There is no one overarching federal data breach notification law in the U.S. Attempts to pass one are opposed by those who do not want a federal law to pre-empt stronger state laws. While industry giants may support a federal law if it pre-empts state laws, they do not support any proposal that provides individuals with the right to sue. We are left, then, with state laws, sectoral laws, and some specific federal laws.
State Breach Notification Laws
The National Conference of State Legislatures provides links to each state’s data breach notification laws.
Here are some additional resources on state laws:
- BakerHostetler’s US Data Breach Notification Law Interactive Map and a downloadable state data breach notification laws file (free resources)
- Foley & Lardner’s state breach law chart is current as of July 9, 2024, but do read what it doesn’t cover.
- States may have other laws for specific sectors. As one example, NYS enacted Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. Part 500. The requirements include specific notification obligations.
- All 50 U.S. states, the District of Columbia, as well as American Samoa, Guam, the Northern Mariana Islands, Puerto Rico, and the U.S. Virgin Islands, have an attorney general (AG). You can find your AG on the National Association of Attorneys General site.
- Some states publish breach notifications they receive on their websites, but most do not.
Federal Data Breach Notification Laws
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) applies to entities in 16 critical infrastructure sectors. More information on CIRCIA can be found on CISA’s website. CIRCIA also covers the financial sector, and requires, among other provisions, that payments made to ransomware attackers be reported within 24 hours.
Telecommunications Sector
The Federal Communications Commission (FCC) breach notification rule, adopted in 2007, requires a telecommunications carrier to notify law enforcement of a breach of its customers’ proprietary network information (CPNI) no later than seven business days after it reasonably determines that a breach has occurred. Notification is made electronically through a central reporting facility to the Secret Service and the Federal Bureau of Investigation (FBI). After notifying law enforcement, carriers are allowed to inform customers, although the current rules do not specify the precise content of the notice.
In January 2023, the FCC published a Notice of Proposed Rulemaking that would amend breach notification obligations. The rule was adopted in December 2023 and went into effect in March, other than amendments noted in the rule.
Financial Sector
Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers: Final Rule (pdf). On November 23, 2021, the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, and the Office of the Comptroller of the Currency (collectively, the agencies) issued the Final Rule. Under the rule, which went into effect May 1, 2022, banks must notify their regulator of record “as soon as possible and no later than 36 hours” after they have identified a significant computer security incident that disrupts or degrades, or is reasonably likely to disrupt or degrade, the viability of the banking organization’s operations, results in customers being unable to access their deposit and other accounts, or impacts the stability of the financial sector.
The Gramm–Leach–Bliley Act (GLBA) requires covered financial institutions to notify customers whose non-public personal information is compromised by a security breach. GLBA also applies to universities and colleges that offer federal student loans.
Healthcare Sector And Those Collecting Or Using Health Data
Health Insurance Portability and Accountability Act (HIPAA) is probably the best-known federal statute. HIPAA has a Breach Notification Rule.
The Health Information Technology for Economic and Clinical Health (HITECH) Act expanded the notification requirements of HIPAA to business associates and also strengthened the penalties for violations. HITECH also gave state attorneys general the authority to initiate civil suits on behalf of their residents for violations of HIPAA. The Department of Justice handles criminal prosecutions under HIPAA.
The Health Breach Notification Rule is enforced by the Federal Trade Commission (FTC). Vendors of personal health records and PHR-related entities must notify the FTC following the discovery of a breach of security. If the breach involves the unsecured PHR identifiable health information of 500 or more individuals, the notice must be provided as soon as possible and in no case later than ten business days following the date of discovery of the breach. The FTC is proposing to amend its Health Breach Notification Rule, which requires vendors of personal health records to report data breaches, so that it also covers developers of health applications.
Education Sector
The Family Educational Rights and Privacy Act (FERPA) does not require covered schools, universities or colleges to notify individuals of a data security breach or privacy breach. It does, however, require that a student’s records be annotated to indicate that on the specified date, the records were disclosed without authorization. And as noted above, GLBA requires colleges and universities that offer federal student loans to notify students in the event of a data breach involving their student loan data.
While FERPA does not require notification to the U.S. Department of Education or individuals, state laws may require it.
This page was last updated June 20, 2024.