ARTICLE
26 May 2026

Proposed State Laws For Breach Notification Could Reshape Incident Response Plans

Jackson Lewis P.C.


State breach-notification laws continue to evolve, and legislatures are using 2026 sessions to tighten consumer protections and shift the civil liability landscape that often follows a cyber event.

For businesses, the practical takeaway is that incident response planning increasingly needs to account not only for “whether notice is required,” but also for hard timelines, regulator-facing deliverables, and the cost of consumer support services.

Several state bills have died without passing out of the legislature, including bills in Connecticut, Hawaii, and Oklahoma. However, we continue to watch two pending bills on the East Coast.

New Jersey – Assembly Bill 1852

New Jersey’s pending proposal is more about standardizing notice practices and ensuring ongoing consumer access to credit reporting.

As introduced, the bill narrows permissible notice methods to written notice or electronic notice. It removes the existing substitute-notice pathway that many companies rely on when notice costs are high or when contact information is incomplete.

The proposal is also more prescriptive about content. It requires breach notices to include contact information, including a toll-free telephone number, of a customer representative of the business or public entity who shall be available to give the customer information on:

  • What information has been compromised, and potential consequences of the breach of security
  • How the company or public entity is addressing the breach
  • What steps the customer may take to safeguard their information, and
  • Notification that the customer has access to free credit reports

Providing a toll-free telephone number would be a larger lift than what most state breach notice requirements demand.

Beyond disclosure, the bill would impose a substantive consumer-support obligation: for six months after notification, the business or public entity must provide access to independent credit reports from a consumer reporting agency and pay the associated fees for the access cadence described in the bill.

Finally, the bill includes a cost-allocation provision under which a third party maintaining records on behalf of another entity would be responsible for reimbursing the principal for notification and credit-report access costs, which will be significant for businesses that outsource data processing.

New York – Senate Bill 3078

New York’s proposal is comparatively targeted, but it could have meaningful cost implications after incidents, especially for consumer-facing organizations. The bill would require that, when the notifying person or business was the source of the breach, the notice must include an offer of appropriate identity theft prevention and mitigation services at no cost for at least 12 months, along with the information necessary for the individual to accept the offer. If passed, New York would join several other states, including California, Connecticut, Delaware, Maryland, Pennsylvania, and the District of Columbia, that require such services.

In practice, businesses should expect that determining whether they were “the source” may require careful factual analysis in multi-party ecosystems, including vendor-hosted environments and shared platforms, and should consider establishing internal criteria for that determination.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
