Data breach notification laws by state: How to notify, who to notify and when

Cyber hackers have become smarter, making it difficult for companies to keep up with the best data protections and to adhere to data privacy laws. It’s common to see companies that pour all of their focus solely into data breach prevention. However, the companies that are ready on all data security fronts also prioritize data breach response planning. These organizations realize that it’s not necessarily a matter of whether or not a breach will happen, but instead, when it happens and how prepared they are to react swiftly.

Data privacy laws and regulations have become increasingly more comprehensive in the U.S. with the enactment of CCPA and the NY SHIELD Act and most recently the voting in of CPRA. This is why it’s recommended for organizations to become privacy-forward and build out security strategies that involve data breach notification response plans, especially to avoid penalties for non-reporting. Here, we cover data breach notification laws in the U.S. along with the key pieces of information organizations need to know about them.

Which states have passed data breach notification laws?

All 50 U.S. states have laws that require business entities to notify individuals when their personally identifiable information (PII) has become compromised due to a data breach. No matter what state a company does business in or that their customers reside in, organizations have a legal obligation of data breach notification.

Each state will have different requirements, exemptions and guidelines for data breach notification. Some states may not have comprehensive legislation, while other states, like California, are much more stringent about data privacy and security.

Which states have the toughest data breach notification laws?

To check the specifications of each state’s data breach notification requirements, the chart provided by the National Conference of State Legislatures is a good starting point. It’s important to note that this chart does not include each state’s laws regarding privacy and data breach notification laws of personal student data.

There are some states who arrived a bit later at developing and passing data breach notification laws, like Alabama who became the last state to add this protection in 2018. On the other hand, there are states like California that have more robust protections in place. Here, we highlight a few states with the toughest notification laws that you should be aware of.


The CCPA was a groundbreaking law that has set a new standard for data privacy and protection across the U.S. Even more recently, the CPRA, which is sometimes referred to as CCPA 2.0, has been passed.

As far as data breach notification goes, California’s civil code (ARTICLE 7. Accounting of Disclosures [1798.29]) requires that entities disclose any breach of their system’s security to any California resident whose PII was either disclosed or reasonably believed to be compromised by an unauthorized person. This notification must be as immediately as possible without unreasonable delay.


Delaware requires that any commercial website, cloud computing service, or mobile application that collects the PII of Delaware residents must make their privacy policies prominently available for users to view.

Delaware’s obligations are similar to that of California but with an interesting stipulation: notification is not required if a business determines (after an appropriate investigation) that the breach is unlikely to result in any harm to the individuals whose PII have been breached.

If an organization needs to notify more than 500 Delaware residents, it also needs to provide notice of the breach to the attorney general. Another requirement (TITLE 6 – CHAPTER 12B. Computer Security Breaches) is that if the data breach includes social security numbers, the business needs to offer each Delaware resident whose PII was breached, or reasonably believes to have breached, free credit monitoring services for one year (see § 12B-102 Disclosure of breach of security; notice).


Illinois is considered a state with tougher privacy laws because they have detailed biometric laws. In 2008, the state of Illinois required consent for collection of sensitive biometric information, like fingerprints or retina scans.

In terms of data breach notification law, Illinois’ are extensive. Similar to Delaware, if more than a certain amount of residents needs to be notified, a business must also provide notice to the attorney general. The notice to anyone affected must be a written notice or electronic notice.

In some cases a substitute notice (see (815 ILCS 530/) Personal Information Protection Act) is available to businesses that:

  • demonstrate that the cost of providing notice would exceed $250,000
  • the quantity of affected individuals exceeds 500,000, or
  • the business does not have sufficient contact information

Substitute notices can include notification to major statewide media or prevalent posting of the notice on the business’s website.

What should businesses do to prevent and prepare for data breaches?

Planning and preparation are essential to both preventing and responding to data breaches. Below are key questions for an organization to ask and core actions to take when creating an appropriate data security strategy.

Key questions

Some of the questions that an organization should answer when creating a data privacy and security strategy that addresses data breach notification are:

  1. Where does all of my organization’s data currently reside?
  2. Who in the organization has access to sensitive data? What permissions do they have?
  3. How are we monitoring our sensitive data? Are we able to get insights in real-time across our on-premise networks and cloud platforms?
  4. How quickly can we respond to a potential breach? Do we have standardized communications and workflows that make us agile?
  5. Which compliance laws apply to our business? What are the legal, financial, and reputational ramifications of being non-compliant?
  6. What is our current sensitive data footprint and how does that translate into our potential risks?
  7. Core Actions

    When an organization begins thinking about these key questions, they will find that there are a few core actions that can bring their business to a better place. These include:

    1. Sensitive Data Discovery

    This process provides companies with a detailed account of how much sensitive data they have acquired, where it all resides and who has access to it. Without this step, you’ll find that there are many missing pieces while developing your overall data security strategy.

    2. Data Policies and Workflows

    To react quickly and efficiently, your organization’s security team needs to be aligned. Creating a data governance plan or data security policies will better enable your staff to work smoothly with one another and take ownership over their designated responsibilities for your organization’s data privacy efforts. While creating policies, it’s a good idea to create workflows, and an even better idea to automate those workflows.

    3. Real-Time Risk Remediation

    When a data breach occurs, time is of the essence. Using a tool that not only monitors and notifies you of suspicious activity, but that is also built to act with a remediation task when a breach occurs, is pivotal.

    How Spirion can help you manage data breach responses

    Spirion’s Data Privacy Manager features all of the key components that a business needs to prevent and respond quickly to data breaches. It’s an all-in-one solution that empowers organizations with robust sensitive data discovery, real-time data monitoring and risk remediation, and automated workflows. To see how Data Privacy Manager works, request a free demo.