State-by-state register
Data breach notification laws by state: 51 statutes, no federal floor.
The United States has no general federal breach-notification law. A multi-state breach must comply with up to 51 separate statutes, each with its own deadline, attorney general threshold, definition of personal information, and penalty structure. Below is the full register: pick a state for its statute citation, notification deadline, who to notify, whether a private right of action exists, and the penalties. Every entry is source-cited and verified in June 2026.
Jurisdictions
51
50 states + DC, all verified
Strictest deadline
30 days
California and others
Fixed-day deadlines
23
28 use "without unreasonable delay"
Private right of action
15
States allowing some private suit
Section R.1 / The deadline ladder
States with the strictest fixed deadlines
The states below set a numeric day-count deadline rather than a qualitative standard. For a multi-state breach, the strictest applicable clock governs your response timeline, so these are the deadlines that matter most in practice.
Section R.2 / Full register
All 50 states + DC, at a glance
Deadline is to affected individuals. AG threshold is the number of residents that triggers attorney general or state-agency notification. Select a state for the full breakdown.
| State | Statute | Deadline | AG threshold | Private action |
|---|---|---|---|---|
| Alabama | Ala. Code 8-38-1 et seq. | 45 days | More than 1,000 Alabama residents | No |
| Alaska | Alaska Stat. 45.48.010 et seq. | Unreasonable delay | Only when invoking the no-likelihood-of-harm exception (written notice to the AG) | Limited |
| Arizona | A.R.S. 18-551, 18-552 | 45 days | More than 1,000 Arizona residents (AG and Dept. of Homeland Security) | No |
| Arkansas | Ark. Code Ann. 4-110-101 et seq. | Unreasonable delay | More than 1,000 Arkansas residents | No |
| California | Cal. Civ. Code 1798.82 | 30 days | More than 500 California residents | Yes |
| Colorado | C.R.S. 6-1-716 | 30 days | 500 or more Colorado residents | No |
| Connecticut | Conn. Gen. Stat. 36a-701b | 60 days | All breaches (no minimum resident threshold) | No |
| Delaware | Del. Code tit. 6, Ch. 12B | 60 days | 500 or more Delaware residents | No |
| District of Columbia | D.C. Code 28-3851 et seq. | Unreasonable delay | 50 or more District residents | Yes |
| Florida | Fla. Stat. 501.171 | 30 days | 500 or more Florida residents | No |
| Georgia | Ga. Code 10-1-912 | Unreasonable delay | No general AG requirement (reporting agencies at 10,000+ residents) | No |
| Hawaii | HRS Ch. 487N | Unreasonable delay | 1,000 or more Hawaii residents (written notice to the Office of Consumer Protection) | Yes |
| Idaho | Idaho Code 28-51-104 et seq. | Unreasonable delay | Government agencies only (no requirement for commercial entities) | No |
| Illinois | 815 ILCS 530 | Unreasonable delay | More than 500 Illinois residents (private collectors); 250 for state agencies | No |
| Indiana | Ind. Code 24-4.9 | 45 days | All qualifying breaches | No |
| Iowa | Iowa Code Ch. 715C | Unreasonable delay | 500 or more Iowa residents | No |
| Kansas | K.S.A. 50-7a01 et seq. | Unreasonable delay | No general AG requirement (reporting agencies at more than 1,000 residents) | No |
| Kentucky | KRS 365.732 | Unreasonable delay | No general AG requirement (reporting agencies at more than 1,000 residents) | No |
| Louisiana | La. R.S. 51:3071 et seq. | 60 days | All breaches affecting Louisiana residents | Limited |
| Maine | 10 M.R.S. 1346 et seq. | 30 days | All breaches (no minimum resident threshold) | No |
| Maryland | Md. Code, Com. Law 14-3504 | 45 days | All breaches (AG notified before individual notices are sent) | No |
| Massachusetts | Mass. Gen. Laws ch. 93H | Unreasonable delay | All breaches (AG and Office of Consumer Affairs and Business Regulation) | Yes |
| Michigan | MCL 445.72 | Unreasonable delay | Not currently required (pending SB 360 would require it at 100+ residents) | No |
| Minnesota | Minn. Stat. 325E.61 | Unreasonable delay | No general AG requirement (reporting agencies at 500+ residents within 48 hours) | No |
| Mississippi | Miss. Code Ann. 75-24-29 | Unreasonable delay | No AG notification requirement at any threshold | No |
| Missouri | Mo. Rev. Stat. 407.1500 | Unreasonable delay | More than 1,000 Missouri consumers | No |
| Montana | Mont. Code Ann. 30-14-1704 et seq. | Unreasonable delay | All breaches affecting Montana residents | No |
| Nebraska | Neb. Rev. Stat. 87-801 et seq. | Unreasonable delay | All breaches affecting Nebraska residents | No |
| Nevada | Nev. Rev. Stat. 603A.010 et seq. | Unreasonable delay | No AG notification requirement | No |
| New Hampshire | N.H. Rev. Stat. 359-C:19 et seq. | Unreasonable delay | 1,000 or more residents (AG notified before individual notices) | No |
| New Jersey | N.J. Stat. 56:8-161 et seq. | 30 days | All breaches (Division of Consumer Affairs and State Police) | Yes |
| New Mexico | N.M. Stat. Ann. 57-12C-1 et seq. | 45 days | Any breach affecting New Mexico residents | No |
| New York | N.Y. Gen. Bus. Law 899-aa | 30 days | All breaches (AG, Dept. of State, State Police) | Limited |
| North Carolina | N.C. Gen. Stat. 75-65 | Unreasonable delay | All breaches (Consumer Protection Division of the AG) | Yes |
| North Dakota | N.D. Cent. Code Ch. 51-30 | Unreasonable delay | 250 or more North Dakota residents | No |
| Ohio | Ohio Rev. Code 1349.19 | 45 days | No direct AG requirement (reporting agencies at more than 1,000 residents) | No |
| Oklahoma | Okla. Stat. tit. 24, 161 et seq. | Unreasonable delay | 500 or more Oklahoma residents | No |
| Oregon | ORS 646A.600 et seq. | 45 days | 250 or more Oregon residents | No |
| Pennsylvania | 73 Pa. Stat. 2301 et seq. | Unreasonable delay | More than 500 Pennsylvania residents | Yes |
| Rhode Island | R.I. Gen. Laws Ch. 11-49.3 | 45 days | 500 or more Rhode Island residents | No |
| South Carolina | S.C. Code 39-1-90 | Unreasonable delay | No direct AG requirement (Dept. of Consumer Affairs at 1,000+ residents) | Yes |
| South Dakota | S.D. Codified Laws 22-40-19 et seq. | 60 days | More than 250 South Dakota residents | No |
| Tennessee | Tenn. Code Ann. 47-18-2107 | 45 days | No mandatory AG notification for private-sector breaches | Yes |
| Texas | Tex. Bus. & Com. Code 521.053 | 60 days | 250 or more Texas residents | Limited |
| Utah | Utah Code 13-44-202 | Unreasonable delay | 500 or more Utah residents (AG and Utah Cyber Center) | No |
| Vermont | 9 V.S.A. 2430, 2435 | 45 days | All breaches (no minimum resident threshold) | No |
| Virginia | Va. Code 18.2-186.6 | Unreasonable delay | All breaches (concurrent with individual notice) | Limited |
| Washington | RCW 19.255.010 | 30 days | More than 500 Washington residents | Yes |
| West Virginia | W. Va. Code 46A-2A-101 et seq. | Unreasonable delay | No AG notification requirement | No |
| Wisconsin | Wis. Stat. 134.98 | 45 days | No AG notification requirement | No |
| Wyoming | Wyo. Stat. 40-12-501, 40-12-502 | Unreasonable delay | No AG notification requirement | No |
Primary source:Statute citations, deadlines, and thresholds verified June 2026 against state statutory summaries (Recording Law US data-privacy series, 2026 edition), the IAPP US State Data Breach Notification Chart, Foley & Lardner's State Data Breach Notification Laws Chart (4 March 2026), Davis Wright Tremaine and Perkins Coie compilations, and the underlying statute text via FindLaw, Justia, and state legislature sites.
Index / Companion schedules
Schedule 09 / Notification laws
→Global frameworks (GDPR, UK, Canada) and the cost of notification.
Regulation / GDPR
→The 72-hour clock and 4%-of-revenue fine framework.
01 / Breach cost calculator
→Estimate your breach exposure, including notification cost.
08 / By country
→Cost impact of these notification regimes worldwide.
Cost / Notification
→Why notification is roughly 6% of total breach cost.
04 / Biggest breaches
→The notification clocks these companies faced.
Schedule F / Reference Q&A