Breach Notification Trigger Thresholds: 20-State Chart

One breach can trigger 20 different state rules at the same time. In this chart, I compare Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, and Maryland so you can see three things fast: what starts notice, what data counts, and when notice is due.
Here’s the short version: some states trigger notice on access, others on acquisition, and others only after a risk-of-harm review. Deadlines range from 30 days to 60 days, while several states use “without unreasonable delay” instead of a fixed date. Regulator notice also changes by state, with common reporting lines at 500+ or 1,000+ affected residents.
If I were using this chart during incident response, I’d focus on:
- Trigger wording: access, acquisition, or likely misuse
- Harm review: whether notice can be skipped after an internal review
- Covered data: basics like SSNs and account numbers, plus extras like biometrics, medical data, or login credentials
- Consumer deadline: often 30, 45, or 60 days
- State reporting: whether the AG or another agency must be told, and when
- Recordkeeping rules: some states require written no-harm files kept for 3 to 5 years
Quick Comparison
| State | Main Trigger Type | Consumer Notice Timing | Regulator Notice |
|---|---|---|---|
| Alabama | Acquisition | 45 days from discovery | AG at 1,000+ |
| Alaska | Breach of system with personal info | Without unreasonable delay | AG required |
| Arizona | Harm-based | 45 days after determination | AG at 1,000+ |
| Arkansas | Acquisition + harm exception | Without unreasonable delay | AG at 1,000+ |
| California | Acquisition or believed acquisition | 30 days | AG at 500+ |
| Colorado | Acquisition + misuse review | No later than 30 days after determination | AG at 500+ |
| Connecticut | Access or acquisition + harm review | No later than 60 days after discovery | AG notice required |
| Delaware | Acquisition + harm review | No later than 60 days after determination | AG at 500+ |
| Florida | Access | 30 days after determination | AG at 500+ |
| Georgia | Acquisition | Without unreasonable delay | No AG notice |
| Hawaii | Access + acquisition + harm review | Without unreasonable delay | No AG notice |
| Idaho | Acquisition + misuse review | As soon as possible | AG only for public agencies |
| Illinois | Acquisition | Without unreasonable delay | AG at 500+ |
| Indiana | Acquisition + fraud/ID theft risk | No later than 45 days after discovery | AG notice tied to harm finding |
| Iowa | Misuse review | Without unreasonable delay | AG at 500+ |
| Kansas | Investigation + misuse review | Without unreasonable delay | No AG notice |
| Kentucky | Acquisition + ID theft/fraud risk | Without unreasonable delay | AG usually required |
| Louisiana | Acquisition + harm exception | 60 days from discovery | AG within 10 days after resident notice |
| Maine | Breach involving personal info | 30 days from determination | AG/regulator required |
| Maryland | Acquisition + misuse review | No later than 45 days | AG before consumer notice |
This article is best used as a side-by-side triage guide. If you’re dealing with a multistate incident, the first job is to sort states by trigger, deadline, and AG notice rule before the clocks start running.
State Data Breach Notification Laws: 20-State Quick Reference Chart
1. Alabama
Trigger standard
Alabama requires notice after an unauthorized acquisition of computerized personal information. If a processor discovers the issue, it must promptly notify the owner or licensee. After that trigger, consumer notice must go out within 45 days of discovery.
Harm threshold: There is no separate harm threshold.
Covered data
Computerized personal information.
Consumer notice deadline
45 days from discovery [1][2].
AG notice rules
Alabama also sets a higher reporting threshold at the state level. If 1,000 or more Alabama residents are affected, the business must notify the Alabama Attorney General and consumer reporting agencies [2].
| Requirement | Alabama Rule |
|---|---|
| Consumer notice deadline | 45 days from discovery [1][2] |
| AG notification threshold | 1,000+ affected residents [2] |
| Consumer reporting agency notice | Required if 1,000+ affected residents [2] |
| Statute | SB 318 [2] |
2. Alaska
Alaska uses a broad trigger and does not set a fixed deadline.
Trigger standard
Alaska requires notice when a system that contains personal information is breached [2].
Harm threshold: There is no separate harm threshold.
Covered data
In Alaska, personal information means an individual's first name or first initial and last name, combined with one or more unencrypted data elements:
- Social Security number
- Driver's license or state ID number
- Financial account numbers, including credit or debit card numbers, along with any needed security codes or access codes
Notice timing
Alaska requires notice without unreasonable delay after discovery [2].
AG notice rules
Notice to the regulator is tied to the breach itself, not to a set number of affected Alaska residents. Attorney General notice is required [2].
| Requirement | Alaska Rule |
|---|---|
| Statute | AS 45.48.010 |
| Notice timing | Without unreasonable delay after discovery |
| AG notification | Required |
3. Arizona
Arizona uses a harm-threshold rule. In plain English, that means a company doesn’t have to send notice for every single breach. Notice is required only when the breach is reasonably likely to cause substantial economic loss. So Arizona is narrower than a rule that kicks in the moment personal information is acquired.
Trigger standard
Notice is required only if a reasonable investigation by the business, a third-party forensic auditor, or law enforcement finds that the breach resulted in, or is reasonably likely to result in, substantial economic loss to affected individuals [4]. That’s the key dividing line in Arizona: not the breach by itself, but the likelihood of financial harm.
Covered data
Arizona covers unencrypted, unredacted computerized personal information. This includes a person’s name plus one of the following [4]:
- Social Security number
- Driver's license or state ID number
- Financial account number with an access code
- Online credentials that allow account access
Notice timing
Affected individuals must be notified within 45 days after the breach is determined [4].
AG notice rules
If more than 1,000 individuals are affected, the business must notify the Arizona Attorney General and the Director of the Arizona Department of Homeland Security in writing within 45 days. These reports are generally confidential [4].
| Requirement | Arizona Rule |
|---|---|
| Statute | ARS 18-552 |
| Trigger | Harm-threshold; no notice if substantial economic loss is not reasonably likely |
| Individual notice deadline | 45 days after determination |
| AG notification threshold | More than 1,000 individuals |
| Max civil penalty | $500,000 per breach or series of related breaches [4] |
4. Arkansas
Arkansas requires notice after unauthorized acquisition of computerized data that compromises personal information, unless a reasonable investigation finds no reasonable likelihood of harm. For exit prep, two diligence flags matter most: the written no-harm record and the 5-year retention rule.
Trigger standard
A breach is triggered by the unauthorized acquisition of computerized data that compromises personal information [6]. If the company decides notice is not required, it needs to keep the written determination and the records behind it for 5 years. Those records must also be given to the Attorney General within 30 days of a written request [7].
Covered data
Arkansas covers a first name or first initial plus last name when paired with:
- Social Security number
- Driver's license number or Arkansas ID number
- Financial account number or card number with any code or data needed for access
- Medical information
- Biometric data, including fingerprints and faceprints
This rule applies to medical information in either electronic or physical form [6]. That detail matters because it shapes both the notice call and the Attorney General reporting timeline.
Notice timing
Notice must go out without unreasonable delay [7].
AG notice rules
The Arkansas Attorney General must be notified if more than 1,000 individuals are affected [6][7]. That notice must be sent at the same time affected individuals are notified, or within 45 days after the company decides there is a reasonable likelihood of harm, whichever comes first [7].
| Requirement | Arkansas Rule |
|---|---|
| Statute | Arkansas Code § 4-110-105 [7] |
| Trigger | Risk of harm; no notice required if no reasonable likelihood of harm [6] |
| Individual notice deadline | Without unreasonable delay [7] |
| AG notification threshold | More than 1,000 individuals [6][7] |
| AG notification deadline | Same time as individual notice or within 45 days of harm determination, whichever occurs first [7] |
| Record retention | 5 years for written breach determinations [7] |
| Criminal penalty | Knowing and willful violations are Class A misdemeanors [6] |
5. California
California is a low-threshold, fast-deadline state. It uses a broad definition of personal information, and the outside limit for notice is 30 days.
Trigger standard
Notice is required when unencrypted personal information is acquired, or is reasonably believed to have been acquired, by an unauthorized person [2]. Unauthorized access by itself does not trigger the law. There needs to be actual acquisition of the data, or a reasonable belief that acquisition happened.
Covered data
Covered data includes biometric identifiers, medical and health information, and online account credentials [2][1].
Notice timing
Notice must go out within 30 days, at the latest [2][1]. That's one of the shortest state deadlines.
AG notice rules
If more than 500 California residents are affected, the company must electronically submit a sample notice to the Attorney General [2][1].
| Requirement | California Rule |
|---|---|
| Statute | CA Civil Code § 1798.82 [2] |
| Trigger | Acquisition of unencrypted personal information [2][1] |
| Individual notice deadline | Within 30 days, at the latest [2][1] |
| AG notification threshold | 500+ affected residents [2][1] |
| Covered data highlights | Biometrics, medical info, online credentials [2][1] |
| Dedicated regulator | California Privacy Protection Agency (CPPA) [1] |
| Private right of action | Yes [1] |
For exit prep, the private right of action can increase litigation risk, and the CPPA adds another layer of regulator exposure.
6. Colorado
Colorado moves fast. The state gives organizations 30 days to notify consumers, but notice doesn't turn on acquisition alone. It turns on whether the facts point to misuse that happened, or is reasonably likely to happen.
Trigger standard
Colorado requires notice after the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information. Once a covered entity learns of a potential breach, it must run a prompt, good-faith investigation. If that review shows the data was not misused and is not reasonably likely to be misused, notice is not required.
That no-misuse finding is the big hinge here. If the investigation doesn't support it, the notice duty kicks in.
Covered data
Colorado covers a first name or first initial plus last name when paired with unencrypted:
- Social Security number
- Driver's license or ID number
- Student, military, or passport ID
- Medical information
- Health insurance ID
- Biometric data
The law also covers account credentials, such as a username or email address plus a password, and financial account numbers when access codes are also involved [8][9].
Notice timing
Individual notice is due without unreasonable delay and no later than 30 days after the breach determination.
AG notice rules
For diligence, the key question is whether the investigation supports a no-misuse finding.
| Requirement | Threshold | Deadline |
|---|---|---|
| Individual notice | Any affected resident, unless misuse is not reasonably likely | Without unreasonable delay; no later than 30 days after determination [8][9] |
| Attorney General notice | 500 or more Colorado residents affected | Same as individual notice deadline [8][9] |
| Nationwide consumer reporting agencies | More than 1,000 Colorado residents affected | Without unreasonable delay [8][9] |
The Colorado Attorney General requires breach reports affecting 500 or more residents to be submitted through its online Data Breach Reporting Form [8].
7. Connecticut
Connecticut uses the same harm-based approach as Colorado, but with one big difference: there's a firm 60-day outer limit. Notice has to go out without unreasonable delay, and no later than 60 days after the breach is discovered.
Trigger standard
The duty to notify starts when there is unauthorized access to, or acquisition of, electronic records or computerized data that includes personal information. After a prompt investigation and consultation with law enforcement, notice is not required if the breach is not reasonably likely to cause harm to affected people. Data that was encrypted and made unreadable or unusable is also exempt [10][11].
Covered data
Connecticut's list of covered data goes well beyond a simple name-plus-SSN rule. It covers names combined with SSNs, taxpayer ID numbers, IRS Identity Protection PINs, driver's license numbers, passport and military ID numbers, medical and health insurance information, biometric data, precise geolocation, and online account credentials [10][11].
If the breach involves a Social Security number or taxpayer identification number, the business has to provide 24 months of free identity theft protection and mitigation services to affected Connecticut residents [10][11].
AG notice rules
| Requirement | Threshold | Deadline |
|---|---|---|
| Individual notice | Any affected CT resident, unless harm is not reasonably likely | No later than 60 days after discovery [1][10][11] |
| Attorney General notice | No separate resident-count trigger | No later than the time individual notice is sent [2][10][11] |
Connecticut requires notice to the Attorney General at the same time as, or before, notice goes to affected residents [2][10][11]. Insurance licensees also have to notify the Insurance Commissioner within 3 business days after determining that a cybersecurity event occurred [11].
8. Delaware
Like Connecticut, Delaware uses a harm exception. But the 60-day clock starts at breach determination, not discovery [13].
Trigger standard
In Delaware, a breach means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information [12][13]. Notice isn't required if, after an appropriate investigation, the business reasonably decides the breach is unlikely to cause harm to affected individuals.
The encryption safe harbor is fairly narrow. It applies to encrypted information if the encryption key was not reasonably believed to have been acquired, or if the key could not make the information readable or usable [12][13]. Delaware also says there is no breach when an employee or agent acquires personal information for a legitimate purpose, unless that information is later used or disclosed without authorization [13].
For diligence, two points matter most: the harm exception and the narrower safe harbors.
Covered data
Delaware covers a resident's name plus:
- SSN
- Driver's license number
- Financial account number with access code
- Passport number
- Biometric data
- Medical or health insurance information
All are covered under the statute [12][13]. If an SSN is involved, the business must offer one year of free credit monitoring unless the no-harm exception applies [12][13].
Notice timing
Notice must go out without unreasonable delay and no later than 60 days after the breach determination [13]. In practice, that means you should document the determination date clearly.
AG notice rules
| Requirement | Threshold | Deadline |
|---|---|---|
| Individual notice | Affected Delaware residents, unless harm is unlikely | No later than 60 days after determination [12][13] |
| Attorney General notice | More than 500 affected Delaware residents | No later than when individual notice is sent [2][12][13] |
| Credit reporting agency notice | More than 500 affected Delaware residents | No later than when individual notice is sent [2] |
9. Florida
Florida doesn't use a separate harm test before notice is required. The trigger is unauthorized access to personal information, and the 30-day notice clock starts once that access is identified. For exit prep, that short timeline leaves little room for slow forensics or drawn-out internal debate.
Trigger standard
Florida's trigger is unauthorized access to personal information. There is no separate harm analysis. The big takeaway is simple: once unauthorized access is identified, the 30-day clock starts.
Covered data
Personal information under Florida's statute.
Notice timing
Florida requires individual notice within 30 days of breach determination [1][2]. Law enforcement may delay notice if it would impede a criminal investigation [5]. It makes sense to flag Florida systems early if customer or employee data may have been exposed, because the notice window is tight.
AG notice rules
| Requirement | Threshold | Deadline |
|---|---|---|
| Individual notice | Affected Florida residents | Within 30 days of breach determination [1][2] |
| Attorney General notice | More than 500 affected Florida residents | Same time as individual notice [3] |
| Maximum penalty | Up to $500,000 per breach [2] | - |
Next: Georgia.
10. Georgia
Georgia is also an acquisition-based state. But it has one rule that stands out: processors must alert the data owner within 24 hours of discovery. It also does not require a filing with the Attorney General.
Trigger standard
Georgia requires notice when there is an unauthorized acquisition of computerized data that contains personal information. There is no separate harm test.
Covered data
Georgia covers a first name or first initial plus last name when combined with unencrypted or unredacted:
- Social Security numbers
- Driver's license or state ID numbers
- Account or card numbers that can be used without extra credentials
- Passwords, PINs, or access codes [14]
Medical information, health insurance information, and biometric identifiers are not covered [14].
Georgia also covers those same data elements on their own if they could be used for identity theft [14].
Notice timing
Georgia requires notice without unreasonable delay [2][5]. In plain English, that means notice should go out fast while the company figures out scope and works through remediation.
AG notice rules
Georgia does not require notice to the Attorney General [2]. For deal work and exit prep, the big diligence flag is the 24-hour processor-to-owner notice rule: processors must notify the data owner within 24 hours of discovery [14]. If a breach affects more than 10,000 Georgia residents, the company must also notify nationwide consumer reporting agencies [14].
| Requirement | Threshold | Deadline |
|---|---|---|
| Individual notice | Affected individuals | Without unreasonable delay [2][5] |
| Nationwide consumer reporting agency notice | More than 10,000 Georgia residents [14] | Required |
| Processor notice to data owner | Any breach [14] | Within 24 hours of discovery [14] |
| Attorney General notice | Not required [2] | - |
11. Hawaii
Hawaii’s law applies to personal information in both computerized files and paper records. It also uses a harm-based acquisition trigger. In plain English, that means two questions matter most when you decide whether notice is required:
- Was the data actually acquired?
- Did that access create a risk of harm through actual or likely misuse?
For diligence, document both points clearly.
Trigger standard
Hawaii requires notice when unauthorized access to and acquisition of unencrypted or unredacted personal information creates a risk of harm through actual or likely misuse.
Covered data
Hawaii covers a first name or first initial plus last name combined with an unencrypted or unredacted:
- Social Security number
- driver's license or Hawaii ID card number
- financial account or credit or debit card number with a required security code or password
Notice timing
Notice is due without unreasonable delay after discovery [2].
Regulator notice rules
Hawaii does not require notice to the Attorney General [2]. Instead, once the resident threshold is met, notice shifts to consumer-protection and credit-reporting channels.
| Requirement | Threshold | Deadline |
|---|---|---|
| Individual notice | Affected individuals | Without unreasonable delay [2] |
| Consumer Protection notice | More than 1,000 residents [15] | Required |
| Nationwide credit reporting agency notice | More than 1,000 residents [15] | Required |
| Insurance Commissioner notice | 250 or more affected consumers (insurance licensees) [15] | Within 3 business days of determination [15] |
| Attorney General notice | Not required [2] | - |
12. Idaho
Idaho uses a harm-based model. One detail matters a lot here: Attorney General reporting is limited to public agencies.
Trigger standard
Idaho applies a harm threshold. Notice is required only when unauthorized acquisition materially compromises the security, confidentiality, or integrity of data, and a good-faith investigation finds that misuse has happened or is reasonably likely to happen [16][17].
That means not every breach leads to notice. If misuse is not reasonably likely, notice is not required. Still, the investigation and its conclusion should be documented.
Covered data
Idaho covers a resident's first name or first initial plus last name when paired with any of these unencrypted data elements [16][17]:
- Social Security number
- Driver's license or Idaho identification card number
- Account, credit card, or debit card number combined with a required security code or password
Encrypted data is generally outside the scope of the law [17].
Notice timing
Notice must be sent as soon as possible, without unreasonable delay [16][17]. Law enforcement can ask for a delay if notice would impede a criminal investigation [17].
AG notice rules
This reporting split can matter during exit prep. Public agencies must notify the Idaho Attorney General after a breach. Commercial entities do not have a general Attorney General notice duty under the statute [17].
| Requirement | Applies To | Deadline |
|---|---|---|
| Individual notice | All covered entities | As soon as possible, without unreasonable delay |
| Attorney General notice | Public agencies only | Not specified |
| Commercial AG notice | Not required | - |
13. Illinois
Illinois is a broad-trigger, fast-notice state, and the Attorney General reporting line is easy to spot.
Trigger standard
Illinois law kicks in when there's an unauthorized acquisition of computerized data that includes personal information. The state also treats unauthorized third-party acquisition or use in a broad way, with no separate materiality test layered on top [18].
Covered data
Illinois covers more than the usual basics. That includes biometric data, medical and health insurance information, and login credentials such as a username or email address plus a password or security-question answer [18].
Notice timing
Individual notice must go out in the most expedient time possible and without unreasonable delay [18].
AG notice rules
If a breach affects 500 or more Illinois residents, you must notify the Illinois Attorney General. That notice should be sent as soon as possible, and no later than consumer notice. For HIPAA-covered entities, the rule is tighter: notify the Illinois Attorney General within 5 business days after notifying HHS [18].
| Requirement | Detail |
|---|---|
| Individual notice timing | Most expedient time possible; without unreasonable delay [18] |
| AG notice threshold | 500 or more Illinois residents affected [18] |
| AG notice timing | As soon as possible; no later than consumer notice [18] |
| HIPAA entity AG timing | Within 5 business days of notifying HHS [18] |
| Encryption safe harbor | Applies unless encryption keys were also acquired [18] |
Next, Indiana shifts back to a narrower acquisition-based trigger.
14. Indiana
Indiana keeps the acquisition-based trigger, but the key detail is the harm test.
Trigger standard
Indiana's law applies when there is an unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Notice is required only if the entity knows or should know the acquisition could lead to identity deception, identity theft, or fraud against an Indiana resident. Indiana also covers paper records copied from electronic files [20].
Covered data
That harm test applies only to the data elements Indiana treats as personal information. Under Indiana law, personal information includes:
- Social Security number by itself
- Name combined with a driver's license number, state ID number, or a financial account or card number with any required security code
Medical information, biometric data, and online login credentials are not explicitly covered under Indiana's general breach notification statute.
Notice timing
Individual notice must go out without unreasonable delay, and no later than 45 days after discovery [1][19]. Delay is allowed only for law-enforcement requests or the time needed to restore system integrity and define the scope of the incident.
AG notice rules
AG reporting turns on both the harm finding and the number of residents affected. Send AG notice to DataBreach@atg.in.gov using the required form, unless there is no likely harm [2][20]. If there is no likely harm, no AG notice is due, but the finding should be documented. AG notice must be sent prior to or simultaneously with consumer notice [2]. If more than 1,000 Indiana residents are affected, the entity must also notify all nationwide consumer reporting agencies [20].
| Requirement | Indiana Rule |
|---|---|
| Harm threshold | Risk of identity deception, theft, or fraud [19] |
| Individual notice deadline | Without unreasonable delay; max 45 days [1][19] |
| AG notice timing | Prior to or simultaneous with individual notice [2] |
| CRA notice threshold | More than 1,000 Indiana residents affected [20] |
| Civil penalty | $150,000 per deceptive act [20] |
15. Iowa
Iowa follows the same risk-based pattern seen in a few other states, but here the reporting threshold depends on how many Iowa residents are affected.
Trigger standard
Iowa uses a risk-of-misuse trigger. Notice is required after discovery unless an appropriate investigation shows misuse is not reasonably likely. In plain English, that means you need to investigate first, then decide whether the facts support holding notice back. For diligence, keep the investigation memo and the resident-count analysis on file.
Covered data
Covered data means computerized data that contains personal information.
Notice timing
Consumer notice must go out without unreasonable delay. Iowa does not set a fixed deadline, so your timeline matters. Document each step of the investigation so you can show why the notice timing was reasonable.
AG notice rules
If more than 500 Iowa residents are affected, you must notify the Attorney General and nationwide consumer reporting agencies. That’s why it helps to track resident counts early. Once you cross the 500-resident mark, both notice duties apply.
| Requirement | Iowa Rule |
|---|---|
| Trigger standard | Misuse not reasonably likely after investigation [1] |
| Individual notice deadline | Without unreasonable delay [1] |
| AG notification threshold | More than 500 Iowa residents [2] |
| CRA notification threshold | More than 500 Iowa residents [2] |
| Statutory authority | Iowa Code § 715C.2 |
16. Kansas
Kansas takes a narrower approach than some other states. Notice is required only after a good-faith, reasonable, prompt investigation shows that misuse happened or is reasonably likely [21][22]. For exit prep, that puts the spotlight on two diligence items: the investigation memo and the resident-count check.
Trigger standard
Once a breach is discovered, the entity has to conduct a good-faith, reasonable, and prompt investigation. Notice is required only if that review finds that misuse occurred or is reasonably likely [21][22].
Kansas also has a safe harbor for encrypted or redacted data [23].
Covered data
Kansas covers a resident's name when paired with any of the following [21][23]:
- Social Security number
- Driver's license number or state ID number
- Financial account number, credit card number, or debit card number, if combined with a required security code, access code, or password
Medical data and biometric data are not covered [23].
Notice timing
Notice must be sent without unreasonable delay, while still allowing for law enforcement needs, breach scoping, and system restoration work [21].
Kansas also allows substitute notice if either of these thresholds is met [23]:
- The cost of direct notice would exceed $100,000
- The affected class is more than 5,000 consumers
AG notice rules
Kansas does not require notice to the Attorney General [22].
| Requirement | Kansas Rule |
|---|---|
| Trigger standard | Discovery plus a good-faith investigation; notice only if misuse occurred or is reasonably likely [21][22] |
| Individual notice deadline | Without unreasonable delay [21] |
| AG notification | Not required [22] |
| CRA notification threshold | More than 1,000 consumers notified at one time [21][22] |
| Encryption safe harbor | Yes [23] |
| Statutory authority | KS Stat. §§ 50-7a01, 50-7a02 [23][2] |
Next: Kentucky shifts the comparison to a different trigger and reporting pattern.
17. Kentucky
Kentucky uses a narrower harm test than states that trigger notice based on misuse alone. Here, notice is required only when unauthorized acquisition of unencrypted, unredacted computerized data actually causes identity theft or fraud, or when the entity reasonably believes it will cause identity theft or fraud against a Kentucky resident [24].
That narrower trigger changes the diligence work. For exit prep, document the no-harm determination. If the entity makes and documents that finding, Kentucky law does not require notice to either the Attorney General or affected individuals [24].
Covered data
Under KRS § 365.732, personal information means a resident's first name or first initial and last name combined with:
- a Social Security number
- a driver's license number
- a financial account number or credit/debit card number with any required security code or password
The general statute does not expressly include biometrics.
Because the trigger is tight, the key diligence question is simple: does the breach create a real risk of identity theft or fraud?
Notice timing
Individual notice must be sent in the most expedient time possible and without unreasonable delay [2].
AG notice rules
Kentucky generally requires notice to the Attorney General, but that duty does not apply if the entity has a documented no-harm determination [24]. If more than 1,000 Kentucky residents receive notice, the entity must also notify nationwide consumer reporting agencies without unreasonable delay [2].
| Requirement | Kentucky Rule |
|---|---|
| Trigger standard | Unauthorized acquisition + actual or reasonably believed risk of ID theft/fraud [24] |
| Individual notice deadline | Most expedient time possible; without unreasonable delay [2] |
| AG notification | Required unless no-harm determination is documented [24] |
| CRA notification threshold | >1,000 residents notified [2] |
| Insurance regulatory notice | 3 business days if 250+ residents affected [24] |
| Encryption safe harbor | Yes |
| Statutory authority | Ky. Rev. Stat. § 365.732 |
Insurance licensees must notify the Commissioner of Insurance within 3 business days if a cybersecurity event affects 250 or more Kentucky residents [24].
18. Louisiana
Louisiana is close to Kentucky here, but with one big difference: it sets a hard 60-day cap. The state uses an acquisition trigger, allows a harm exception, and still expects notice to go out within that 60-day window [25][26][1].
Notice is required when personal information was, or is reasonably believed to have been, acquired by an unauthorized person [25][26]. But there’s an off-ramp. If a reasonable investigation shows there is no reasonable likelihood of harm to Louisiana residents, notice does not have to be sent [25][26].
From a diligence angle, a few items stand out: the written no-harm file, the five-year retention rule, and the Attorney General notice content rule.
Trigger standard
"Notification as provided in this Section shall not be required if after a reasonable investigation, the person or business determines that there is no reasonable likelihood of harm to the residents of this state." - Louisiana Revised Statutes Tit. 51, § 3074 [25]
If a business uses the no-harm exception, it must keep the written determination and the records behind it for five years [25][26]. And if the Attorney General asks for that determination in writing, the business has 30 days to provide a copy [25].
Covered data
Louisiana defines personal information as a resident’s first name or first initial and last name, combined with any of the following [26]:
- Social Security number
- Driver's license or state ID number
- Financial account number or credit/debit card number, along with any security code needed to use the account
- Passport number
- Biometric data
Biometric data includes fingerprints, voice prints, and retina or iris scans used to authenticate identity [26]. Louisiana also applies this law to paper records, not just electronic data [2].
Notice timing
"The notification... shall be made in the most expedient time possible and without unreasonable delay but not later than sixty days from the discovery of the breach." - Louisiana Revised Statutes Tit. 51, § 3074 [25]
This is a firm deadline: 60 days from discovery [25][1]. If notice is delayed because of law enforcement needs or because the business is still assessing the scope of the breach, written notice of that delay must be sent to the Attorney General before day 60 [25].
AG notice rules
Louisiana requires notice to the Attorney General within 10 days after resident notice goes out [26]. That notice must include the names of affected residents [26]. In plain terms, the resident notice list becomes part of the reporting record.
| Requirement | Louisiana Rule |
|---|---|
| Trigger standard | Unauthorized acquisition; no notice if there is no reasonable likelihood of harm [25][26] |
| Individual notice deadline | 60 days from discovery [25][1] |
| AG notification deadline | Within 10 days of resident notification [26] |
| AG notice content | Must include names of affected residents [26] |
| No-harm documentation retention | 5 years [25][26] |
| Encryption safe harbor | Yes; encrypted or redacted data are excluded [26] |
| Private right of action | Yes, for actual damages [26] |
| Statutory authority | La. Rev. Stat. Ann. §§ 51:3071–51:3077 [26] |
19. Maine
Maine moves even faster here: consumers must be notified within 30 days. The state also uses a broad trigger, which means the bar for notice can be lower than some teams expect.
Trigger standard
Maine requires notice for a breach of security involving personal information [5]. There isn't a separate harm test layered on top. In plain terms, the trigger can come from unauthorized acquisition, release, or use of personal information [5][27].
That shifts the focus. Instead of spending time trying to prove actual misuse, teams need to look at whether the incident could create identity-theft risk. Maine also has a stand-alone data rule. Notice can be required for stand-alone data that can support identity theft [27]. For exit prep, that usually means one thing: could this incident support identity theft?
Covered data
Maine's general definition of personal information includes a person's first name or first initial and last name combined with:
- Social Security number
- Driver's license or state ID number
- Account or debit/credit card numbers that can be used without additional information
- Account passwords or PINs [27]
Biometric and medical data don't appear in the general statute, but they are covered for insurance licensees.
Notice timing
Maine requires consumer notice within 30 days of determination [2].
AG notice rules
Notice must go to the Attorney General, or to the Department of Professional and Financial Regulation for regulated entities [27].
| Requirement | Maine Rule |
|---|---|
| Trigger standard | Breach of security involving personal information [5] |
| Risk-of-harm qualifier | No separate harm test |
| Stand-alone data rule | Yes; identity-theft-capable data can trigger notice even without a name [27] |
| Individual notice deadline | 30 days from determination [2] |
| AG/regulator notice | Required; regulated entities notify the Department of Professional and Financial Regulation instead [27] |
| Statutory authority | 10 MRSA § 1348 [2] |
20. Maryland
Maryland uses a harm-based approach, with one extra wrinkle: you also need to report to the AG before sending consumer notices. The state applies a risk-of-misuse test and sets a hard outer limit of 45 days.
Trigger standard
Maryland defines a breach as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information held by the business [28]. Notice is required unless the business reasonably decides that the breach does not create a likelihood that personal information has been or will be misused [28].
Once the breach is discovered, the business must promptly investigate whether misuse is likely [28]. If it decides notice is not required, it must keep records of that decision for 3 years [28].
Covered data
Maryland's covered data includes health information, insurance policy numbers, biometric data, genetic information, and email-account credentials, including a username or email address plus a password or security answer [28][2].
Notice timing
Individual notice must go out as soon as reasonably practicable, and no later than 45 days after the business discovers or is notified of the breach [28][2]. If a business maintains the data but does not own it, it must notify the owner or licensee as soon as practicable, but no later than 10 days after discovery [28].
If law enforcement allows a delay, notice must be sent within 7 days after clearance if the original 45-day window has already passed [28].
AG notice rules
For exit prep, the AG packet matters just as much as the investigation memo. The AG notice must include the number of affected residents, the timing and method of the breach, the remediation steps already taken or planned, and a sample consumer notice [28].
| Requirement | Maryland Rule |
|---|---|
| Trigger standard | Unauthorized acquisition compromising security, confidentiality, or integrity [28] |
| Risk-of-harm qualifier | Yes - no notice required if misuse is not likely [28] |
| Individual notice deadline | As soon as reasonably practicable, no later than 45 days [28][2] |
| Vendor-to-owner deadline | No later than 10 days after discovery [28] |
| AG notification timing | Before consumer notice [28] |
| Record retention (no-notice decision) | 3 years [28] |
FAQs
Which states use access instead of acquisition as the trigger?
Most state data breach notice laws define a breach as the unauthorized acquisition of sensitive personal information. The source material backs that up: many states use that standard.
It does not spell out which states use a broader access-based trigger. To answer that, you’d need a state-by-state review of each statute, because the definitions differ and can change over time.
How do I handle one breach that affects residents in multiple states?
There’s no one-size-fits-all approach here. You need to follow the laws of each state where the affected people live.
Review each state’s rules for timing, notice content, and Attorney General reporting. Some states give a set deadline, while others say notice must go out without unreasonable delay. Document your investigation and harm assessment for each state, and consult legal counsel.
When can a no-harm review let me skip notice?
You may skip notice if you promptly conduct a good-faith investigation and determine the breach is not reasonably likely to cause substantial harm to affected individuals.
In most cases, you must document that risk assessment in writing and keep those records for the time period required under state law. In some states, you may also need to coordinate with law enforcement or report your findings to the Attorney General.