1 October 2025

2025 Breach Notification Law Update

Perkins Coie LLP



State Updates, Security Mandates, and the Federal Regulatory Horizon

Overview

Cybersecurity continues to draw interest from lawmakers and regulators on a variety of fronts. As in 2024, there were relatively few amendments to state data breach notification statutes; the more significant movement was in the regulation of security measures themselves, in both state and federal law. Three key trends emerge from these changes:

  • State interest in fixing a hard deadline for breach notification, with the group of states requiring individual notice within 30 days expanding to include New York and, pending the Governor's signature, California.
  • Increasing focus on security in state privacy laws, which embed obligations for reasonable safeguards and related cybersecurity requirements within broader privacy frameworks.
  • Wide-ranging, and analytically distinct, requirements from multiple federal agencies, each with its own definitions, thresholds, and timelines.

Regardless of a business's regulatory posture, staying abreast of these developments is critical. Below is a summary of some of the most important trends and proposed changes shaping the data breach and privacy landscape in 2025.

State Breach Laws Updates

Oklahoma

Oklahoma's Senate Bill 626 substantially revises the state's data breach notification law, effective January 1, 2026. Oklahoma had not revised its law since it came into effect in 2008, and each of the changes, while substantial, is in line with trends seen frequently in other states over the last few years.

  • Broadened Definition of Personal Information. The bill adds government-issued identification numbers, unique electronic identifiers, and biometric data to the types of information that trigger breach notification.
  • Attorney General (AG) Notification. If a breach affects 500 or more residents, entities must notify the AG within 60 days of notifying the affected individuals.
  • Revised Safe Harbors. The bill revises the language pertaining to entities exempt from the statute without materially affecting the scope of the exemptions, but it makes all exemptions subject to providing notice to the Oklahoma AG if more than 500 individuals are affected.

Additionally, entities that implement "reasonable safeguards" (defined as security policies and practices appropriate to the size and nature of the organization) can assert that compliance as an affirmative defense against civil penalties. Because it is an affirmative defense, the entity bears the burden of showing that the safeguards were actually in place at the time of the breach, which makes contemporaneous documentation of the security program important. If reasonable safeguards are not in place but notice requirements are met, civil penalties are capped at $75,000 plus actual damages.

New York

On December 24, 2024, Governor Kathy Hochul signed an amendment to New York General Business Law § 899-aa creating a firm 30-day deadline for notifying affected New York residents once a breach of personal information is discovered. This aligns New York with the handful of states that already impose a defined timeline (Colorado, Florida, Maine, and Washington), and very likely soon California. While the law retains the long-standing requirement that notices be made "in the most expedient time possible and without unreasonable delay," the 30-day cap is intended to eliminate ambiguity about the outer bound for compliance. The law also removes the provision that previously permitted delays for determining the scope of a breach and restoring system integrity, although delays for the legitimate needs of law enforcement remain permitted.

The amendment also imposes a parallel obligation on businesses that merely maintain, but do not own, personal data: they must now notify the data owner or licensee within 30 days of discovery, replacing prior language that required only "immediate" notice.

As originally enacted, the amendment also appeared to add the New York Department of Financial Services (NYDFS) as a mandatory notification recipient for every business reporting a breach. NYDFS regulates New York-licensed financial institutions and has its own, relatively strict, breach notification requirements, so this caused a fair amount of confusion among entities it does not regulate. Subsequently, on February 14, 2025, Governor Hochul signed S804, which clarified that notice to NYDFS is required only when the breached entity qualifies as a "covered entity" under NYDFS regulations. In such cases, the notification must also comply with the specific procedures and requirements set forth in those regulations.

California

In September 2025, California's legislature followed in New York's footsteps and passed SB 446, requiring disclosure of a data breach within 30 calendar days of discovery or notification of the breach. Unlike New York, the bill preserves delays "to accommodate the legitimate needs of law enforcement" and delays that are "necessary to determine the scope of the breach and restore the reasonable integrity of the data system." Because the bill faces no formal opposition, Governor Gavin Newsom is expected to sign it on or before October 12. The bill also requires businesses or individuals notifying more than 500 California residents of a single breach to submit a sample copy of the notice to the AG within 15 calendar days of individual notification.

Other Relevant State Legislative Updates

Although only a few states revised their respective breach notification statutes, several other key trends are taking hold at the state and industry level that may affect an organization's security obligations.

  • Security Obligations in Comprehensive Privacy Laws. States are continuing to implement comprehensive data privacy laws, with new laws coming into effect in 2025 in Delaware, Iowa, Nebraska, New Hampshire, Minnesota, Tennessee, New Jersey, and Maryland, followed by Indiana, Kentucky, and Rhode Island in early 2026. It has been typical for these laws to include general security obligations as well as enhanced requirements for certain types of sensitive data. New Jersey and Minnesota have gone a step further, specifically requiring that data mapping be incorporated into security safeguards and written policies. Additionally, the California Privacy Protection Agency culminated a years-long effort and approved regulations for cybersecurity audits, which require certain businesses subject to the California Consumer Privacy Act to undergo detailed annual audits of their security programs designed to evaluate safeguards protecting personal information.
  • Qualified Safe Harbor Provisions. In addition to Oklahoma, Nebraska and Texas also added to the legal patchwork of safe harbor provisions. Nebraska's Legislative Bill 241 (LB241) establishes that private entities are immune from class action lawsuits arising from "cybersecurity events" (broadly defined) unless the entity's conduct was willful, wanton, or grossly negligent. The immunity applies only to class actions, not to individual suits or regulatory enforcement. Unlike most other state safe harbor laws, it does not require that the business comply with any particular cybersecurity framework in order to claim immunity. Texas took the opposite approach: S.B. 2610 creates a safe harbor for small businesses with fewer than 250 employees, but only for those that implement and maintain a cybersecurity program that "conform[s] to an industry-recognized cybersecurity framework" (including NIST, FedRAMP, the ISO 27000 series, and certain other frameworks specifically delineated in the law). Qualifying businesses are shielded from exemplary (punitive) damages in data breach lawsuits, not from compensatory damages.
  • Insurance Data Security Requirements. Continuing a multiyear trend of legislating insurance data security requirements, 2025 saw several states update or enact legislation specifically applicable to the insurance industry. Rhode Island's law establishing requirements for domestic insurance companies to implement information security programs became effective on January 1, 2025. Missouri and North Dakota also updated or enacted legislation requiring insurers and insurance producers to implement comprehensive cybersecurity and data protection programs. These laws mandate administrative, technical, and physical safeguards, regular risk assessments, and protocols for responding to cybersecurity events, with some requirements extending to third-party service providers.
  • Financial Institution Data Security Updates. In 2025 North Dakota and Nevada strengthened their regulatory frameworks for state-regulated financial institutions, requiring robust, risk-based cybersecurity programs. These updates mandate administrative, technical, and physical safeguards, regular risk assessments, continuous monitoring, and defined breach response procedures. Notably, under North Dakota's HB 1127, if a security breach affecting more than 500 consumers is discovered, financial institutions must notify the state's commissioner of financial institutions within 45 days.

The changes reflect a broader trend of states taking a proactive role in embedding clear and enforceable data security obligations for institutions that handle sensitive financial and personal information, complementing federal guidance.

Finally, on March 31, 2025, the remaining future-dated requirements of PCI DSS 4.0 became mandatory, so the full framework is now enforceable. PCI DSS 4.0 requires businesses that handle payment card data to implement stronger controls, including multifactor authentication for all access into the cardholder data environment rather than only for administrators, authenticated internal vulnerability scanning, stricter password standards, and an inventory of, and tamper detection for, scripts loaded on payment pages (Requirements 6.4.3 and 11.6.1, the controls aimed at web-skimming attacks). While PCI DSS is enforced primarily through card-brand and acquirer contracts, some states have key exemptions or safe harbor protections based on PCI DSS compliance.

Federal Action

While momentum has been building around federal cybersecurity frameworks, recurring delays in rulemaking in several frameworks have slowed the rollout of major requirements that could reshape compliance obligations.

Bulk Data Transfer Rule (DOJ)

Earlier this year, the U.S. Department of Justice (DOJ) issued a final rule implementing Executive Order 14117, commonly known as the "Bulk Data Transfer Rule," which prohibits or restricts certain transactions in which U.S. persons' bulk sensitive personal data or U.S. government-related data could be accessed by or transferred to "countries of concern" or "covered persons." The rule sets different "bulk" thresholds for each category of data (e.g., biometric data, personal health or financial information, precise geolocation), and it distinguishes between "prohibited transactions" (not allowed at all) and "restricted transactions" (allowed only if specific data security and compliance requirements are met). The rule's remaining affirmative obligations, including due diligence, audit, and reporting requirements, take effect on October 6, at which point the rule will be fully in effect.

DOJ issued FAQs, an Implementation and Enforcement Policy, and a compliance guide to help organizations determine whether their activities are "covered data transactions" and whether they exceed the "bulk" threshold for the various data types, and the Cybersecurity and Infrastructure Security Agency (CISA) published the security requirements that apply to "restricted" transactions. Together, this guidance clarifies definitions and exemptions and the cybersecurity and due diligence obligations that attach when a transaction is restricted.

Regulation S-P (SEC)

On May 16, 2024, the Securities and Exchange Commission (SEC) finalized significant amendments to Regulation S-P, the primary federal rule governing how broker-dealers, investment companies, registered investment advisers, and transfer agents protect nonpublic customer information. The revisions imposed broad customer notification obligations and incident response program requirements (summarized in our 2024 update), as well as requirements related to service provider oversight, data disposal, and recordkeeping. Although technically effective as of August 2, 2024, the compliance deadlines are only now approaching: larger entities must comply by December 3, 2025, and smaller entities have until June 3, 2026. Entities covered by the rule should be reviewing existing policies now to identify and implement the needed changes.

CIRCIA (CISA)

As we reported in 2022 and 2023, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was enacted to give the federal government earlier visibility into significant cyber threats so it can coordinate responses, share warnings, and strengthen national cybersecurity resilience. Under CIRCIA, certain "covered entities" in critical infrastructure sectors must report substantial cyber incidents to CISA within 72 hours after the entity reasonably believes the incident occurred, and must report ransomware payments within 24 hours of making the payment. These obligations attach only once CISA's implementing rule is final. CISA originally planned to issue the final rule by October 2025, but the Office of Management and Budget's Office of Information and Regulatory Affairs recently announced that the rule is now expected in May 2026.

HIPAA Security Rule (HHS)

In January 2025, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking proposing to substantially revise the HIPAA Security Rule for the first time in a decade. As we further describe here, OCR is concerned about the growing prevalence and impact of security breaches and what it perceives as insufficient security among covered entities and business associates. The proposed changes strengthen the rule's technical requirements, increase administrative requirements such as written risk assessments and policies, and increase accountability for business associates. The proposal has been criticized for increasing compliance burdens, particularly on smaller and less sophisticated entities, and for lacking clarity in some requirements. Comments were accepted through March 7, 2025, and OCR has signaled that it expects to release the final rule in May 2026.
