Following the enactment of the bill California S.B. 1386 in 2002, also known as California data security breach notification law, majority of US states adopted some form of mandatory data breach notification legislation. The experience with this type of legal instrument in the legal systems of the United States over the last decade and a half may therefore serve as a valuable case study for the general data breach notification obligation under Articles 33 and 34 of the General Data Protection Regulation 2016/679. The data breach notification obligation is for most data controllers a new obligatory requirement that presents a new challenge for monitoring of internal processes. Taking into consideration the proximity of the legal systems, similar economic realities, technological development and social values, the substantial record of data breach notification practice in the United States holds a sizeable potential for analysis and an opportunity for comparative transfer of relevant conclusion to help the implementation of the newly established GDPR general data breach notification obligation. There are on the other hand unavoidable differences in conceptual framework of this instrument between American and European approach as well as to some degree within the United States complex legal structure itself. Understanding these limitations is therefore an essential part of the analysis that is affecting the conclusion about the overall potential value of the lessons that can be learned. Beyond the historical developments of the institute, its interpretation and application are of special interest to the contribution the current challenges related to the boom of Internet of Things solutions and the influence this technological change has or may have on the purpose and function of the data breach notification obligation.