiality determination for public companies — the shortest deadline in the regulatory landscape. Most laws allow a reasonable delay for law enforcement investigation if police request it in writing.

Who must be notified depends on the applicable frameworks. Affected individuals almost always must be notified (by written letter or email); approximately 35 states require notification to the state Attorney General (often via online portals); HHS must be notified of HIPAA breaches within 60 days; banking regulators receive notification of financial institution breaches; and consumer reporting agencies must be notified when a breach exceeds state thresholds (typically 500–1,000 residents). The core operational challenge is the patchwork itself: a company whose breach affects customers in all 50 states may have to comply with 54 different notification laws simultaneously — each with different definitions, timelines, content requirements, and regulatory recipients. This compliance complexity is the central argument for a federal breach notification law, though consumer advocates resist preemption of stronger state protections.

How It Affects You

If you receive a data breach notification and want to actually protect yourself: A breach notification letter says your data was exposed — what you do in the next 30 days determines whether that exposure turns into fraud. Immediate steps in priority order:

  1. Place a security freeze at all three bureaus — Equifax (equifax.com/personal/credit-report-services), Experian (experian.com/freeze), and TransUnion (transunion.com/credit-freeze). A freeze is free, can be done online in minutes, and prevents anyone from opening new credit accounts in your name even if they have your SSN and date of birth. Unfreeze temporarily when you need to apply for credit. This is far more protective than credit monitoring alone.
  2. Review the free credit monitoring offered in the breach notice — most large breaches now come with 2 years of monitoring from services like Experian IdentityWorks or Equifax Complete. These are genuinely useful for detecting fraudulently opened accounts — accept the offer and activate it.
  3. Check for free credit reports at annualcreditreport.com (federally mandated — free from all three bureaus) for unfamiliar accounts.
  4. Search haveibeenpwned.com with your email addresses to see which other breaches you're exposed in — this is publicly maintained and free.
  5. Report identity theft through the FTC at identitytheft.gov — they provide a personalized recovery plan and pre-filled dispute letters for creditors.

If you experience actual fraud: file a police report (you'll need it for credit dispute letters), contact the fraud departments of any affected financial institutions, and file complaints with the FTC at ftc.gov/complaint and your state attorney general. Credit card fraud from a breach is typically resolved within 30-60 days by your card issuer; new credit accounts fraudulently opened take longer. Class action settlements for major breaches sometimes produce additional compensation — search for your specific breach name + "class action settlement" periodically over the following 2 years.

If you're a business that has experienced or is preparing for a data breach: The decisions made in the first 72 hours after discovering a breach determine whether your notification costs run $500,000 or $5 million, and whether you face regulatory enforcement. Your incident response plan should be in place before a breach — not drafted during one.

Pre-breach investments that pay off: (1) put an incident response (IR) firm on retainer (CrowdStrike, Mandiant, Palo Alto Unit 42, Coveware for ransomware) — retainer agreements typically provide faster response and better pricing than emergency engagement; (2) retain a breach response law firm in your primary jurisdiction — they know the 54-law multi-state notification matrix and will triage what's required; (3) obtain cyber liability insurance — policies typically cover notification costs, credit monitoring, forensics, and regulatory defense, with claim reporting requirements often as short as 72 hours.

When a breach occurs: preserve all logs and forensic evidence immediately; engage IR and breach counsel simultaneously; start the 30-day clock of the strictest applicable state law (Florida, Colorado) even before you know all affected jurisdictions; assess encryption status for a potential safe harbor; and begin drafting consumer notification letters early — most state laws specify minimum required content. For the SEC's 4-business-day material incident rule: "material" is judged by whether a reasonable investor would consider it important — major ransomware attacks, theft of customer financial data, and breaches compromising core business systems are candidates. You need a documented, written materiality assessment; the 4-business-day filing clock runs from that determination, not from discovery.

If you're a healthcare organization (hospital, clinic, health plan, clearinghouse) or a business associate: HIPAA's Breach Notification Rule (45 CFR Part 164 Subpart D) is the most detailed and most publicly enforced data breach framework in the U.S. Key mechanics: (1) Risk assessment using HIPAA's 4-factor test (nature of the PHI, who accessed it, whether it was actually acquired or viewed, extent of mitigation); if risk is "low probability" of compromise, it's not a reportable breach under HIPAA. (2) Notification timeline: affected individuals must receive written notice without unreasonable delay and in no case later than 60 days after discovery. For breaches of 500+ individuals: notify HHS at hhs.gov/ocr/breach within 60 days — this triggers automatic posting on HHS's public breach tool (the "Wall of Shame") and typically an HHS investigation. (3) Small breach aggregate reporting: breaches affecting fewer than 500 individuals in a state are reported to HHS annually by March 1 for the preceding calendar year. (4) Business associates must report breaches to the covered entity within 60 days of discovery — and the covered entity's notification clock runs from the date the covered entity discovers it, not when the BA notifies them. Documented BA agreements with breach notification provisions are not optional.

HHS OCR settlements for HIPAA breach failures run from hundreds of thousands to tens of millions of dollars — and the pattern for the largest penalties is not just the breach itself but the failure to implement the required security safeguards beforehand (risk analysis, access controls, encryption of PHI at rest). Treat HIPAA security as a legal obligation, not a compliance exercise.

If you're the CISO or general counsel of a publicly traded company: The SEC's December 2023 cybersecurity disclosure rules created two distinct obligations you must operationalize. Incident disclosure (Form 8-K Item 1.05): when a material cybersecurity incident occurs, you must disclose via Form 8-K within 4 business days of the materiality determination — not 4 days from discovery. This means you need a documented process for determining materiality quickly. Work with legal and financial leadership to establish pre-defined materiality criteria (e.g., data affecting more than X customers, financial impact exceeding $Y, operational disruption lasting more than Z hours). The disclosure must describe the nature, scope, timing, and material impact of the incident. Annual risk disclosures (Form 10-K Item 106): describe your processes for assessing, identifying, and managing material cybersecurity risks; whether and how the board oversees cybersecurity risk; and management's role in managing cybersecurity risk. Board members with cybersecurity expertise should be identified — SEC staff reviews these for consistency with actual governance practices. Coordinate your incident disclosure process with your IR firm and cyber insurance carrier — most policies require notification of the insurer before any public disclosure, and the carrier may have approval rights over forensics vendors and notification content.

State Variations

Data breach notification is the quintessential area of state variation:

  • California (2003): First state law; broadest definition of personal information; private right of action under CCPA for certain breaches ($100–$750 per consumer per incident)
  • New York (SHIELD Act, 2019): Expanded definition of private information; requires "reasonable safeguards"
  • Massachusetts (201 CMR 17.00): Requires written information security programs; specific data security requirements
  • Texas: 60-day notification; AG notification required
  • Strictest timelines: Florida, Colorado (30 days); SEC (4 business days for material incidents)
  • Private rights of action: Available in some states (California, Illinois BIPA, others); most state breach laws allow only AG enforcement

Implementing Regulations

  • 12 CFR Part 364 Appendix B — OCC/FDIC interagency guidelines on response to unauthorized access to customer information, establishing baseline incident response requirements for federally regulated banks and thrifts
  • 16 CFR Part 314 — FTC Safeguards Rule (data security requirements for non-bank financial institutions under GLBA, updated 2023 to add breach notification requirements to the FTC within 30 days)
  • 45 CFR Parts 160, 164 — HHS HIPAA Security Rule and Breach Notification Rule (requirements for covered entities and business associates to notify individuals, HHS, and in some cases media of breaches of protected health information)
  • Note: There is no comprehensive federal data breach notification law; requirements vary by sector (financial, healthcare, federal agencies) and all 50 states have their own breach notification statutes, creating a patchwork compliance environment

Pending Legislation

Federal data breach notification bills are introduced every Congress. See Privacy Law or Technology Regulation for related legislative activity in the 119th Congress.

Recent Developments

The SEC's cybersecurity incident disclosure rules (effective December 2023) created the most significant new federal breach reporting requirement in years — requiring public companies to disclose material cybersecurity incidents within 4 business days. The FTC has expanded its use of Section 5 authority to bring enforcement actions against companies with inadequate data security practices — even without a specific breach. Organizations should also consider their obligations under the Computer Fraud and Abuse Act when investigating the scope of unauthorized access. For broader privacy compliance, see data privacy law and the NIST Cybersecurity Framework. State laws continue to evolve: several states have added biometric data, health data, and email credentials to their definitions of covered personal information. Major breaches (MOVEit, 23andMe, Change Healthcare) continue to demonstrate the scale and impact of data compromise.

  • ADPPA dead in 119th Congress (2025): The American Data Privacy and Protection Act, which passed the House Energy and Commerce Committee in 2022 but stalled over state law preemption disputes, was not reintroduced with the same momentum in the 119th Congress. The Trump administration has shown limited interest in comprehensive federal privacy legislation; state laws (California CPRA, Colorado CPA, Virginia CDPA, and now 18+ state privacy laws) continue to fragment the compliance landscape. Companies operating across states face an increasingly complex multi-state notification framework with varying definitions, timelines, and covered data categories.
  • FTC under Trump — Gail Slater and data security enforcement (2025): The Trump FTC under chair Andrew Ferguson (confirmed 2025) has reshuffled enforcement priorities. The Biden FTC's aggressive data security enforcement posture — using Section 5 to pursue companies for inadequate security without specific injury — has been scaled back. However, breach notification enforcement by state AGs has increased, partly filling the federal gap. The SEC's 4-business-day material cybersecurity incident disclosure rule remains in effect for public companies; the Trump SEC has not withdrawn this rule.