If your organization experiences a data breach, you will need to navigate one of the most fragmented regulatory landscapes in the world. The United States has no single federal breach notification law. Instead, you face a patchwork of 50 state laws, sector-specific federal requirements, and international obligations — each with different definitions of what constitutes a breach, different timelines, different notification recipients, and different penalties for non-compliance.
This guide summarizes the notification obligations in effect as of 2026, with a focus on the requirements most likely to affect businesses operating in New York and across the U.S.
The U.S. State Breach Notification Patchwork
Every U.S. state, plus D.C., Puerto Rico, and several territories, has a breach notification law. They share a common framework — you must notify affected individuals when their personal information is exposed — but diverge significantly on the details.
Strictest State Requirements
California: Under the state's data breach notification statute (Cal. Civ. Code § 1798.82, as amended by SB 446), and as of January 1, 2026, California requires breach notification to affected residents within 30 calendar days of discovery, and — for breaches affecting 500 or more Californians — a sample copy of that notification must be electronically submitted to the California Attorney General within 15 calendar days of notifying residents. This replaced the prior open-ended "most expedient time possible and without unreasonable delay" standard, which set no fixed deadline. Note that this AG-notification duty arises under § 1798.82, while the CCPA/CPRA itself provides the separate § 1798.150 private right of action for inadequate security. The definition of personal information is broad and includes biometric data, geolocation, and inferences drawn from personal data. For CCPA violations, the California Privacy Protection Agency can levy fines of up to $7,500 per intentional violation.
New York (SHIELD Act): New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act requires notification to affected New York residents in the most expedient time possible and without unreasonable delay. New York businesses must also notify the NY Attorney General, the Department of State, and the Division of State Police — plus the Department of Financial Services for DFS-covered entities — within 30 days of discovering a breach, an explicit deadline added by the December 2024 amendment to the state's breach-notification law (N.Y. Gen. Bus. Law § 899-aa, as amended by S2659B, eff. Dec. 21, 2024). The SHIELD Act is notable for its broad scope — it applies to any company that owns or licenses private information of New York residents, not just companies located in New York.
Colorado: Colorado's data breach notification law (C.R.S. § 6-1-716, enacted by HB 18-1128, the Protections for Consumer Data Privacy Act of 2018) requires notification to affected individuals within 30 days of determining that a breach occurred, and notification to the Colorado Attorney General if 500 or more Colorado residents are affected.
State attorneys general actively enforce breach-notification timeliness, and penalties vary widely by case — recent examples include a $6.75M California settlement with Blackbaud over untimely, inaccurate notice (2024) and a $795,000 Massachusetts settlement over data-security and notification failures — so missing your state's notification window carries real, case-specific financial and reputational exposure rather than a fixed fine.
Federal Sector-Specific Requirements
HIPAA (Healthcare)
HIPAA's Breach Notification Rule requires covered entities (healthcare providers, health plans, healthcare clearinghouses) to notify affected individuals within 60 days of discovering a breach of unsecured protected health information (PHI). Business associates must notify the covered entity within 60 days of discovery. If the breach affects 500 or more residents of a state, the covered entity must also notify prominent media outlets in that state. The Department of Health and Human Services (HHS) must be notified; for breaches affecting 500 or more individuals, notification is immediate; for smaller breaches, entities may aggregate and report annually.
FTC Safeguards Rule (Financial Institutions)
The FTC's updated Safeguards Rule, effective since 2023, requires non-bank financial institutions (auto dealers, mortgage brokers, accountants, tax preparers) to notify the FTC within 30 days of discovering a security event involving the information of 500 or more customers. This is notification to the FTC itself, not to consumers — consumer notification obligations still flow through state laws.
SEC Cybersecurity Disclosure Rules (Public Companies)
The SEC's cybersecurity disclosure rules, effective December 2023, require public companies to disclose material cybersecurity incidents on Form 8-K within 4 business days of determining that an incident is material. The 4-day clock starts from the materiality determination, not from incident discovery — a distinction that creates significant incentive to delay the materiality assessment, which the SEC has explicitly warned against. Companies must also disclose cybersecurity risk management practices annually in Form 10-K.
GDPR and International Obligations
For any organization processing personal data of EU residents, the GDPR applies regardless of where the organization is headquartered. Under GDPR Article 33, personal data breaches must be notified to the competent Data Protection Authority (DPA) within 72 hours of becoming aware of the breach. If the breach is likely to result in high risk to individuals, the individuals themselves must also be notified without undue delay under Article 34. The 72-hour clock runs from when the controller becomes aware, not from when the breach occurred.
What Constitutes a Breach
Most U.S. state laws define a breach as unauthorized acquisition of personal information. "Personal information" typically includes name combined with: Social Security number, driver's license number, financial account number plus access credentials, medical information, or login credentials. Some states have expanded this to include biometric data, geolocation, and passport numbers.
Critically, most laws have safe harbor provisions for encrypted data: if the breached data was encrypted and the encryption key was not also compromised, many states do not require notification. This is a strong practical argument for encryption at rest across all data systems.
Practical Notification Workflow
A defensible breach notification process involves: (1) engaging legal counsel immediately to assess notification obligations across all applicable jurisdictions, (2) conducting a reasonable investigation to determine what data was accessed and which individuals are affected, (3) drafting notification letters that meet the content requirements of each applicable law, (4) establishing a dedicated phone line or website for affected individuals to ask questions, and (5) documenting every step of the notification process.
Content requirements vary but typically include: a description of what happened, what information was involved, what steps have been taken to investigate and contain the breach, what steps affected individuals can take to protect themselves (credit monitoring, fraud alerts), and contact information for questions.
An incident response retainer with a firm experienced in breach notification can significantly reduce the time to compliant notification. The alternative — managing multi-state notification obligations manually during a live incident — is a reliable path to missed deadlines and regulatory exposure. Contact Fortress to discuss pre-breach notification planning.