All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have regulations that require private entities and/or government agencies to notify individuals of security breaches that might compromise their PII. When doing business (or research) in these localities, you should be aware of the local laws and responsibilities. These are accurate as of August 11, 2021. Subject to change without notice.
DigitalGuardian has a document that summarizes the rules for each locality. They include information on notification requirements, to individuals, to regulators, covered info, penalties, data breaches, and pending legislation.
IT Governance maintains a website on the Data Breach Notification Laws by State.
JUSTIA US Law provides free access to federal and state court decisions, codes, and regulations. They also provide the full text of the Annotated US Constitution, as well as recent dockets and selected case filings from the US federal district and appellate courts.
The National Conference of State Legislatures (NCSL) maintains a website of the Security Breach Notification Laws of all 50 states and territories.