There is no federal US breach notification law. There is a patchwork of fifty state statutes, a handful of sector-specific federal rules, and a growing layer of regulator-specific obligations. If your incident response plan says "notify per applicable law," you do not have a plan. You have a sentence.

What you need is a matrix — jurisdiction by jurisdiction — that your legal team can run against the facts of an incident in the first 24 hours. This post is not legal advice. It is a field guide for the security leader who has to translate "we had an incident affecting customer data in 41 states" into a defensible notification workflow.

The axes that actually vary

Every state statute differs along the same handful of dimensions. Build your matrix around these:

  • Definition of personal information. Some states stop at name + SSN/DL/account number. Others include biometrics, health data, tax IDs, usernames plus password or security question, or passport numbers. Illinois BIPA and the expanded Texas HB 300 are outliers.
  • Trigger standard. Strict (any unauthorized acquisition = notify) versus harm-based (notify only if there is a reasonable likelihood of harm, often called a "risk of harm" analysis). Most states are harm-based, but the bar varies.
  • Timing. "Most expeditious time possible and without unreasonable delay" is the default. Hard clocks exist: Florida and Colorado at 30 days, Maine at 30 days after scope determination, some others at 45 or 60. HIPAA is 60 days. SEC Form 8-K disclosure is 4 business days after materiality determination.
  • Regulator notification. Many states require parallel notice to the attorney general, often with a threshold (e.g., 500 or 1,000 residents affected). New York SHIELD and the California Attorney General portal are among the most actively enforced.
  • Substitute notice and media notice. Thresholds above which you must notify via website posting, email, and major media outlets.
  • Content requirements. Some states prescribe specific content — dates, categories of data, credit monitoring offers. California is the strictest; a non-conforming letter is itself a violation.

The ones you cannot fumble

In practice, a few jurisdictions and regulators do most of the enforcement work. Get these right first:

  • California (CCPA/CPRA). Broad definition of personal information, private right of action for certain data categories, active AG and CPPA enforcement.
  • New York (SHIELD Act, DFS 23 NYCRR 500). If you touch financial services, DFS has 72-hour notification requirements and has levied multi-million dollar penalties.
  • Texas (HB 300 for health data). Stricter than HIPAA in places; expanded identity data rules.
  • HIPAA / HITECH. 60 days to individuals, HHS, and sometimes media. Applies to business associates too.
  • SEC cyber disclosure rule. Public companies: Form 8-K within four business days of a materiality determination. The clock is on materiality, not on discovery, and the SEC has begun testing that in enforcement.
  • GLBA Safeguards Rule (FTC). 30-day notification to the FTC for incidents affecting 500+ consumers at nonbank financial institutions.

What your legal team actually needs from you

Legal cannot run the matrix without facts. Your job during an incident is to produce, as early as possible:

  • Data categories implicated, with evidence (not guesses).
  • Residency counts by state — not "roughly 100k records" but a per-state breakdown.
  • Acquisition evidence: did the attacker access, or just have the ability to access? This distinction drives trigger analysis in many states.
  • Timeline with specific dates for discovery, confirmation, and scope determination. Regulators will ask.
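As an added illustration of the matrix the post describes (this is example code, not something from the post or any vendor), the block below encodes a handful of jurisdiction rows along the axes listed earlier and runs incident facts against them: per-state residency counts, data categories, acquisition evidence, and the discovery, scope-determination and materiality dates. The day counts follow the figures the post cites (30-day Florida, Colorado and Maine clocks, 60-day HIPAA, four-business-day SEC 8-K); every other field in the rows (trigger standard, covered categories, regulator thresholds) is a placeholder, not a statement of current law, and the incident is constructed.

```python
# Added example: a minimal, runnable breach-notification matrix runner.
# The Rule entries are constructed placeholders, NOT current law; the point is the
# shape of the data your legal team needs, not the legal values themselves.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    jurisdiction: str                   # state code, or a regulator name for federal rules
    covered_data: frozenset             # categories that count as "personal information"; empty = any
    trigger: str                        # "strict" (any acquisition) or "harm" (risk-of-harm test)
    clock_days: Optional[int]           # hard deadline in days; None = "without unreasonable delay"
    clock_from: str                     # "discovery", "scope" or "materiality"
    regulator_threshold: Optional[int]  # residents affected before regulator notice; None = never
    business_days: bool = False         # count business days instead of calendar days


@dataclass
class Incident:
    data_categories: frozenset
    residents_by_state: dict            # per-state counts, not "roughly 100k records"
    acquired: bool                      # evidence of acquisition, not merely the ability to access
    harm_likely: bool                   # outcome of the risk-of-harm analysis
    discovered: date
    scope_determined: date
    materiality_determined: Optional[date] = None  # the SEC clock starts here, not at discovery


@dataclass
class Obligation:
    jurisdiction: str
    notify_individuals: bool
    notify_regulator: bool
    deadline: Optional[date]
    reason: str


def add_business_days(start: date, n: int) -> date:
    """Advance n weekdays; holidays are ignored in this example."""
    d, counted = start, 0
    while counted < n:
        d += timedelta(days=1)
        if d.weekday() < 5:
            counted += 1
    return d


def affected_count(rule: Rule, incident: Incident) -> int:
    if rule.jurisdiction in incident.residents_by_state:
        return incident.residents_by_state[rule.jurisdiction]
    return sum(incident.residents_by_state.values())  # federal rules look at the total


def evaluate(rule: Rule, incident: Incident) -> Obligation:
    affected = affected_count(rule, incident)
    if affected == 0:
        return Obligation(rule.jurisdiction, False, False, None, "no residents affected")
    if rule.covered_data and not (rule.covered_data & incident.data_categories):
        return Obligation(rule.jurisdiction, False, False, None, "no covered data category")
    if rule.clock_from == "materiality":
        triggered = incident.materiality_determined is not None
        start = incident.materiality_determined
    else:
        # Assumption: acquisition is required under both standards; some statutes key on access.
        triggered = incident.acquired and (rule.trigger == "strict" or incident.harm_likely)
        start = incident.discovered if rule.clock_from == "discovery" else incident.scope_determined
    if not triggered:
        return Obligation(rule.jurisdiction, False, False, None, "trigger standard not met")
    if rule.clock_days is None:
        deadline = None
    elif rule.business_days:
        deadline = add_business_days(start, rule.clock_days)
    else:
        deadline = start + timedelta(days=rule.clock_days)
    regulator = rule.regulator_threshold is not None and affected >= rule.regulator_threshold
    return Obligation(rule.jurisdiction, True, regulator, deadline, f"{affected} affected")


def run_matrix(matrix, incident: Incident) -> dict:
    return {r.jurisdiction: evaluate(r, incident) for r in matrix}


def earliest_deadline(obligations: dict) -> Optional[date]:
    dates = [o.deadline for o in obligations.values() if o.deadline is not None]
    return min(dates) if dates else None


PII = frozenset({"ssn", "drivers_license", "account_number"})
MATRIX = [  # day counts per the post; triggers, categories and thresholds are placeholders
    Rule("FL", PII, "harm", 30, "discovery", 500),
    Rule("CO", PII, "harm", 30, "discovery", 1000),
    Rule("ME", PII, "harm", 30, "scope", 1000),
    Rule("HIPAA", frozenset({"phi"}), "harm", 60, "discovery", 1),
    Rule("SEC", frozenset(), "strict", 4, "materiality", None, business_days=True),
]

SAMPLE_INCIDENT = Incident(  # constructed facts for the walkthrough
    data_categories=frozenset({"name", "ssn"}),
    residents_by_state={"FL": 1200, "CO": 300, "ME": 50},
    acquired=True, harm_likely=True,
    discovered=date(2024, 3, 1), scope_determined=date(2024, 3, 10),
    materiality_determined=date(2024, 3, 12),
)

if __name__ == "__main__":
    result = run_matrix(MATRIX, SAMPLE_INCIDENT)
    for o in result.values():
        print(o)
    print("binding deadline:", earliest_deadline(result))
```

Two things the run makes visible that a sentence in a plan does not: the Maine row's clock starts from scope determination rather than discovery, so its date lands later than Florida's even though both are "30 days", and the SEC row ignores the data categories entirely and binds earliest because its four business days run from the materiality determination. Swap `acquired=True` for `False` and every harm-based state row drops out, which is exactly why the acquisition question in the list above matters.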

The worst time to build your state notification matrix is while the incident is active. The best time was yesterday. The second-best time is before the next quarterly tabletop.

The takeaway

Ask your general counsel for the current version of your state notification matrix. If it does not exist, or was last updated in 2022, that is the first finding of your next tabletop. The laws move quickly — Maryland, Pennsylvania, and New Hampshire all tightened in recent cycles, and more federal regulators are claiming jurisdiction over cyber disclosure every year. Notification is not an IT decision. It is a legal decision that depends entirely on the facts you give legal. Get the facts clean, early, and in writing.