50-State Breach-Notification Matrix

U.S. state breach-notification statutes are layered on top of, but not replaced by, the federal FTC Safeguards Rule (16 C.F.R. § 314.5). The federal layer requires notice to the FTC for the unauthorized acquisition of unencrypted customer information involving 500 or more consumers, within 30 days of discovery. The state layer requires notice to affected residents, and frequently to a state attorney general, banking department, or consumer-protection regulator, with substantial variation in trigger, deadline, content, and threshold.

Four conceptual fault lines structure the matrix:

1. Acquisition versus access.Some statutes are triggered only when personal information is “acquired” without authorization; others are triggered the moment the information is “accessed.” The difference matters in practice: a database that an attacker could have read but apparently did not download may not trigger an “acquisition” statute but may trigger an “access” statute. New York’s SHIELD Act and New Jersey are leading “access” jurisdictions; many others are “acquisition.” Several layer a risk-of-harm filter on top, exempting incidents where there is no reasonable likelihood of misuse.
2. Encryption safe harbor.Nearly every state exempts data that was encrypted, redacted, or rendered otherwise unusable — but the form of the safe harbor varies. Many statutes void the safe harbor if the decryption key was acquired in the same incident; some define “encryption” specifically (Massachusetts), some treat PCI-DSS-compliant payment data as encrypted (Nevada), and some include redaction or other rendering as equivalent. Hardline encrypts at rest by default in Supabase Postgres and Supabase Storage, encrypts in transit via TLS, and maintains separate access controls for keys; in any incident the Legal Lead documents the precise encryption posture against the state-specific definition.
3. AG notice cumulative with consumer notice. Where state AG notice is required, it is in addition to consumer notice, not in lieu of it. AG-notice thresholds (often 500 or 1,000 residents) are usually lower than substitute-notice thresholds. Some states require AG notice before consumer notice (Maryland, New Jersey’s State Police review); some require it concurrently (California, Connecticut, Montana); some require it after (Iowa, Louisiana). Vermont requires an initial preliminary notice to the AG within 14 business days of discovery, before consumer notice. The Legal Lead sequences correctly per the relevant matrix row.
4. Federal layer applies regardless.The FTC Safeguards Rule and any other applicable federal sectoral law (HIPAA, GLBA, SEC Reg S-P, CFPB enforcement actions) apply regardless of state requirements. The 30-day FTC clock at 16 C.F.R. § 314.5 runs from discovery and does not pause for ongoing investigation. Hardline files what it knows by day 30 and supplements rather than miss the clock.

The matrix below is sorted alphabetically. Each row captures the most operationally relevant facts as of v1 of this document. “ASAP” is a non-statutory shorthand for “most expedient time possible” or “without unreasonable delay” phrasing. Where a specific cap applies (e.g., 30, 45, 60 days), that cap is shown. Where the trigger event is shown as “Acquisition” or “Access,” the most common formulation in the relevant statute is summarized; the precise statutory language is what controls in any actual analysis.

A few themes recur across the matrix in ways that change how the Legal Lead structures an incident response in practice:

• Risk-of-harm filter.Roughly half of state statutes incorporate a risk-of-harm filter: notification is required only when the incident is “reasonably likely” to cause “material harm,” “identity theft or fraud,” or similar. These states (Alabama, Alaska, Arkansas, Colorado, Delaware, Indiana, Kansas, Maine, Maryland, Michigan, Mississippi, Missouri, Nebraska, New Mexico, North Carolina, Oklahoma, Utah, Virginia, West Virginia, Wyoming, among others) usually require a written risk assessment to substantiate any decision not to notify; that assessment is itself discoverable in subsequent litigation and is typically retained for five years. Hardline drafts the risk-of-harm analysis under privilege through the Legal Lead.
• Hard deadlines. A subset of statutes impose specific hard caps from discovery or determination: 30 days (Colorado, Florida, Maine, Washington); 45 days (Alabama, Arizona, Maryland, New Mexico, Ohio, Oregon, Rhode Island, Tennessee, Wisconsin); 60 days(Connecticut, Delaware, Louisiana, South Dakota, Texas). Other statutes use only “ASAP / without unreasonable delay” language. Where a 30-day state is in scope, the federal 30-day FTC clock and the state 30-day clock run in parallel and the Legal Lead schedules accordingly.
• Substitute notice. Most statutes allow substitute notice (statewide media plus website plus email-to-known-addresses) when direct notice is infeasible because of cost (typically $5,000 to $250,000), affected-population size (typically 50,000 to 500,000), or lack of contact info. Substitute notice does not relieve the obligation to provide AG notice. Hardline preserves contact info for every borrower and lender precisely so that direct notice remains feasible.
• Content requirements. California, Florida, Maryland, Massachusetts, North Carolina, Texas, and Washington each prescribe specific content for consumer or AG notices. Massachusetts is notably unusual in prohibiting certain content (nature of the breach, number affected) in consumer notice. Hardline maintains state-specific notice templates as appendices to the Incident Response Plan.
• Credit monitoring. Connecticut, Delaware, the District of Columbia, Massachusetts, and Pennsylvania (in defined circumstances) require offering credit monitoring or identity-theft prevention services to affected residents, typically for 12 to 24 months. Hardline pre-negotiates a master agreement with a credit-monitoring provider so that the offering can be stood up within hours of decision.
• CRA notice. A separate notice to the three nationwide consumer reporting agencies (Equifax, Experian, TransUnion) is required in several states when the breach exceeds 1,000 residents (Alabama, South Carolina, Wisconsin), 10,000 (Georgia), or other thresholds. CRA notice is generally not a substitute for AG notice.
• State-specific overlays.Several jurisdictions have non-breach-statute frameworks that nonetheless apply to security incidents: NY DFS Part 500 (23 NYCRR 500) for licensed financial institutions; Massachusetts WISP at 201 CMR 17.00; Illinois BIPA at 740 ILCS 14/ for biometric identifiers; Ohio Data Protection Act safe harbor; Utah Cybersecurity Affirmative Defense Act safe harbor; California Consumer Privacy Act private right of action under Cal. Civ. Code § 1798.150 for unencrypted PI; California SB 1386 history. These overlays may operate in parallel with or partially substitute for the headline breach statute. The Legal Lead checks the overlays as part of every state-specific analysis.
• Insurance-sector overlays.NAIC’s Insurance Data Security Model Law has been adopted (in slightly varying forms) in over twenty states. Hardline is not an insurance licensee, but counterparties to Hardline transactions may be, and the Legal Lead is alert to the possibility that a breach affecting an insurance licensee creates parallel notification rights on Hardline.

The FTC Safeguards Rule at 16 C.F.R. § 314.5, effective May 13, 2024, requires that a financial institution subject to the Rule notify the FTC, as soon as possible and no later than 30 days after discovery, of a notification event involving the unauthorized acquisition of unencrypted customer information of 500 or more consumers. The notification must include the elements set out at § 314.5(b): (a) the name and contact information of the reporting financial institution; (b) a description of the types of information involved; (c) the date or date range of the notification event, if the financial institution can reasonably determine it; (d) the number of consumers affected or potentially affected; (e) a general description of the notification event; and (f) whether any law-enforcement official has provided the financial institution with a written determination that notifying the public would impede a criminal investigation or cause damage to national security, and a means for the FTC to contact the official.

Hardline files via the FTC online portal. The 30-day clock is not paused by ongoing investigation. If the elements are not fully known by day 30, Hardline files what is known and supplements promptly. The Legal Lead documents the discovery date in the incident record contemporaneously to avoid later ambiguity about when the clock started.

Additional federal overlays may apply in specific circumstances: SEC Regulation S-P Rule 30 for SEC-registered broker-dealers and investment advisers (Hardline is neither, but lender counterparties may be); HIPAA Breach Notification Rule for PHI (not applicable to Hardline absent a material change in scope); CFPB enforcement authority under Dodd-Frank UDAAP for incidents involving consumer financial information; and the FTC’s general Section 5 UDAP authority over unfair or deceptive security practices.

This matrix is maintained by the Hardline Legal Lead in coordination with outside counsel. It is reviewed at least annually and after any material legislative or regulatory change in any covered jurisdiction. Items that have been the subject of recent or pending legislative activity (e.g., post-2023 amendments in Pennsylvania, post-2024 amendments in Minnesota, post-2022 amendments in Hawaii) are flagged for priority re-verification. Operational use of this matrix in any actual incident is preceded by a state-specific verification by counsel at the time of the incident, including pulling the current statutory text and checking any pending amendments or regulator guidance.

The matrix is published at /legal/breach-notification-matrix as part of Hardline’s broader legal documentation set and is referenced by Section 7 of the Incident Response Plan at /legal/incident-response § 7. Nothing in this matrix constitutes legal advice; nothing in this matrix creates a third-party right or a private right of action; nothing in this matrix modifies any contractual obligation owed by Hardline. The matrix is not a substitute for retaining counsel at the time of an actual incident.

• 1.0-draft (2026-05-10). Initial pre-launch draft. All 50 states + D.C. captured. Pending licensed-attorney review. Items requiring counsel re-verification before public reliance include: (a) the 2023–2024 amendments to Pennsylvania PIPA; (b) the 2024 amendments to Minnesota Stat. § 325E.61; (c) the 2022 amendments to Hawaii’s breach statute; (d) any 2025 amendments not yet captured; (e) the precise current FTC portal mechanics; (f) the current in-force cyber-insurance policy notice window.