Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws
Notification: Attorney General and State Agency Notice
About two-thirds of states require notice to the attorney general/state agency, often above a numeric threshold (commonly 250 to 1,000 people). Vermont's 14 business days is the shortest enumerated AG timeframe; Maryland, New Hampshire, and New Jersey require AG notice BEFORE notifying individuals.
Roughly half of these states attach a threshold (number of state residents or individuals affected) before AG/agency notice is required, typically from a low of 250 to a high of 1,000.
- Most common timing: notice as soon as possible, often mirroring the affected-party deadline
- Several states require AG notice no later than or simultaneous with notice to affected parties
- Vermont has the shortest enumerated timeframe: within 14 business days of discovery or when notifying individuals, whichever is sooner
- Maryland, New Hampshire, and New Jersey require AG/state notice prior to notifying affected parties
- A minority of states set no timing requirement for AG notice
Most states require AG/agency notice only if, after investigation, the breach has harmed consumers or is reasonably likely to do so. Notice may go by letter or email; some states require specific online forms.