All 50 states now have data breach notification laws requiring businesses to notify individuals when their personal information has been compromised. Requirements vary significantly by state.
Common elements: Most states require notification when unencrypted personal information (a name combined with an SSN, driver's license number, or financial account number) is accessed by an unauthorized party.
Notification timelines: Some states set specific deadlines. Florida requires notification within 30 days. Colorado and Connecticut require 60 days. Many states require notification "without unreasonable delay."
Who to notify: Beyond affected individuals, many states require notification to the state attorney general, and sometimes to consumer reporting agencies, when the number of affected individuals exceeds a certain threshold (often 500 to 1,000).
Expanded definitions: States are broadening what constitutes "personal information." California's CCPA includes biometric data, geolocation, and browsing history. Illinois's BIPA specifically covers biometric identifiers.
Penalties: Failure to comply can result in significant fines. California can impose up to $7,500 per intentional violation. New York's SHIELD Act authorizes the attorney general to seek penalties up to $5,000 per violation.
Businesses operating in multiple states should follow the most stringent applicable requirements so that a single notification process satisfies every state's law.