Data Breach Notification Laws

In News, Legal News
August 29, 2023
There are two seminal points about data breach notification.

One, in the absence of any specific law or regulation, the person who was hacked is not required to notify anyone, including the people whose information was accessed, that their information was compromised. That is why access to the specific notification requirements listed below is critically important.

Two, if there is a requirement to notify people whose protected information has been compromised, all of the people required to be notified must be notified. There is no “best efforts” or a half-assed “technology-assisted” or “reasonable efforts” safe harbor. All means all. There are no excuses.

There may be both federal and state laws or regulations that require notification to state or federal agencies as well as to individuals and other companies. Each law has its own definition of what entities it covers and how it defines a reportable breach. Some laws also incorporate provisions so that if the entity has complied with a federal law (like HIPAA), it will be presumed to have complied with the state’s breach notification law.

New laws or amendments have recently been enacted or proposed. The resources on this page are current at the time of posting but will likely require updating over time, so be sure to check back.

State Data Breach Notification Laws

The National Conference of State Legislatures provides links to each state’s data breach notification laws as they apply to both private entities and government agencies. The NCSL resource was last updated in January 2022, but it appears that they did annotate Texas’s entry to reflect that SB 768 subsequently amended the deadline for entities to notify the state from 60 days to 30 days.

There are some additional resources where you can find links and information on breach notification laws for U.S. states and territories. One of the most current online resources is BakerHostetler’s US Data Breach Notification Law Interactive Map and their downloadable state data breach notification laws file.

Another recent resource is Foley & Lardner’s State Data Breach Notification Laws Chart (current as of December 1, 2023). DLA Piper also provides Data Protection Laws of the World (last reviewed January 2023).

In addition to state laws compiled in the resources above, states may have other laws for specific sectors. As one example, NYS enacted Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500. The requirements include specific notification obligations.

All 50 U.S. states, the District of Columbia, as well as American Samoa, Guam, the Northern Mariana Islands, Puerto Rico, and the U.S. Virgin Islands, have an attorney general (AG). You can find your AG on the National Association of Attorneys General site. Their sites often provide links to submit breach notifications to the state.

In January 2024, the California Privacy Protection Agency opened a new website with resources for California residents about their privacy rights under the California Consumer Privacy Act. Residents can also find information on how to submit a complaint against a business. There are also resources for businesses to help them understand their obligations under the CCPA.

Federal Data Breach Notification Laws

Many federal laws or regulations are sectoral, but the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) applies to entities in 16 critical infrastructure sectors. The sectors are outlined in Presidential Policy Directive 21. More information on CIRCIA can be found on CISA’s website.

Telecommunications Sector

The Federal Communications Commission (FCC) breach notification rule, adopted in 2007, requires a telecommunications carrier to notify law enforcement of a breach of its customers’ proprietary network information (CPNI) no later than seven business days after a reasonable determination of a breach by sending electronic notification through a central reporting facility to the Secret Service and the Federal Bureau of Investigation (FBI). After notifying law enforcement, carriers are allowed to inform customers, although the current rules do not specify the precise content of the notice.

In January 2023, the FCC published a Notice of Proposed Rulemaking that would amend breach notification obligations. PerkinsCoie has a helpful explainer on the proposal.

Financial Sector

Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers: Final Rule (pdf). On November 23, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (collectively, the agencies) issued the Final Rule. Under the rule, which went into effect May 1, 2022, banks must notify their regulator of record “as soon as possible and no later than 36 hours” after they have identified a significant computer security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, results in customers being unable to access their deposit and other accounts, or impacts the stability of the financial sector.

CIRCIA (mentioned above) also covers the financial sector and requires, among other provisions, that payments made to ransomware attackers be reported within 24 hours.

The Gramm–Leach–Bliley Act (GLBA) requires covered financial institutions to notify customers whose non-public personal information is compromised by a security breach. GLBA also applies to universities and colleges that offer federal student loans.

Healthcare Sector and Those Collecting or Using Health Data

The Health Insurance Portability and Accountability Act (HIPAA) is probably the best-known federal statute. HIPAA has a Breach Notification Rule.

The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the notification requirements of HIPAA to business associates and also strengthened the penalties for violations. HITECH also gave state attorneys general the authority to initiate civil suits on behalf of their residents for violations of HIPAA. The Department of Justice handles criminal prosecutions under HIPAA.

The Health Breach Notification Rule is enforced by the Federal Trade Commission (FTC). Vendors of personal health records and PHR-related entities shall provide notice to the Federal Trade Commission following the discovery of a breach of security. If the breach involves the unsecured PHR identifiable health information of 500 or more individuals, then such notice shall be provided as soon as possible and in no case later than ten business days following the date of discovery of the breach. The FTC is proposing to amend its Health Breach Notification Rule so that the requirement for vendors of personal health records to report data breaches also covers developers of health applications.

Education Sector

The Family Educational Rights and Privacy Act (FERPA) does not require covered schools, universities, or colleges to provide notification to individuals of any data security breach or privacy breach. It does, however, require that a student’s records be annotated to indicate that on the specified date, the records were disclosed without authorization.

While FERPA does not require notification to the U.S. Department of Education or individuals, state laws may require it.

This page was last updated January 26, 2024. While this site does not compile non-U.S. breach notification laws, we note that BakerHostetler has an EU GDPR Data Breach Notification Interactive Map that readers may find helpful.