Fer O’Neil did some comparisons of state laws on the content of notices. His write-up of what he found is well worth reading. Here’s a snippet from it:
The first metric I looked at was the number of states and territories that had some required content of notice. I was a little surprised that 63% (31 of 49 reported) had None. The remaining 8 had an average of 2 between 1 and 11 (the majority had 4-5).
This means that for most states, they have no requirements or recommendations for what content is included in a data breach notification. The content itself is entirely left up to the company sending the notification.
Read more about what his research uncovered on WeLiveSecurity.com.