There's no single US federal data breach notification law. Instead, there are 50 state laws (plus the District of Columbia and US territories), several federal sector-specific layers, and a growing patchwork of class-action vehicles. If you take card payments from customers in multiple states — and most payment companies do — a breach triggers a notification puzzle that has to be solved fast.
This piece walks through how the state patchwork actually works, where the federal layers stack, which states are the hardest to deal with, and what payment companies can do upfront to make the puzzle smaller when something goes wrong.
The 50-state baseline

Every state has a data breach notification law of some kind. They all share a basic shape:
- If "personal information" of a resident of the state is compromised, you have to tell that resident
- You also have to tell the state Attorney General (in most states, above a threshold)
- You have to tell consumer reporting agencies if the breach affects a large enough number of people
- You generally have to do all of this "without unreasonable delay" — sometimes with a hard outer limit
What "personal information" means varies. The common core is name plus one of: Social Security number, driver's licence number, financial account number, or credit/debit card number with the access code. Some states add health information, biometric data, online account credentials, tax ID numbers, passport numbers, or other fields.
What "breach" means also varies. Most states define it as unauthorised acquisition of personal information. Some include unauthorised access even without acquisition. Some carve out encrypted data (no breach if the data was encrypted and the key wasn't compromised).
The states that matter most
Some states drive more compliance work than others, because they're either bigger markets, faster on notification, or have a private right of action.
California. The CCPA gives consumers a private right of action for breaches of unencrypted, unredacted personal information, with statutory damages of $100 to $750 per consumer per incident. California also has the California Invasion of Privacy Act (CIPA), which covers call recording and has been used against payment companies in class actions over wiretap-style theories. Notification to residents is required without unreasonable delay; the state's data breach reporting site collects details on incidents affecting 500 or more California residents.
New York. The SHIELD Act of 2020 expanded New York's breach law and added a reasonable security requirement. Notification is required as quickly as possible and without unreasonable delay, with notification to the AG, the Department of State, and the State Police when 500 or more residents are affected. On top of that, NYDFS-licensed entities have their own 72-hour reporting clock under Part 500.
Illinois. The Biometric Information Privacy Act (BIPA) doesn't cover card data, but it covers fingerprints and other biometrics used for things like POS verification or employee timekeeping. BIPA has been a class-action goldmine — statutory damages of $1,000 per negligent violation and $5,000 per intentional violation, with the Illinois Supreme Court holding that each fingerprint scan can be a separate violation.
Massachusetts. Notification is required as soon as practicable and without unreasonable delay, with notice to the AG and the Office of Consumer Affairs and Business Regulation. Massachusetts also has 201 CMR 17.00, a written information security programme requirement that applies to anyone holding personal information about Massachusetts residents. The standards include encryption, access controls, training, and vendor management — many of the same boxes as the NYDFS rule.
Texas. HB 4, which took effect in 2024, requires notification within 60 days, with AG notification required when 250 or more Texans are affected. Texas previously had a 60-day clock with no AG notification threshold beyond a general report; the change brought the law in line with the more demanding states.
The federal layers
State laws aren't the only game in town. Depending on what your business does, you may also be subject to:
- HIPAA — for healthcare-related data. The HITECH Act added breach notification: 60 days to notify affected individuals, plus HHS OCR, plus the media if 500 or more residents of a state or jurisdiction are affected.
- GLBA — for financial institutions covered by the Gramm-Leach-Bliley Act. The FTC's amended Safeguards Rule now includes a 30-day notification requirement to the FTC for incidents involving 500 or more consumers.
- SEC rules — public companies have to disclose material cybersecurity incidents within four business days of determining materiality.
- NYDFS — for entities licensed in New York, the 72-hour reporting requirement under Part 500.
- CIRCIA — when CISA's rules are finalised, covered critical infrastructure entities will have to report incidents within 72 hours and ransomware payments within 24 hours.
The pattern across all of these is a tightening of timelines. A few years ago, "as soon as practicable" gave you weeks. Now you're looking at days, sometimes hours.
What payment companies actually face
If you're a payment processor or a merchant handling card data, a breach typically involves a few overlapping work streams running at the same time:
- The card brand side. Visa, Mastercard, etc. require notification to your acquirer, who notifies them. Forensic investigation by a PCI Forensic Investigator (PFI) is often mandated. The card brands can require card reissuance and assess fines or chargebacks.
- The state notification side. 50 state notifications, in 50 different formats, on 50 different timelines. Specialist breach-response counsel and notification vendors exist precisely because this is hard to do well.
- The federal side. Whichever sector regulators apply to you.
- The class action side. Especially in California and Illinois. The plaintiff's bar is well organized and moves fast.
- The press and PR side. Often the most visible piece, but the one most people overestimate compared to the regulatory and litigation work.
Some recent settlements give a sense of where the numbers land:
- T-Mobile — $350 million class action settlement in 2023 over a 2021 breach affecting tens of millions of customers, plus a separate $500 million commitment to security spending.
- Equifax — $700 million settlement in 2019 covering FTC, CFPB, 50 state AGs, and a class action over the 2017 breach.
These are the marquee cases. Most breaches don't reach those numbers — but the median public-company breach in financial services costs tens of millions once notification, response, regulatory, and remediation costs are added up.
How to make breach response smaller
The single biggest determinant of breach response cost is how much sensitive data you held that was actually compromised. That sounds obvious, but it has practical implications for how you design a payment workflow.
Things worth doing upfront:
- Don't store what you don't need. The card data you don't have can't be breached. Tokenize everything, store nothing unencrypted, and have a retention policy with teeth.
- Keep card data out of contact center systems. Call recordings, CRM notes, agent screen captures, and chat logs are common locations for card data to accumulate by accident. DTMF masking keeps the card digits out of the contact center entirely, which means a breach of the contact center doesn't become a card breach.
- Encrypt at rest and in transit, with proper key management. Many state laws give you a safe harbour for encrypted data — but only if your encryption was actually meaningful and the keys weren't exposed.
- Run incident response tabletops. The first time you discover the 50-state notification mechanics shouldn't be at 11pm on a Sunday.
- Have breach counsel on retainer. Outside specialist counsel can structure your investigation under privilege and run the multi-state notification process. Doing this without specialist help in-house is painful.
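One way to verify the "keep card data out of contact center systems" point in practice is to scan exported CRM notes and chat transcripts for card numbers that have accumulated by accident. The Python below is an added example, not Paytia's code or product; it finds Luhn-valid 13 to 19 digit runs and reports them masked to first six/last four, so the scan report itself does not become a new store of card data. The record ids and text are constructed sample data.

```python
import re

# Candidate 13-19 digit runs, allowing the spaces or dashes agents
# typically type between card number groups in notes or chat.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, as digit strings."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Luhn filters out order refs, ticket ids and other long numbers.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Show at most first six and last four digits, as PCI DSS allows."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_records(records):
    """Return (record_id, masked_pan) for every record holding a PAN."""
    findings = []
    for rec_id, body in records:
        for pan in find_pans(body):
            findings.append((rec_id, mask_pan(pan)))
    return findings


# Constructed sample CRM notes and chat lines (test card numbers, not real data).
SAMPLE_RECORDS = [
    ("crm-1001", "Customer read card 4111 1111 1111 1111 over phone, exp 09/27"),
    ("chat-2002", "Order ref 1234567890123 confirmed, ticket 98765"),
    ("crm-1003", "Paid via IVR token tok_7f3a9c; no card details taken"),
    ("chat-2004", "agent: got it, 5555-5555-5555-4444 on file now"),
]

if __name__ == "__main__":
    for rec_id, masked in scan_records(SAMPLE_RECORDS):
        print(f"{rec_id}: card number present ({masked})")
```

Running it against a real export gives you a record-level list of where card data has leaked into the contact center, which is exactly the data that would turn a CRM or chat-platform compromise into a card breach.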
Where Paytia fits
Paytia is a PCI DSS Level 1 service provider, certified since 2016, with our US base in New York. We've handled more than $500 million in card payments through our DTMF-masking platform.
Our role in the breach-prevention story is narrow but useful: we take card data out of your phone payment workflow. Card numbers never sit in your call recordings, never appear on your agent screens, and never land in your CRM. If your contact center systems are compromised — phishing, ransomware, insider misuse — the card data isn't part of what's stolen, because it wasn't there in the first place.
That doesn't replace your wider breach-response programme. You still need encryption, monitoring, incident response, counsel, and notification mechanics. But it does shrink the blast radius of the most common attack types, which is one of the few things that actually moves the needle on breach response cost.
If you want to talk through what a phone-payment workflow looks like when card data is kept out of your environment, get in touch with our New York team.
One more thing: cyber insurance is doing the underwriting
Cyber insurance carriers have effectively become a second regulator over the last five years. Premiums have moved sharply, capacity has tightened, and the underwriting questionnaires now ask in detail about MFA, EDR, backup integrity, network segmentation, and — increasingly — how you handle sensitive data flows like phone payments. If you can't show that card data is contained, you'll see it in the price.
It's worth aligning your breach-prevention story with what your carrier asks about. The same controls that lower your premium tend to reduce the size of a breach if one does happen.
The bottom line
The state breach-notification patchwork isn't going to consolidate any time soon. Several bills have been floated in Congress over the years, but nothing's moved. Build your payment workflow assuming the patchwork is permanent, and assume the timelines will keep tightening. The cheapest breach is the one where the data wasn't there to begin with.