This is a difficult question.  Snell & Wilmer have launched an interactive data breach notification site to help organizations answer this question. No doubt the site is marketing tool, but this law firm is contributing to the community.

Here is excerpt from S& W:

By clicking on a state, you will see a summary of the key features of its notification statute; highlights include PII and breach definitions, respectively, along with notification requirements, including the circumstances in which the state Attorney General’s Office or a similar consumer protection agency is required to be notified as well as timing requirements for the notifications to individuals. We’ve also included links to both the data breach statutes themselves and relevant state agency websites.  Additionally, the second tab on the Data Breach Map provides a visual summary for those states that require notification when PII has merely been accessed as compared to those states that only require notification when PII has been acquired.

The Takeways

• Ensure and invest in your relationship with peers in compliance and privacy departements
• Ensure that you cyber incident and management team is aware of data breach notification requirements and has incorporated these timelines into their playbooks
• Ensure that you socialize data breach notification requirements and timelines with your IT peers.