Proposed State Laws For Breach Notification Could Reshape Incident Response Plans
State breach-notification laws continue to evolve, and legislatures are using 2026 sessions to tighten consumer protections and shift the civil liability landscape that often follows a cyber event. For businesses, the practical takeaway is that incident response planning increasingly needs to account not only for “whether notice is required,” but also for hard timelines, regulator-facing deliverables, and the cost of consumer support services. Several state laws have died without passing out of the legislature, including bills in Connecticut, Hawaii, and Oklahoma. However, we continue to watch two pending state laws on the East Coast. New Jersey – Assembly Bill 1852 New Jersey’s pending proposal is more about standardizing notice practices and ensuring ongoing consumer access to credit reporting. As introduced, the bill narrows permissible notice methods to written notice or electronic notice. It removes the existing substitute-notice pathway that many companies rely on when notice cos...