The nonprofit released its 2025 Data Breach Report Thursday, and it found that data breach notices may now give the public part of the story, increasingly leaving out details like root causes and specific systems disruptions. The report also noted that the downward transparency trend is shaped in part by uneven state laws and recent legal interpretations that allow for lingering timelines and fewer details.
“We have a handful of states that have very explicit data breach requirements: what must be included, strict timelines and mandatory remediation. They’re very robust,” said James E. Lee, president of the ITRC. “But most states don’t require enough information to be included in breach notices, and even states with strong laws often don’t enforce them, either because they lack a mechanism or the resources.”
All 50 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have data breach notification laws that require private businesses — and, in most cases, government entities — to notify individuals when personally identifiable information is exposed, according to the National Conference of State Legislatures.
Thirty-four states have laws that require reporting to a state agency, such as an attorney general’s office. Across the U.S., laws vary on how many individuals must be impacted to trigger notification. For example, the number in Oregon is at least 250 people; in Pennsylvania, 500; and in Alabama, 1,000.
That gap between what is required and what is disclosed becomes more visible in large, vendor-driven incidents that affect public-sector systems nationwide. The report found that victims are paying closer attention to breach notices and want clearer, actionable information: 75 percent want a plain-language list of the specific data compromised, such as identification numbers, financial accounts or login credentials, as well as a high-level explanation of how the breach occurred.
The issue is significant in the public sector, Lee said, where residents must interact with government agencies that hold their personal data.
The largest compromise listed in the ITRC report involved PowerSchool, an educational software vendor used by school systems across the U.S. The breach was discovered on Dec. 28, 2024, and reported publicly by Jan. 29, 2025. The educational software company sent out more than 71.9 million victim notices. The initial investigation, however, didn’t reveal the full scope of the attack and its victims. More than 100 school districts are now involved in related litigation.
Lee said that incidents like PowerSchool illustrate how supply chain breaches can complicate disclosure, as investigations continue and the scope of compromised data evolves.
“The reality is, they’re a victim, as well as all of the people whose information was compromised,” Lee said. “But that’s a great example of the kind of threats we face when you have a very diverse, very large supply chain … They certainly acknowledge that there was a problem, and they worked with the schools.”
The report frames the challenge as a shared one, noting that clearer and more consistent information after a breach becomes increasingly important as incidents continue to become more frequent and affect any number of people.
