Primary Sources Archive

The primary sources archive is a collection of breach notification letters sent to various jurisdictions in the United States. These were gathered staff and volunteers through sponsorship funding and donations. Currently, a project is underway to accumulate more such notices via the Freedom of Information Act, and its various local and state legislative cousins.

If you're interested in getting involved in FOIA requests, please contact [email protected]. To see which states are able to be queried for data loss related information (via FOI equivalents), see our States Page.

Help Us Complete the Archives

We need your help classifying and associating these primary sources with Incidents and Organizations.
2852 / 2865 primary sources classified
Help Now!

Primary Sources Sponsors

The organizations listed below have kindly sponsored the Primary Sources project. If your organization is interested in sponsoring the project as well, contact

Search Primary Sources

All primary sources have been scanned with Optical Character Recognition (OCR), and the contents have been indexed in this search engine.


659 primary sources

New York State Consumer Protection Board

New York State Consumer Protection Board collects breach reports per New York State law, but does not presently publish all reports on their website. Most of the primary sources collected have been courtesy of Chris Walsh's efforts, utilizing Freedom of Information legislation in New York State.


Browse This Data Source | Visit External Source Site | Search This Data Source:


230 primary sources

North Carolina Department of Justice, Consumer Protection Division

North Carolina's Department of Justice, Consumer Protection Division collects data breach notifications from organizations per North Carolina law. Like New York, North Carolina does not post all reports online, and these reports are courtesy of Chris Walsh's efforts with Freedom of Information laws in North Carolina.


Browse This Data Source | Visit External Source Site | Search This Data Source:


424 primary sources

Maryland Attorney General

Like Vermont and New Hampshire, Maryland posts data breach notifications on its website as a result of legislation. As a result, they are downloaded and archived here.


Browse This Data Source | Visit External Source Site | Search This Data Source:


388 primary sources

New Hampshire Consumer Protection & Antitrust Bureau

The New Hampshire Consumer Protection & Antitrust Bureau has been placing the notifications that it receives, as a result of legislation in the state, on its website. Archives can be found here.


Browse This Data Source | Visit External Source Site | Search This Data Source:


23 primary sources

Vermont Office of the Attorney General

The Vermont Office of the Attorney General receives data breach notifications per Vermont laws and regulations. These notifications are posted on their website. As a result, the notifications have been downloaded and archived here.


Browse This Data Source | Visit External Source Site | Search This Data Source:


16 primary sources

California Office of Privacy Protection

While the California breach notice law does not create a centralized reporting agency, the California Office of Privacy Protection does occasionally receive notices from recipients. They have kindly agreed to provide them to the Archive.


Browse This Data Source | Visit External Source Site | Search This Data Source:


435 primary sources

Maine Attorney General

Maine law requires notification to the Attorney General's Office in the event of a Data Loss Incident. The State also has Freedom of Information legislation, enabling us to request copies of these documents. The Open Security Foundation has collected these documents through Freedom of Information requests.


Browse This Data Source | Visit External Source Site | Search This Data Source:


5 primary sources

Colorado Attorney General

Sources received from the Colorado Attorney General's Office came from Freedom of Information requests made by staff members. Colorado does not have centralized data loss incident reporting, so OSF does not expect to receive many sources from this state.


Browse This Data Source | Visit External Source Site | Search This Data Source:


85 primary sources

Virginia Attorney General

Breach notifications from Virginia been provided to us by the good people at the Virginia Attorney General's office via Virginia Public Records requests. Notification to Virginia's AG is only required should the breach affect more than 1,000 residents, and if the breach was electronic.


Browse This Data Source | Visit External Source Site | Search This Data Source:


8 primary sources

Nebraska Attorney General

Nebraska has no centralized data loss reporting, but does occasionally receive breach notifications from organizations voluntarily reporting. These have been FOIA'd by OSF, and are presented here.


Browse This Data Source | Visit External Source Site | Search This Data Source:


70 primary sources

Hawaii Office of Consumer Protection

Hawaii primary sources were obtained via Public Records requests sent to the Hawaii office of Consumer Protection.


Browse This Data Source | Visit External Source Site | Search This Data Source:


4 primary sources

Wisconsin Attorney General

Primary Sources obtained from Wisconsin were obtained via Public Records legislation in the state, via OSF volunteers.


Browse This Data Source | Visit External Source Site | Search This Data Source:


4 primary sources

Michigan Attorney General

Primary Sources obtained from Michigan were obtained via Public Records legislation in the state, via OSF volunteers.


Browse This Data Source | Visit External Source Site | Search This Data Source:


1 primary sources

Illinois Attorney General

Notifications from Illinois were seeded first by FOIA equivalent requests by OSF volunteers.


Browse This Data Source | Visit External Source Site | Search This Data Source:


21 primary sources

Florida Attorney General

Primary Sources obtained from Florida were seeded via FOIA equivalent requests by OSF Volunteers for the 50 states project.


Browse This Data Source | Visit External Source Site | Search This Data Source:


492 primary sources

Massachusetts Attorney General

These primary sources were acquired and paid for by OSF via open records requests


Browse This Data Source | Visit External Source Site | Search This Data Source:

Sponsored By: Rbs Zecurion
Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation requires authorization and potential licensing arrangements. For more information, please e-mail [email protected] with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2014, Open Security Foundation, All Rights Reserved.