All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands, have regulations that require private entities and/or government agencies to notify individuals of security breaches that might compromise their PII. When doing business (or research) in these localities, you should be aware of the local laws and responsibilities. These are accurate as of January 5, 2020. Subject to change without notice.
DigitalGuardian has a document that summarizes the rules for each locality. They include information on notification requirements, to individuals, to regulators, covered info, penalties, data breaches, and pending legislation.