Primary Sources Archive

The primary sources archive is a collection of breach notification letters sent to various jurisdictions in the United States. These were gathered staff and volunteers through sponsorship funding and donations. Currently, a project is underway to accumulate more such notices via the Freedom of Information Act, and its various local and state legislative cousins.

If you're interested in getting involved in FOIA requests, please contact curators@datalossdb.org. To see which states are able to be queried for data loss related information (via FOI equivalents), see our States Page.

Primary Sources Sponsors

The organizations listed below have kindly sponsored the Primary Sources project. If your organization is interested in sponsoring the project as well, contact

CREDANT Technologies, a leader in data security, offers advanced data encryption solutions. Every day our patented data-centric, policy-based, centrally-managed software protects the data on over 5 million devices worldwide to ensure security compliance, protect brands and enhance IT and end-user productivity. Learn more about intelligent data security for privacy compliance and avoid the damaging impact of security breaches.

659 primary sources

New York State Consumer Protection Board

New York State Consumer Protection Board collects breach reports per New York State law, but does not presently publish all reports on their website. Most of the primary sources collected have been courtesy of Chris Walsh's efforts, utilizing Freedom of Information legislation in New York State.

230 primary sources

North Carolina Department of Justice, Consumer Protection Division

North Carolina's Department of Justice, Consumer Protection Division collects data breach notifications from organizations per North Carolina law. Like New York, North Carolina does not post all reports online, and these reports are courtesy of Chris Walsh's efforts with Freedom of Information laws in North Carolina.

370 primary sources

Maryland Attorney General

Like Vermont and New Hampshire, Maryland posts data breach notifications on its website as a result of legislation. As a result, they are downloaded and archived here.

369 primary sources

New Hampshire Consumer Protection & Antitrust Bureau

The New Hampshire Consumer Protection & Antitrust Bureau has been placing the notifications that it receives, as a result of legislation in the state, on its website. Archives can be found here.

23 primary sources

Vermont Office of the Attorney General

The Vermont Office of the Attorney General receives data breach notifications per Vermont laws and regulations. These notifications are posted on their website. As a result, the notifications have been downloaded and archived here.

16 primary sources

California Office of Privacy Protection

While the California breach notice law does not create a centralized reporting agency, the California Office of Privacy Protection does occasionally receive notices from recipients. They have kindly agreed to provide them to the Archive.

377 primary sources

Maine Attorney General

Maine law requires notification to the Attorney General's Office in the event of a Data Loss Incident. The State also has Freedom of Information legislation, enabling us to request copies of these documents. The Open Security Foundation has collected these documents through Freedom of Information requests.

5 primary sources

Colorado Attorney General

Sources received from the Colorado Attorney General's Office came from Freedom of Information requests made by staff members. Colorado does not have centralized data loss incident reporting, so OSF does not expect to receive many sources from this state.

85 primary sources

Virginia Attorney General

Breach notifications from Virginia been provided to us by the good people at the Virginia Attorney General's office via Virginia Public Records requests. Notification to Virginia's AG is only required should the breach affect more than 1,000 residents, and if the breach was electronic.

8 primary sources

Nebraska Attorney General

Nebraska has no centralized data loss reporting, but does occasionally receive breach notifications from organizations voluntarily reporting. These have been FOIA'd by OSF, and are presented here.

70 primary sources

Hawaii Office of Consumer Protection

Hawaii primary sources were obtained via Public Records requests sent to the Hawaii office of Consumer Protection.

4 primary sources

Wisconsin Attorney General

Primary Sources obtained from Wisconsin were obtained via Public Records legislation in the state, via OSF volunteers.

4 primary sources

Michigan Attorney General

Primary Sources obtained from Michigan were obtained via Public Records legislation in the state, via OSF volunteers.

1 primary sources

Illinois Attorney General

Notifications from Illinois were seeded first by FOIA equivalent requests by OSF volunteers.

21 primary sources

Florida Attorney General

Primary Sources obtained from Florida were seeded via FOIA equivalent requests by OSF Volunteers for the 50 states project.

281 primary sources

Massachusetts Attorney General

These primary sources were acquired and paid for by OSF via open records requests