Latest Installment of our Mintz Matrix!

By Morgan Ungrady-Johnson, Cynthia J. Larose

Please visit here to visit our Mintz Matrix page with the latest edition of the Mintz Matrix, which is a 50-state resource we have maintained since 2009 to break down and summarize requirements of U.S. state data breach notification laws. State governments continue to update their statutes as sharing of personal data remains an ever-present feature of everyday life, and the Mintz Matrix is designed to be a comprehensive resource for organizations and for practitioners trying to understand the contours of data breach notification obligations across the United States.

Since every state has its own version of a data breach notification statute, we monitor developments around the country and regularly update the Mintz Matrix. Only two states have modified their data breach notification statutes since our last update:

  • California amended Statute 1798.82 to include a specific time frame in which individuals or businesses that conduct business in California and that own or license computerized data that contains personal information must notify impacted persons. The law previously stated that they must be notified without unreasonable delay, which the amendment has modified to within 30 days of discovery or notification of the breach. The notification may be delayed to accommodate law enforcement.

    The amendment further requires that the Attorney General must be notified within 15 calendar days of notification to impacted persons, if one breach impacted more than 500 California residents, whereas the law previously did not include a specific timeline.

    This amendment easily passed through the legislature as lawmakers viewed the modification as necessary to ensure that individuals can quickly act to adequately protect themselves and their personal information that was the subject of the breach. The amendment will become effective January 1, 2026.
  • Oklahoma amended Title 24, §§ 162–166 to expand the definition of personal information and alter the timing requirements. Personal definition now includes biometric identifiers and unique electronic account credentials. The amendment also modified the existing statute with a new requirement that individuals or entities must notify the Attorney General within 60 days of consumer notifications when the breach impacted 500 or more Oklahoma residents.

The amendment also allows entities to potentially avoid civil penalties if they can demonstrate that they used “reasonable safeguards” to prevent such breaches.

Subscribe To Viewpoints

Published

    • Viewpoint Topics

  • Privacy & Cybersecurity

    • Professionals

  • Morgan Ungrady-Johnson
  • Cynthia J. Larose

    • Related Practices

  • Privacy & Cybersecurity

    • Authors

    Morgan Ungrady-Johnson

    Morgan Ungrady-Johnson

    Associate

    Morgan M. Ungrady-Johnson is an Associate at Mintz who advises clients on corporate and securities law, governance, licensing transactions, and general corporate matters.
    Cynthia J. Larose

    Cynthia J. Larose

    Member / Co-chair, Privacy & Cybersecurity Practice

    Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.