US breach notification laws: what they cost you
Breach notification in the United States is governed by a 50-state patchwork, not a single federal law. Each state defines what counts as a breach, sets a deadline to notify affected residents, and sets a threshold above which the state attorney general must also be told. Because you must follow the law of every affected resident's home state, a breach touching customers nationwide effectively binds you to the strictest applicable rule. The direct cost is the per-record cost of producing and sending each notice, plus credit or identity monitoring for the people who enroll, plus a baseline of legal and forensic work. This guide explains the patchwork, references the deadlines and attorney-general thresholds in a few representative states, and shows how to size the bill with the breach notification cost calculator. It is informational, not legal advice.
Why there are fifty laws, not one
The United States has never passed a general federal breach-notification statute. Instead, beginning with California in 2003, every state enacted its own law, and they do not agree on the details. They differ on what kinds of data trigger notice, on what counts as a "breach," on whether a risk-of-harm analysis can excuse notification, on how quickly you must act, and on when the state attorney general or consumer-protection office must be looped in. Sector rules layer on top: HIPAA for protected health information and the Gramm-Leach-Bliley framework for financial institutions impose their own notification duties in parallel.
The practical effect is that the obligation is driven by where your affected individuals live, not where your business sits. A small firm in one state that serves customers across the country must satisfy the laws of every state those customers reside in. In a multistate breach you end up bound by the union of all the requirements — the earliest deadline, the broadest definition of covered data, and every applicable attorney-general filing.
Deadlines and attorney-general thresholds: a few representative states
The figures below are published statutory references drawn from a representative sample of state laws; they are not the full 50-state set, and the details change, so always verify the current text via the NCSL summary and the statute itself.
- California (Cal. Civ. Code §1798.82): notice "without unreasonable delay"; the attorney general must be notified when a single breach affects more than 500 California residents.
- New York (GBL §899-aa, SHIELD Act): notice "without unreasonable delay"; AG and other state agencies must be notified above roughly 500 affected residents.
- Texas (Tex. Bus. & Com. Code §521.053): a hard 60-day outer deadline; AG notification when the breach affects at least 250 Texas residents.
- Florida (Fla. Stat. §501.171): one of the strictest timelines — notice within 30 days; the Department of Legal Affairs must be told when more than 500 residents are affected.
- Massachusetts (Mass. Gen. Laws ch. 93H): notice "as soon as practicable," with regulators effectively notified even at very low resident counts.
Even this short list shows the trap: notify nationwide and you must meet Florida's 30-day clock and the attorney-general thresholds of Texas, Florida and California, all at once. The strictest deadline governs your timeline; the lowest threshold governs which regulators you must file with.
The anatomy of the cost
Notification is one of the five components of total breach cost — and, importantly, usually one of the smaller ones, well under a tenth of the operational total. But it scales directly with the number of affected people, and for a small business it is the most predictable and controllable slice. It has three parts.
The per-record notice cost
Each affected person must be identified and contacted, typically by mail and often by email or substitute notice as well. On a per-record basis this includes data processing to determine who was affected, printing and postage, and call-center capacity for the inevitable inquiries. Individually small, it adds up quickly across tens of thousands of records.
Credit and identity monitoring
This is the largest variable cost. Whether mandated by a state for certain data types or offered voluntarily to limit churn and litigation, monitoring is priced per enrolled person per year. The key driver is the take-up rate — the share of notified people who actually enroll, which is typically a small minority. You pay for enrollees, not for everyone notified, so a realistic take-up rate makes a large difference to the total. The calculator models this explicitly.
Baseline legal and forensic work
Beneath the per-record costs sits a fixed floor: counsel to determine your obligations across the relevant states, and the forensic work to establish the scope of affected records. Like the rest of breach response, this part is largely fixed and therefore weighs more heavily, per record, on a small breach.
Estimating your notification bill
Put the three parts together and the structure is the same fixed-plus-variable shape as breach cost overall: a fixed legal baseline plus a per-record notice cost plus monitoring for the enrolled minority. The breach notification cost calculator takes your record count and applies representative per-record and monitoring costs at a typical enrollment rate to produce a planning estimate. Because the monitoring take-up rate and per-notice cost are the biggest levers, they are the figures worth pressure-testing against quotes for your own situation.
How notification cost relates to statutory penalties
Notification cost is the operational cost of complying with the law — the price of doing what the statute requires. It is distinct from the statutory penalties that can follow a breach, such as the CCPA private right of action in California, where statutory damages run from $100 to $750 per consumer per incident, or the administrative penalties a state AG can pursue. Those are estimated separately with the CCPA/CPRA exposure calculator and the rest of the compliance-cost tools, and explained in the penalties guide. Keeping the two separate avoids double-counting: notification is what you spend to comply, penalties are what you may owe if you did not.
What to take away
For a small business, the most useful facts are these: there is no single deadline, so plan for the strictest one your customer base implies; the attorney-general thresholds mean even modest breaches can trigger regulator filings; and the cost is dominated by monitoring uptake and a fixed legal floor rather than by the notices themselves. Treat the calculator's output as a planning figure, verify the current statutory details with primary sources, and consult qualified counsel for your specific obligations.
Frequently asked questions
Is there a single US federal breach notification law?
No. For most businesses, breach notification in the United States is governed by a patchwork of laws in all 50 states plus several territories, each with its own definitions, deadlines and attorney-general reporting thresholds. Sector-specific federal rules exist on top of that — notably HIPAA for health data and the GLBA/FTC rules for financial data — but there is no general-purpose federal statute that pre-empts the state laws.
How fast do I have to notify people after a breach?
It varies by state. Several states require notice "without unreasonable delay," while others set hard outer limits — for example 30 days in Florida and Colorado, 45 days in Ohio, and 60 days in Texas. Because you must comply with the law of every affected resident's state, you are effectively bound by the strictest applicable deadline.
What does breach notification actually cost?
The direct cost is roughly the per-record cost of producing and sending each notice, plus credit or identity monitoring for the share of people who enroll, plus a baseline of legal and forensic work. The breach notification cost calculator sizes this from your record count.
Do I have to offer free credit monitoring?
A handful of states require it in defined circumstances (for example, where Social Security numbers are involved), and many businesses offer it voluntarily to limit churn and litigation regardless of whether it is mandated. It is typically the largest variable cost in the notification process.
Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.