The primary sources archive is a collection of breach notification letters sent to various jurisdictions in the United States. These were gathered staff and volunteers through sponsorship funding and donations. Currently, a project is underway to accumulate more such notices via the Freedom of Information Act, and its various local and state legislative cousins.
If you're interested in getting involved in FOIA requests, please contact [email protected].
To see which states are able to be queried for data loss related information (via FOI equivalents), see our States Page.
Help Us Complete the Archives
We need your help classifying and associating these primary sources with Incidents and Organizations. 2852 / 2865 primary sources classified Help Now!
Primary Sources Sponsors
The organizations listed below have kindly sponsored the Primary Sources project. If your organization is interested in sponsoring the project as well, contact
659 primary sources
New York State Consumer Protection Board
New York State Consumer Protection Board collects breach reports per New York State law, but does not presently publish all reports on their website. Most of the primary sources collected have been courtesy of Chris Walsh's efforts, utilizing Freedom of Information legislation in New York State.
230 primary sources
North Carolina Department of Justice, Consumer Protection Division
North Carolina's Department of Justice, Consumer Protection Division collects data breach notifications from organizations per North Carolina law. Like New York, North Carolina does not post all reports online, and these reports are courtesy of Chris Walsh's efforts with Freedom of Information laws in North Carolina.
424 primary sources
Maryland Attorney General
Like Vermont and New Hampshire, Maryland posts data breach notifications on its website as a result of legislation. As a result, they are downloaded and archived here.
388 primary sources
New Hampshire Consumer Protection & Antitrust Bureau
The New Hampshire Consumer Protection & Antitrust Bureau has been placing the notifications that it receives, as a result of legislation in the state, on its website. Archives can be found here.
23 primary sources
Vermont Office of the Attorney General
The Vermont Office of the Attorney General receives data breach notifications per Vermont laws and regulations. These notifications are posted on their website. As a result, the notifications have been downloaded and archived here.
16 primary sources
California Office of Privacy Protection
While the California breach notice law does not create a centralized reporting agency, the California Office of Privacy Protection does occasionally receive notices from recipients. They have kindly agreed to provide them to the Archive.
435 primary sources
Maine Attorney General
Maine law requires notification to the Attorney General's Office in the event of a Data Loss Incident. The State also has Freedom of Information legislation, enabling us to request copies of these documents. The Open Security Foundation has collected these documents through Freedom of Information requests.
5 primary sources
Colorado Attorney General
Sources received from the Colorado Attorney General's Office came from Freedom of Information requests made by staff members. Colorado does not have centralized data loss incident reporting, so OSF does not expect to receive many sources from this state.
85 primary sources
Virginia Attorney General
Breach notifications from Virginia been provided to us by the good people at the Virginia Attorney General's office via Virginia Public Records requests. Notification to Virginia's AG is only required should the breach affect more than 1,000 residents, and if the breach was electronic.
8 primary sources
Nebraska Attorney General
Nebraska has no centralized data loss reporting, but does occasionally receive breach notifications from organizations voluntarily reporting. These have been FOIA'd by OSF, and are presented here.
70 primary sources
Hawaii Office of Consumer Protection
Hawaii primary sources were obtained via Public Records requests sent to the Hawaii office of Consumer Protection.
4 primary sources
Wisconsin Attorney General
Primary Sources obtained from Wisconsin were obtained via Public Records legislation in the state, via OSF volunteers.
4 primary sources
Michigan Attorney General
Primary Sources obtained from Michigan were obtained via Public Records legislation in the state, via OSF volunteers.
1 primary sources
Illinois Attorney General
Notifications from Illinois were seeded first by FOIA equivalent requests by OSF volunteers.
21 primary sources
Florida Attorney General
Primary Sources obtained from Florida were seeded via FOIA equivalent requests by OSF Volunteers for the 50 states project.
492 primary sources
Massachusetts Attorney General
These primary sources were acquired and paid for by OSF via open records requests
Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail [email protected] with a brief summary of how you would like to use this information; product, service, research, etc.