
State Data Breach Notification Laws: Overview of Requirements for Responding to a Data Breach - Updated June 2021

With the ever-changing complexity of state data breach notification laws, companies facing a data breach need resources that will help them understand the issues. This summary provides an overview of the similarities and differences in data breach laws adopted in the 50 U.S. states and the District of Columbia. All states require that affected residents be notified of a security breach (as that term is defined in each law), and many also require that state agencies and the three major national credit reporting agencies be notified in certain circumstances. Many state agencies require or permit companies to submit notices online, and some agencies publicly post copies of the notices they receive. As a practical matter, most companies that experience a breach that affects their customers, employees, or other individuals with whom they have a relationship will be required to comply with all or several state laws depending on where the individuals reside, and international and sector-specific data breach notification laws may also apply. In addition, many state laws impose data security requirements, which should also be consulted.

The laws continue to evolve and change, so it is important to consult experienced counsel and check relevant laws for any updates whenever you experience a data breach.

This summary is intended to provide general information about applicable laws and does not constitute legal advice regarding specific facts or circumstances.  

To view the updated data breach notification laws chart, click here

For more information on privacy and data security matters, please contact:

Sheila Millar (+1 202.434.4143,
Tracy Marshall (+1 202.434.4234,