Data Breach Law: What Small Businesses Must Know
State data breach laws carry real penalties for small businesses. Learn notification requirements, timelines, and how to protect your company.
April 7, 2026
If your business collects customer names, Social Security numbers, credit card data, or even login credentials, you are holding information that state law requires you to protect. And if that information is ever exposed, every state has laws that tell you exactly what you must do next, and how fast you must do it.
The short version: get an incident response plan in place before something goes wrong. Cybersecurity compliance for small businesses is not just an IT issue, it is a legal one. Businesses that wait until after a breach to figure out their obligations end up paying more in fines, legal fees, and lost trust than those who prepare in advance. If you are not sure where your business stands, schedule a free consultation with our team.
How State Data Breach Laws Work
All 50 states now have data breach notification laws. While the details vary, the structure is consistent: if your business stores personal information and that information is exposed through a security breach, you must notify the people affected. In many states, you must also notify the state attorney general once the number of affected residents crosses a threshold.
These laws apply to any business that stores or manages computerized data containing personal details about state residents, regardless of where the business is physically located. If you have customers in a given state, that state's breach notification law applies to you.
What Counts as Personal Information
State definitions are broadly similar. "Personal information" typically means a person's first name or first initial and last name, combined with one or more of the following:
- Social Security number
- Driver's license or state ID number
- Financial account number, credit card number, or debit card number combined with any required security code, access code, or password that would allow access to the account
- Unique electronic identifier or routing code combined with a security code, access code, or password
- Unique biometric data such as a fingerprint, retina image, or other physical representation used for authentication
Some states go further. For example, Texas includes health-related information as defined under HIPAA. Other states cover login credentials for online accounts. The trend is toward broader definitions over time.
If the data is encrypted, redacted, or otherwise rendered unreadable, the notification requirement generally does not apply. But encryption only protects you if the keys were not also compromised. In practice that means encrypting at the application or database layer with keys held somewhere the attacker could not reach. Full-disk encryption on a server that was running when an attacker logged in with stolen credentials protects nothing, because the operating system decrypts the data for anyone who is logged in.
When You Must Notify and Who Gets Notified
Most states require notification "as quickly as possible" or "without unreasonable delay." Some set hard calendar deadlines. Texas, for example, requires notification no later than 60 days after the business determines a breach occurred. Iowa uses the standard of "without unreasonable delay," which regulators will measure against the facts of each case.
Beyond notifying affected individuals, most states also require you to notify the state attorney general once the breach crosses a size threshold. In Iowa, that threshold is 500 affected residents. In Texas, it is 250, and the attorney general filing must be made within 30 days of determining that the breach occurred. Other states set their own numbers. If law enforcement determines that notification would interfere with an active investigation, you may be able to delay, but once law enforcement gives the green light, the clock starts again immediately.
Penalties for Noncompliance
Penalties vary by state but can be severe. Iowa allows civil penalties of up to $40,000 per violation. Texas ranges from $2,000 to $50,000 per violation, with higher penalties for knowing or intentional failures, plus up to $100 per affected individual for each day that notification is late, capped at $250,000 per breach. In a breach affecting thousands of records, those per-violation penalties stack quickly. Beyond fines, businesses face the cost of investigation, remediation, credit monitoring, and the reputational damage that follows a publicized breach. Some states also allow affected individuals to file private lawsuits for damages.
The Change Healthcare Warning
If you think data breach obligations are theoretical, consider what happened with Change Healthcare. In February 2024, a ransomware attack on this healthcare technology company exposed the personal and medical information of roughly 100 million people by UnitedHealth Group's initial count, a figure the company later raised to about 190 million. It was the largest healthcare data breach in U.S. history.
The attack succeeded in part because of outdated systems, a lack of multi-factor authentication on a critical remote-access server (a Citrix portal reachable from the internet with stolen credentials), and no network segmentation to contain the spread. Once the attackers got in, they moved laterally through the network with minimal resistance.
Then came the notification failures. Affected individuals and state regulators were not notified for roughly four to five months after the breach, an extraordinary delay given the scale and sensitivity of the data involved. For a company handling sensitive health and financial data for over 100 million Americans, that delay drew intense scrutiny from Congress, state attorneys general, and federal regulators.
Why This Matters for Your Business
You do not need to be a Fortune 500 company to learn from Change Healthcare's mistakes. The core failures were basic: no multi-factor authentication, no segmentation, slow notification. These are exactly the kinds of problems that affect small and mid-size businesses too.
A dental office that stores patient records. A staffing agency that processes Social Security numbers. A retail shop that handles credit card transactions. All of these businesses hold the same categories of personal information that triggered Change Healthcare's obligations. And all of them face the same state-level notification requirements if that information is compromised.
Per-violation penalties of $40,000 or more are real, and they apply whether you are a national corporation or a ten-person company.
The Five Most Common Mistakes Businesses Make
After working with businesses across Iowa and Texas, we see the same patterns again and again. Here are the mistakes that create the most legal exposure.
1. Delaying Notification
Some business owners freeze when they discover a breach. They want to understand the full scope before saying anything. That instinct is understandable, but the deadline runs from when you discover or determine the breach, not from when you finish scoping it, and waiting can push you past your state's notification deadline, whether that is a hard 60-day window or a "without unreasonable delay" standard. Both outcomes increase your legal risk. An initial notice based on what you know can be supplemented as the investigation develops; silence cannot be undone.
2. Having No Incident Response Plan
An incident response plan is a written document that tells your team exactly what to do when a breach is discovered: who to call (counsel, your insurer, a forensic firm, key vendors), what to preserve (logs, disk images, the activity of compromised accounts), when the notification clock starts, and how to communicate. Keep a copy somewhere you can reach when your systems are down. Without one, every decision gets made under pressure with no framework. That is when mistakes happen.
3. Ignoring Vendor and Third-Party Risk
Many breaches do not start inside your company. They start with a vendor, a cloud provider, or a software tool you rely on. State laws generally require a vendor that maintains your data to notify you of a breach, but your own deadline to notify individuals does not stretch to cover the time the vendor took. If your contracts with those vendors do not include data security requirements, breach notification obligations with a specific deadline, and indemnification provisions, you are exposed.
4. Assuming Encryption Solves Everything
Encryption is a strong safeguard, but only when implemented correctly. If the encryption keys are stored alongside the encrypted data (in the same database, in a config file on the same server, or in application code the attacker can read), or if the keys themselves were compromised in the breach, the safe harbor does not apply. Courts and regulators will look at whether your encryption was meaningful, not just whether it existed on paper.
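To make the "keys stored alongside the data" point concrete, here is an added example (not code from the original article or from Surge) contrasting the two designs. Both rows are encrypted with AES-256-GCM, and an attacker holding a database dump tries to read them. In the naive design the raw data key sits in the row, so the dump decrypts itself; in the envelope design the row holds only a data key wrapped under a key-encryption key that lives in a separate key service, which is what cloud KMS and HSM products provide. The record contents, the key service modelled as a local variable, and the function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Row is one record as it appears in a database dump; the attacker gets all three fields.
type Row struct {
	Nonce, Ciphertext, KeyField []byte
}

const keyLen, nonceLen = 32, 12 // AES-256 key, standard GCM nonce

// NewKey returns a fresh random AES-256 key.
func NewKey() []byte {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	a, err := aead(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, nonceLen)
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, a.Seal(nil, nonce, plaintext, nil), nil
}

// open fails unless the key is right and the authentication tag verifies.
func open(key, nonce, ct []byte) ([]byte, error) {
	a, err := aead(key)
	if err != nil {
		return nil, err
	}
	return a.Open(nil, nonce, ct, nil)
}

// StoreNaive encrypts the record and writes the raw data key into the same row:
// "encrypted at rest" on paper, but the dump contains everything needed to read it.
func StoreNaive(record []byte) (Row, error) {
	dk := NewKey()
	nonce, ct, err := seal(dk, record)
	return Row{nonce, ct, dk}, err
}

// StoreEnveloped encrypts the record under a fresh data key, then wraps that key
// under kek, a key-encryption key held by a separate key service (HSM or cloud KMS)
// and never written to the database. The row holds only wrapNonce||wrappedKey.
func StoreEnveloped(kek, record []byte) (Row, error) {
	dk := NewKey()
	nonce, ct, err := seal(dk, record)
	if err != nil {
		return Row{}, err
	}
	wn, wk, err := seal(kek, dk)
	if err != nil {
		return Row{}, err
	}
	return Row{nonce, ct, append(wn, wk...)}, nil
}

// Unseal is the legitimate read path: ask the key service (kek) to unwrap the
// data key, then decrypt the record.
func Unseal(kek []byte, r Row) ([]byte, error) {
	dk, err := open(kek, r.KeyField[:nonceLen], r.KeyField[nonceLen:])
	if err != nil {
		return nil, err
	}
	return open(dk, r.Nonce, r.Ciphertext)
}

// AttackerWithDump models someone holding only the dumped row. Every 32-byte window
// of the key field is tried as the data key; GCM's tag rejects all of them unless
// the raw key really is stored there.
func AttackerWithDump(r Row) ([]byte, error) {
	for i := 0; i+keyLen <= len(r.KeyField); i++ {
		if pt, err := open(r.KeyField[i:i+keyLen], r.Nonce, r.Ciphertext); err == nil {
			return pt, nil
		}
	}
	return nil, errors.New("no usable key in the dump")
}

func main() {
	record := []byte("Ann Example,123-45-6789") // constructed sample, not a real person
	naive, _ := StoreNaive(record)
	_, err := AttackerWithDump(naive)
	fmt.Println("raw key in the row, dump alone decrypts:", err == nil)
	kek := NewKey() // held by the key service, absent from the dump
	env, _ := StoreEnveloped(kek, record)
	_, err = AttackerWithDump(env)
	fmt.Println("wrapped key in the row, dump alone decrypts:", err == nil)
}
```

The envelope design only earns the safe harbor if the key service is genuinely separate: an attacker who also obtains credentials that let the application call the key service can decrypt through the legitimate path, which is why key-service access should be tightly scoped and logged.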
5. Not Knowing What Data You Actually Hold
You cannot protect what you do not know you have. Many businesses collect personal information through intake forms, payment processors, CRM systems, and employee records without maintaining a clear inventory. When a breach happens, they struggle to determine what was exposed, which delays notification and increases penalties.
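Building that inventory does not have to wait for a breach. The following is an added example (not code from the original article or from Surge) that scans a CSV export of the kind an intake, payroll, or CRM system produces and counts the Social Security numbers and payment card numbers it contains, masked so the inventory is not itself a copy of the data. It applies the SSA issuance rules to weed out placeholder SSNs and the Luhn checksum to weed out phone numbers and other digit runs. The sample export, the assumption that fields are comma-separated without quoted commas, and all function names are constructed for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sample is a constructed CSV export; none of the values belong to real people or accounts.
const Sample = `id,name,ssn,phone,card,notes
1,Ann Example,123-45-6789,515-555-0100,4111 1111 1111 1111,new hire
2,Bob Example,000-12-3456,515-555-0101,1234 5678 9012 3456,rejected
3,Cara Example,078-05-1120,512-555-0102,5500 0000 0000 0004,vendor`

// Finding records one item of personal information, keeping only the last four digits.
type Finding struct {
	Row      int    // 1-based data row, header excluded
	Category string // "ssn" or "card"
	Masked   string
}

var (
	ssnRe = regexp.MustCompile(`^(\d{3})-(\d{2})-(\d{4})$`)
	panRe = regexp.MustCompile(`^\d{13,19}$`) // card numbers are 13 to 19 digits
)

// ValidSSN applies the SSA issuance rules: area 000, 666 and 900-999 are never
// issued, and group 00 and serial 0000 are invalid.
func ValidSSN(area, group, serial string) bool {
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// Luhn reports whether a digit string passes the checksum every payment card
// number satisfies; about nine in ten random digit runs fail it.
func Luhn(digits string) bool {
	sum := 0
	for i := range digits {
		d := int(digits[len(digits)-1-i] - '0')
		if i%2 == 1 { // double every second digit from the right
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum%10 == 0
}

// ClassifyField decides whether one CSV field is an SSN or a card number and
// returns the category plus a masked form, or "" if it is neither.
func ClassifyField(field string) (category, masked string) {
	if m := ssnRe.FindStringSubmatch(strings.TrimSpace(field)); m != nil {
		if ValidSSN(m[1], m[2], m[3]) {
			return "ssn", "***-**-" + m[3]
		}
		return "", ""
	}
	digits := strings.NewReplacer(" ", "", "-", "").Replace(field)
	if panRe.MatchString(digits) && Luhn(digits) {
		return "card", strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
	}
	return "", ""
}

// Scan walks a CSV export (header on the first line) and returns every
// SSN and payment card number it recognises, masked.
func Scan(export string) []Finding {
	var out []Finding
	for i, line := range strings.Split(export, "\n")[1:] { // skip header
		for _, field := range strings.Split(line, ",") {
			if cat, masked := ClassifyField(field); cat != "" {
				out = append(out, Finding{Row: i + 1, Category: cat, Masked: masked})
			}
		}
	}
	return out
}

// Summarize returns per-category counts and the number of distinct rows holding
// at least one item, the figure compared against an attorney-general threshold.
func Summarize(findings []Finding) (perCategory map[string]int, rows int) {
	perCategory = map[string]int{}
	seen := map[int]bool{}
	for _, f := range findings {
		perCategory[f.Category]++
		seen[f.Row] = true
	}
	return perCategory, len(seen)
}

func main() {
	findings := Scan(Sample)
	for _, f := range findings {
		fmt.Printf("row %d: %-4s %s\n", f.Row, f.Category, f.Masked)
	}
	counts, rows := Summarize(findings)
	fmt.Printf("inventory: %v across %d individuals\n", counts, rows)
}
```

Run against real exports, the row count per system is the starting point for the "how many individuals" question in step two of a breach response, and the per-system totals tell you which stores need the strongest protection.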
If any of these patterns sound familiar, now is the time to address them. Our business law team can walk you through a compliance review tailored to your operations.
What a Data Breach Response Actually Looks Like
When a breach happens, here is what a well-prepared business does, in order:
1. Contain. Isolate affected systems from the network. Do not destroy evidence: do not wipe, reimage, or power off machines before a forensic image has been taken, and preserve logs before they rotate.
2. Scope. Determine what data was accessed, how many individuals are affected, and whether the data was encrypted with keys the attacker could not reach.
3. Engage counsel. An attorney can help you navigate notification requirements, preserve privilege over forensic investigations, and coordinate with law enforcement if necessary.
4. Notify affected individuals. Use the method required by your state's law. Include what happened, what information was involved, and what steps individuals can take to protect themselves.
5. Notify the attorney general. File if the breach meets your state's threshold. Common thresholds range from 250 to 500 affected residents, depending on the state.
6. Document. Your notification decisions, timelines, and rationale should be recorded in writing.
Skipping any of these steps, or doing them out of order, can create problems that are harder to fix later.
How Surge Helps Your Business Stay Compliant
At Surge, we provide flat-fee legal services to small and mid-size businesses, including compliance reviews, policy drafting, and breach response counsel. For data breach compliance specifically, that means three things.
Compliance Reviews
We review your current data handling practices, identify gaps in your security posture, and assess whether your notification procedures meet your state's requirements. This includes evaluating your vendor agreements and internal policies.
Breach Response Counsel
If a breach occurs, we guide you through the response process. That includes notification drafting, attorney general filings, coordination with forensic investigators, and managing communications with affected customers. Engaging legal counsel early also helps protect the investigation under attorney-client privilege.
Policy Drafting
We draft incident response plans, data retention policies, and cybersecurity vendor agreements that are tailored to your industry and your state's legal requirements. These documents are not templates pulled off the internet. They are built around how your business actually operates.
Our Momentum membership gives you unlimited email access to our legal team for ongoing questions. For businesses that need deeper support, our fractional general counsel service provides regular oversight of your compliance posture.
Take Action Before a Breach Forces Your Hand
State data breach laws are not suggestions. They carry real penalties, and regulators are paying closer attention every year. The businesses that come through a breach in the best shape are the ones that prepared before it happened.
If you collect customer data, process payments, store employee records, or work with vendors who handle sensitive information, you have obligations under state law. The question is whether you will meet those obligations on your terms or on a regulator's.
Book a free consultation with our team to discuss your data security compliance. We will help you understand where you stand and what steps to take next. You can also visit our pricing page to see our flat-fee compliance review options.