Every State Has a Breach Notification Law
Unlike comprehensive privacy laws, which only about half the states have enacted, all 50 states plus Washington D.C., Guam, Puerto Rico, and the U.S. Virgin Islands have data breach notification laws. If your e-commerce business experiences a data breach, you almost certainly have notification obligations — and potentially in every state where affected customers reside.
What Counts as a Data Breach?
Most state breach notification laws are triggered when there is unauthorized access to or acquisition of unencrypted personal information that creates a reasonable likelihood of harm to the affected individuals.
The definition of "personal information" for breach notification purposes typically includes:
- Name combined with one or more of the following:
  - Social Security number
  - Driver's license or state ID number
  - Financial account number with access credentials (PIN, password, security code)
  - Credit or debit card number with security code or expiration date
  - Health or medical information
  - Biometric data
  - Username/email with password or security questions
Some states have expanded definitions. California, for example, includes tax ID numbers, passport numbers, and health insurance information.
Important for e-commerce: If your store is breached and customer names plus credit card numbers (with CVVs or expiration dates) are exposed, you have a breach notification obligation in virtually every state.
Notification Timelines
This is where state laws diverge significantly:
Deadlines by State
- Colorado — 30 days (one of the strictest)
- Florida — 30 days
- Ohio — 45 days
- Washington — 30 days
- Oregon — 45 days
- Texas — 60 days
- Virginia — 60 days
- California — "Most expedient time possible, without unreasonable delay" (no specific number, but courts interpret this as roughly 45-60 days)
- New York — "Most expedient time possible" (similar to California)
- Connecticut — 60 days
The "Without Unreasonable Delay" Standard
Many states use the phrase "without unreasonable delay" rather than a specific number of days. In practice, regulators interpret this as meaning you should notify as soon as you have enough information to do so — typically within 30 to 60 days of discovering the breach.
Best practice: Aim to notify within 30 days of confirming a breach. This satisfies even the strictest state deadlines and demonstrates good faith.
Who Must Be Notified?
Depending on the state and the size of the breach, you may need to notify:
- Affected individuals — Required by every state. Must be in writing (postal mail or email, depending on the state)
- State Attorney General — Many states require notification to the AG, especially for breaches affecting large numbers of residents (California requires AG notification for breaches affecting 500+ residents)
- Consumer reporting agencies — Required when the breach affects a large number of residents (typically 500-1,000+, depending on the state)
- State-specific agencies — Some states require notification to particular agencies (e.g., New York requires notification to the Department of State)
What Must the Notification Include?
At minimum, breach notifications should include:
- Description of the incident — What happened, in plain language
- Types of information compromised — What categories of personal data were affected
- Date or estimated date of the breach — When the breach occurred and when it was discovered
- What you are doing about it — Steps taken to address the breach and prevent future incidents
- What consumers should do — Recommended protective actions (monitor credit reports, change passwords, etc.)
- Contact information — How affected individuals can reach you for more information
- Credit monitoring offer — Not required by every state, but offering free credit monitoring (typically 12-24 months) is considered best practice and may be required when SSNs or financial data are exposed
Your Breach Response Playbook
Hour 0-24: Contain and Assess
- Contain the breach — Stop the unauthorized access immediately. Disconnect compromised systems from the network if necessary, but prefer isolating them over powering them off: a shutdown destroys volatile evidence such as memory contents and active connections.
- Preserve evidence — Do not wipe, rebuild, or restore systems from backup before forensic evidence (disk images, memory captures, and logs) has been collected.
- Activate your incident response team — Internal stakeholders, legal counsel, and if needed, external forensic investigators.
- Begin documenting everything — Time-stamped records of what happened, what you discovered, and what actions you took.
Day 1-7: Investigate
- Determine scope — What systems were affected? What data was accessed? How many records?
- Identify affected individuals — Which customers' data was compromised, and in which states do those customers reside?
- Engage forensic experts — For significant breaches, hire a qualified forensic firm to investigate the root cause and confirm the scope.
- Consult legal counsel — Determine your notification obligations based on the types of data and states involved.
Day 7-30: Notify
- Draft notifications — Prepare notification letters/emails that meet the requirements of all applicable state laws.
- Notify state attorneys general — File required notices with AGs in states that require it.
- Notify affected individuals — Send notifications via the method required by each state's law.
- Set up a response center — Prepare customer service staff to handle calls and questions from affected individuals.
- Notify consumer reporting agencies — If thresholds are met, notify credit bureaus.
Day 30+: Remediate
- Fix the vulnerability — Ensure the root cause is remediated so the same breach cannot recur.
- Update security measures — Implement additional security controls based on lessons learned.
- Review vendor relationships — If the breach originated with a vendor, review and update your DPA and security requirements.
- Document the response — Create a comprehensive record of the entire incident and response for regulatory and legal purposes.
Special Considerations for E-Commerce
- Payment card breaches have additional obligations under PCI DSS and card brand rules, separate from state law
- If you use a payment processor like Stripe or PayPal, the processor may handle card data breach notification — but you are still responsible for other personal data
- Cyber insurance can cover breach response costs (forensics, notification, credit monitoring, legal fees) — consider purchasing a policy before you need it
- Your platform's breach is your breach — If Shopify, WooCommerce hosting, or a plugin vendor is breached and your customer data is exposed, you still have notification obligations to your customers
Cost of a Data Breach
For context on why preparation matters:
- The average cost of a data breach in the United States is over $9 million (IBM Cost of a Data Breach Report)
- Notification costs alone can run $1-3 per affected individual at scale
- State AG investigations can result in fines and consent decrees with ongoing compliance obligations
- Class action lawsuits are common following large breaches, adding legal defense costs and potential settlements