Which compliance regulation specifically requires organizations to report data breaches involving personal information of US residents?

  1. State breach notification laws ✓
  2. PCI DSS
  3. GDPR
  4. HIPAA

Correct answer: State breach notification laws

Option A is correct because the United States does not have a single federal breach notification law; instead, all 50 states and several territories have enacted their own breach notification statutes that specifically require organizations to notify affected individuals, and often regulators, when personal information of US residents is compromised.

Option B is wrong because PCI DSS is a payment card industry standard focused on protecting cardholder data; while it has incident response requirements, it is not a government-mandated breach notification law for general personal information.

Option C is incorrect because GDPR is a European Union regulation governing data protection and privacy of EU residents, not US residents specifically.

Option D is wrong because HIPAA applies only to protected health information held by covered entities and their business associates, not to general personal information breaches across all industries.

Topic: Security Operations · breach notification, compliance, data privacy, regulatory requirements

Practice CompTIA Security+ (SY0-701) Questions Free