Resource Center

Introduction to Resource Center
This page provides an overview of the IAPP's Resource Center offerings.

Contact Resource Center
For any Resource Center related inquiries, please reach out to resourcecenter@iapp.org.

State Data Breach Notification Chart

• A hyperlink to the state’s notification statute.
• The timeframe in which notification to impacted individuals is required.
• Any exceptions to notification requirements.
• If and when notification must be made to a state agency, consumer protection agency or consumer reporting agency.
• Special forms or language that must be included in the notice.
• Whether the statute provides for a private right of action.

Each column can be filtered to allow notification laws with certain features to be hidden or prioritized. As a starting point, a practitioner could filter the “Timeframe for Breach Notification” column to identify which states have the shortest notification window to further investigate the state-specific requirements. For convenience, the IAPP has also included subsequent sheets with three categories of pre-sorted data:

• Shortest notification timeframe.
• Requires attorney general notification (ranked from the lowest number of impacted individuals to highest).
• Requires consumer reporting agency notification (ranked from the lowest number of impacted individuals to highest).

This chart does not include exceptions to or additional compliance requirements with federal laws, such as the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act. Additionally, an entity must determine if it owns, controls or licenses “personally identifiable information” before it can determine if the “personally identifiable information” was compromised in a “breach” (compared to a security “event” or “incident”), which will be uniquely defined by each law.

NOTE: This tool is for informational purposes only and is not legal advice. State requirements, including any recent changes, should always be verified via official sources. Requirements, if there is a security event, incident or breach, will vary depending on the specific facts, locations and circumstances.

Related Stories

Irish DPC: A Practical Guide to Personal Data Breach Notifications under the GDPR

This guidance from the Data Protection Commission aims to give data controllers some practical advice on how to handle data breaches and understand data breach notifications under the EU General Data Protection Regulation. Click To View .

Data Breach Notification in the United States and Territories

This report from Privacy Rights Clearinghouse took a close look at the current landscape of data breach notification statutes across the country and identified key disparities in the level of protections that each statute affords. Their analysis compares each state’s data breach notification statute.

About

The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, promote and improve the privacy profession globally.

• What is Privacy
• Corporate Members
• Board of Directors

• Advisory Boards
• IAPP Staff
• Locations

Become a member

The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.

© 2024 International Association of Privacy Professionals.
All rights reserved.

Pease International Tradeport, 75 Rochester Ave.
Portsmouth, NH 03801 USA • +1 603.427.9200