# llms.txt — LLM-optimized site description
# https://notification.breached.company/llms.txt
# Standard: https://llmstxt.org/
# Last updated: May 6, 2026

# US State Breach Notification Requirements Tracker

> A free, regularly updated reference tool covering data breach notification obligations across all 50 US states, 15+ federal regulations, and 19 global jurisdictions. Updated through May 2026. For informational purposes only — not legal advice.

## What This Tool Covers

### US State Laws (50 states)

All 50 US states have enacted data breach notification laws. Key data points per state:

- **Notification timeline** (e.g., 30 days: CA, FL, ME, NY, WA, CO; 60 days: LA, SD, TX; 90 days: CT; "without unreasonable delay": most others)
- **AG notification** threshold (varies from >250 to >10,000 residents, or always)
- **Credit bureau notification** threshold
- **Protected PII types** (SSN, driver's license, financial account, medical, biometric, username+password, etc.)
- **Penalties** (civil penalties ranging from $100/violation to $500K per breach)
- **Credit monitoring requirements** (CT: 24 months for SSN/Tax ID; DE: 12 months; PA: 12 months)
- **Encryption safe harbor** (all 50 states; MA/RI require 128-bit+; NY requires key also compromised)
- **Ransomware by access** (CT and NJ only — notification triggered by access alone, not exfiltration)
- **Special requirements** (CA notice format; IL elderly protections; VT data broker registration; OK SB 626 in effect Jan 2026; TX SB 2610 safe harbor Sept 2025)

### Federal Regulations (15+)

- **HIPAA**: 60 days; PHI; ransomware is a breach; NPRM published Jan 6 2025 proposing mandatory MFA, 72h contingency plans
- **GLBA/Safeguards Rule**: 30 days to FTC for 500+ consumers (non-bank financial institutions, eff. May 13 2024); ~$53,088/violation
- **CIRCIA**: 72h cyber incidents + 24h ransom payments; NPRM April 2024; final rule expected mid-2026 after CISA delay
- **SEC Regulation S-P**: 30 days; large entities required Dec 3 2025; smaller entities June 3 2026
- **FTC Health Breach Notification Rule**: 60 days; health apps not covered by HIPAA; fitness/diet/sleep apps
- **PCI DSS 4.0**: Immediately upon discovery; all requirements enforceable March 2025
- **FISMA**: 1 hour to US-CERT for major federal incidents
- **SOX Section 404**: 4 business days Form 8-K for material cybersecurity incidents
- **FCC CPNI Rule**: 30 days to consumers; 7 business days to FCC/FBI/Secret Service (updated March 2024)
- **TSA Pipeline Security**: 12 hours to CISA (pipelines/LNG); 24 hours (rail)
- Plus: FERPA, FCRA, COPPA, DPPA, VPPA

### Global Jurisdictions (19)

| Jurisdiction | Timeline | Authority | Max Penalty |
|---|---|---|---|
| EU GDPR | 72h to DPA; without undue delay to individuals | DPAs (per member state) | €20M or 4% global revenue |
| EU NIS2 | 24h early warning + 72h detailed report (in force Oct 2024) | National competent authorities | €10M or 2% revenue |
| UK GDPR + DUA Act 2025 | 72h to ICO | ICO | £17.5M or 4% global revenue |
| China PIPL | Immediate (8h in practice) | CAC | ¥50M or 5% revenue |
| India DPDPA | 72h (enforceable from May 2027) | Data Protection Board | ₹250 crore (~$30M USD) |
| Brazil LGPD | 3 business days to ANPD | ANPD | R$50M or 2% revenue |
| Canada PIPEDA | As soon as feasible | OPC | CAD $100,000/violation |
| Australia Privacy Act | 30 days to assess; notify OAIC if serious harm | OAIC | AU$50M or 3x benefit or 30% turnover |
| Japan APPI | 3-5 days initial; 30-60 days detailed | PPC | ¥100M administrative |
| South Korea PIPA | 72h if 1,000+ or sensitive | PIPC/KISA | ₩50M fine or 5 years imprisonment |
| Singapore PDPA | 3 calendar days | PDPC | S$1M |
| New Zealand Privacy Act | 72h (recommended) | Privacy Commissioner | NZ$10,000/individual |
| Mexico LFPDPPP | Immediate | Ministry of Anti-Corruption | USD $1.7M |
| South Africa POPIA | As soon as reasonably possible | Information Regulator | ZAR 10M |
| UAE DIFC | As soon as reasonably practicable | DIFC Commissioner | USD $500,000/violation |
| Switzerland FADP | As soon as possible (high-risk) | FDPIC | CHF 250,000 (criminal) |
| Turkey KVKK | 72h | TDPA/Kurul | TRY 20M |
| Israel Privacy Law | Immediate | IPA | Increasing under 2024 amendments |
| Argentina PDPA | Voluntary (no mandate) | AAIP | ARS fines |

## Key Insights (May 2026)

### Recent Law Changes

- **CA SB 446** (in effect Jan 1, 2026): 30-day individual notification; 15-day AG notification for >500 residents
- **NY** (in effect Dec 2024 + Mar 2025): 30-day deadline; Medical + Health Insurance now covered PII
- **Oklahoma SB 626** (in effect Jan 1, 2026): Added biometric, government IDs, unique electronic identifiers; AG notification for >500
- **Pennsylvania** (eff. Sept 2024): 12 months free credit monitoring for SSN/DL/bank account breaches
- **GLBA Safeguards amendment** (eff. May 13, 2024): 30-day FTC notification for 500+ consumers
- **Australia Privacy Act Amendment** (eff. Dec 10, 2024): Penalties increased from AU$2.5M to AU$50M
- **UK Data (Use and Access) Act** (Royal Assent June 19, 2025): PECR harmonized to 72h; fines to £17.5M
- **India DPDPA Rules** (finalized Nov 2025): Phased enforcement; breach notification enforceable May 2027
- **EU NIS2** (in force Oct 18, 2024): Separate cyber incident notification from GDPR; 24h+72h regime
- **TX SB 2610** (eff. Sept 1, 2025): Cybersecurity safe harbor for SMBs (<250 employees)
- **SEC Reg S-P**: Large entity deadline passed Dec 3, 2025; smaller entity deadline June 3, 2026
- **CIRCIA**: Final rule delayed (CISA Sept 2025); expected mid-2026
- **HIPAA Security Rule NPRM**: Published Jan 6, 2025; final rule expected ~mid-2026

### Ransomware Gap

Only CT and NJ require notification based on access alone (no exfiltration needed). Most states require actual acquisition/exfiltration of data.

### Strictest Timelines

- 1 hour: FISMA (federal agencies)
- Immediate: PCI DSS, China PIPL, Mexico
- 24h: TSA pipelines; EU NIS2 early warning
- 72h: EU GDPR, EU NIS2 detailed, UK GDPR, South Korea PIPA, Turkey KVKK, CIRCIA (pending)
- 30 days: CA, FL, ME, NY, WA, CO; GLBA to FTC; SEC S-P

## Related Tools

- IR Cost Calculator: https://ircost.breached.company/
- IR Maturity Assessment: https://ir.breached.company/
- PII Classification Tool: https://pii.compliancehub.wiki/
- Biometric Privacy Tracker: https://biometric.myprivacy.blog/
- Privacy Rights by State: https://privacyrights.compliancehub.wiki/
- Children's Privacy Rights: https://childrenprivacyrights.com/
- Generate Policy: https://generatepolicy.com/
- CISO DIY: https://ciso.diy/
- Cyber Policy Shop: https://cyberpolicy.shop/
- CyberAgent Exchange: https://cyberagent.exchange/
- CISO Marketplace: https://cisomarketplace.com/
- Part of the CyberAdX Network: https://cyberadx.network/

## Disclaimer

This tool is for informational purposes only and does not constitute legal advice. Requirements change frequently. Always verify with official sources and qualified legal counsel.