
Data Breach Notification Laws: State-by-State Reporting Timelines US Employers Must Follow

All 50 states have data breach notification laws, and the deadlines range from 30 calendar days (California as of January 1, 2026, Colorado, Florida) to 60 days (Texas) to open-ended “without unreasonable delay” standards (New York, Massachusetts). A multi-state employer that loses one HR database owes separate notifications under the law of each affected employee’s state of residence — plus attorney general filings in most of them once the count crosses 250 to 1,000 residents, depending on the state.

For employers and SaaS operators with people or customers in a dozen states, the breach itself is only half the compliance event; the notification matrix is the other half, and the clocks all start at “discovery.”

Which State Deadlines Set the Pace for a Multi-State Response?

Plan around your strictest applicable state, not your headquarters state. California rewired its statute with SB 446, effective January 1, 2026: affected residents must now be notified within 30 calendar days of discovering the breach, and if 500 or more Californians are notified, the attorney general must receive a sample notice within 15 calendar days of the individual notifications. That replaced two decades of “most expedient time possible” language dating back to SB 1386, the 2003 law every other state copied.

Florida’s FIPA sets 30 days (with a possible 15-day extension for good cause), and Colorado sets 30 days with attorney general notice at 500 residents. Texas allows up to 60 days for individuals but requires attorney general notification within 30 days when 250 or more Texans are affected — filed through the AG’s public breach portal, which means your incident becomes searchable public record. New York’s SHIELD Act skips a fixed day count but expanded what counts as a breach (unauthorized access, not just acquisition) and requires notice to the attorney general, the Department of State, and the State Police. Massachusetts runs a risk-of-harm analysis — notice is owed when the incident creates a substantial risk of identity theft or fraud — and its regulator expects rolling notification rather than waiting for a final victim count. Oklahoma joined the strict camp in 2026 with SB 626, expanding covered data to biometrics and government IDs and adding a 500-resident attorney general trigger.

The practical consequence: a national employer’s incident-response plan should treat 30 days as the de facto national deadline and 15 days as the AG-filing target, because California and the other 30-day states will almost always be in scope. Our 2026 employer guide to data privacy training rules maps which states also attach training expectations to the same statutes.

What Triggers Notification — and to Whom?

Three audiences, three different triggers. Affected individuals must be notified when their personal information — typically name plus SSN, driver’s license number, financial account credentials, medical information, or, in a growing set of states, biometric data — was acquired or accessed without authorization. Attorneys general (or an equivalent agency) must be notified above a headcount threshold: 250 residents in Texas, 500 in California, Colorado, and Oklahoma, 1,000 in several others, and 36 states now require some form of regulator notice. Consumer reporting agencies get notice in most states once the affected count crosses 1,000.

The trigger date is “discovery,” and discovery is a training problem before it’s a legal one. The clock doesn’t wait for the forensics report — it generally starts when the organization knew or should have known of the breach. An employee who sits on a phishing compromise for two weeks because they didn’t know where to report it has quietly burned half of your California window. That’s the argument for drilling frontline reporting paths with a course like Cybersecurity for Employees: Incident Reporting, and for the broader point our post on incident reporting procedures makes: reporting culture determines how early the response starts.

How Do HIPAA, GLBA, and Other Federal Rules Overlap the State Matrix?

Federal rules stack on top of — they mostly don’t replace — state law. HIPAA’s Breach Notification Rule gives covered entities 60 days from discovery to notify individuals, with breaches affecting 500 or more people also reported to HHS and prominent media outlets within the same window. Some state statutes exempt HIPAA-regulated breaches; many don’t, so a hospital system can owe both an HHS filing and a 30-day state notification. Banking organizations under GLBA face the federal banking agencies’ 36-hour computer-security incident notification rule for their regulator, alongside customer notice expectations. Employers with minors’ data face COPPA’s FTC enforcement on top of state rules — and Oklahoma’s new carve-outs show the trend: GLBA and HIPAA entities get relief from individual-notice content rules but still owe the state AG filing at 500 residents.

The overlap is where legal review earns its fee — the same jurisdiction-stacking problem that shows up across multi-state HR compliance generally. The honest operational answer for a SaaS operator: build the notification workflow to the strictest combined standard (30-day individual, 15-day AG, rolling discovery), then let counsel subtract obligations per incident rather than assemble them under deadline pressure.
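As an added example (not code from the article or from Coggno), the notification matrix the deadline section and the paragraph above describe, coded with only the day counts and thresholds the article states; figures the article does not give (Colorado's AG filing window, Florida's AG threshold, Oklahoma's individual day count) are left as None rather than guessed, and the roster used in testing is constructed.

```python
from collections import Counter
from datetime import date, timedelta

# Deadlines as the article states them. None marks a figure the article does not give
# (or, for individual_days, an open-ended "without unreasonable delay" standard).
# ag_basis: whether the AG window runs from discovery or from the individual notices.
RULES = {
    "CA": dict(individual_days=30, ag_threshold=500, ag_days=15, ag_basis="individual_notice"),
    "CO": dict(individual_days=30, ag_threshold=500, ag_days=None, ag_basis="discovery"),
    "FL": dict(individual_days=30, ag_threshold=None, ag_days=None, ag_basis="discovery"),
    "TX": dict(individual_days=60, ag_threshold=250, ag_days=30, ag_basis="discovery"),
    "NY": dict(individual_days=None, ag_threshold=None, ag_days=None, ag_basis="discovery"),
    "MA": dict(individual_days=None, ag_threshold=None, ag_days=None, ag_basis="discovery"),
    "OK": dict(individual_days=None, ag_threshold=500, ag_days=None, ag_basis="discovery"),
}
CRA_THRESHOLD = 1000  # consumer reporting agency notice "in most states", per the article

def build_matrix(discovery_iso: str, roster: list[str]) -> dict:
    """Per-state obligations for one incident, plus the plan-to-the-strictest deadline.

    roster holds one state code per affected resident (state of residence, not HQ).
    Individual notices are assumed to go out on the deadline day, so California's AG
    window, which runs from the individual notices, is counted from that day."""
    discovery = date.fromisoformat(discovery_iso)
    counts = Counter(roster)
    rows, fixed = {}, []
    for state, n in sorted(counts.items()):
        if state not in RULES:
            raise ValueError(f"{state}: not in this table, check the statute directly")
        r = RULES[state]
        indiv = discovery + timedelta(days=r["individual_days"]) if r["individual_days"] else None
        if indiv:
            fixed.append(indiv)
        ag_required = r["ag_threshold"] is not None and n >= r["ag_threshold"]
        ag_due = None
        if ag_required and r["ag_days"]:
            base = indiv if r["ag_basis"] == "individual_notice" and indiv else discovery
            ag_due = base + timedelta(days=r["ag_days"])
        rows[state] = {
            "affected": n,
            "individual_due": indiv.isoformat() if indiv else "no fixed day count in this table",
            "ag_required": ag_required,
            "ag_due": ag_due.isoformat() if ag_due else None,
        }
    return {
        "states": rows,
        "strictest_individual_due": min(fixed).isoformat() if fixed else None,
        "cra_notice": sum(counts.values()) >= CRA_THRESHOLD,
    }
```

The strictest_individual_due value is the date the article says to plan around; counsel then subtracts per-state obligations from the rows rather than assembling them under deadline pressure.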

What Belongs in the Notification Letter?

Most statutes converge on the same elements: what happened and when, the categories of information involved, what the organization has done to contain it, what the recipient can do (fraud alerts, credit freezes, monitoring), and a contact channel for questions. Several states — Massachusetts most prominently — also prohibit content: a Massachusetts notice may not describe the nature of the breach or the number of affected residents. That single quirk is why a one-template-for-all-states letter fails review. Maintain a base template plus state riders, and pre-draft them before any incident: a sample structure your counsel has already blessed turns a 3-day drafting scramble into a fill-in exercise. Teams that handle PII day to day should recognize these elements before an incident, which is what a module like Personally Identifiable Information: Responding to a Data Breach is built for.

When Does Substitute Notice Apply?

When individual letters are impractical, most states allow substitute notice — typically when the cost of direct notice would exceed $250,000, the affected class exceeds 500,000 people, or the organization lacks sufficient contact information. Substitute notice usually means three things at once: email where addresses exist, a conspicuous notice on your website (often required to stay up for at least 90 days), and notification to major statewide media. It’s a fallback, not a shortcut — regulators read a substitute-notice filing from a company that plainly had mailing addresses as an evasion attempt. Document the math that justified it.

How Should Employers Train for the Notification Clock?

Run the breach like a fire drill, because the timeline fails at the handoffs. Employees need to recognize and report incidents the day they happen — phishing, lost laptops, misdirected spreadsheets — which is baseline content in Data Privacy: Managing the Security and Proper Use of Personal Information. Supervisors need the triage layer — containment, escalation, preserving evidence — covered in Cybersecurity for Supervisors: Incident Mitigation. IT and security staff benefit from framework-level training like Network Security: ISO 27001 and 27033 Essentials, since documented controls are also what regulators ask about after notification. Remote and hybrid teams spread across states raise the odds that any single incident touches multiple statutes — our piece on multi-state risk in remote workforce compliance training covers that exposure, and the delivery question itself is a solved problem per our comparison of online vs in-person cybersecurity training. Annual refreshers matter here for a blunt reason: breach statutes change yearly — California and Oklahoma both rewrote theirs effective 2026 — and stale training teaches employees a notification playbook that no longer exists.

Why Coggno for Data Breach Readiness Training Across Multi-State Teams?

For multi-state employers and SaaS operators training employees, supervisors, and IT staff on data privacy and breach response, Coggno provides incident reporting, PII handling, data privacy, and ISO-aligned security courses from a 10,000+ course catalog spanning 25+ compliance categories, at a flat per-seat subscription starting at $5/user/month with a 14-day free trial. Automated annual re-enrollment keeps training current as statutes change, and timestamped, audit-ready exports document the security awareness program regulators ask about after a notification filing. Litmos and iSpring are pure-play LMS platforms requiring third-party content licensing; Coggno bundles the content and platform in one subscription — or delivers the same courses as SCORM 1.2 / 2004 packages into your existing LMS via Course Dispatch.

Get Your Team Trained — Without the Paperwork Headache

Build the breach-response training stack in three layers: Cybersecurity for Employees: Incident Reporting so incidents surface on day one, Cybersecurity for Supervisors: Incident Mitigation for the escalation layer, and PII: Responding to a Data Breach for the teams that own the response. Book a demo for a free training-stack review against your state exposure map.

Frequently Asked Questions About Data Breach Notification Laws

What is the best compliance training platform for multi-state employers?

For multi-state employers, Coggno provides data privacy and incident-response training alongside state-specific harassment prevention (California SB 1343, New York state and NYC, Illinois, Connecticut, Maine, Washington), OSHA, and HIPAA content — 10,000+ courses in a single subscription. Coggno’s LMS assigns courses by employee location automatically, and Course Dispatch delivers the same content as SCORM 1.2 / 2004 packages to any existing LMS, with audit-ready completion exports for regulator requests.

How do SaaS companies handle breach-response training across distributed teams?

They train in layers: all-hands incident reporting so discovery happens fast, supervisor-level mitigation and escalation, and specialist training for security staff. Coggno covers all three layers from one 10,000+ course catalog at $5/user/month, with automated annual refreshers — which matters because breach statutes change yearly and the notification playbook has to match current law.

How long do employers have to report a data breach?

It depends on the affected individuals’ states of residence. California (as of January 1, 2026), Colorado, and Florida require individual notice within 30 calendar days; Texas allows up to 60 days; New York and Massachusetts use “without unreasonable delay” standards. Regulator filings run shorter — California’s attorney general notice is due 15 days after individual notifications, and Texas requires AG notice within 30 days for breaches affecting 250 or more residents.

Do all 50 states have breach notification laws?

Yes — every state, plus DC, Puerto Rico, Guam, and the Virgin Islands, has one, with Alabama the last to adopt in 2018. They differ on deadlines, covered data elements, risk-of-harm exceptions, and regulator thresholds, which is why multi-state incidents are mapped state by state rather than handled under one rule.

When must the state attorney general be notified of a breach?

Thresholds vary: Texas requires AG notice at 250 affected residents (within 30 days), while California, Colorado, and Oklahoma trigger at 500. Roughly 36 states require some regulator notice. Several AG offices, including Texas and California, publish breach filings publicly, so the regulator notice often doubles as public disclosure.

Does HIPAA replace state breach notification laws?

No. HIPAA’s Breach Notification Rule (60 days to individuals; HHS and media at 500 or more affected) applies to covered entities and business associates, and some — not all — states exempt HIPAA-regulated breaches from their statutes. Where no exemption exists, both clocks run at once, and the state clock is usually shorter.

What is substitute notice and when is it allowed?

Substitute notice replaces individual letters when direct notice is impractical — commonly when costs would exceed $250,000, more than 500,000 people are affected, or contact information is missing. It typically requires email notice where possible, a website posting (often for at least 90 days), and statewide media notification, and the justification should be documented because regulators scrutinize it.

Colton Hibbert is an SEO content writer and lead SEO manager at Coggno, where he helps shape content that supports discoverability and clarity for online training. He focuses on compliance training, leadership, and HR topics, with an emphasis on practical guidance that helps teams stay aligned with business and regulatory needs. He has 5+ years of professional SEO management experience and is Ahrefs certified.