Learn what notification laws require and how to stay compliant after a breach.
• GDPR gives you 72 hours from discovery to notify regulators. The SEC gives public companies four business days. HIPAA allows 60 days. Miss these deadlines and the fines multiply.
• Not every breach triggers notification. The threshold depends on what data was exposed and whether affected people are at real risk of harm. Knowing your jurisdiction’s trigger is the first step.
• Penalties for late notification are getting steeper. Meta paid €1.2 billion under GDPR. British Airways paid £20 million. State attorneys general are increasingly aggressive too.
• The notification clock starts when you discover the breach, not when it happened. Credential monitoring often catches exposed passwords before they’re used, letting you prevent the breach entirely. No breach means nothing to notify about.
Every US state now has its own data breach notification law. GDPR gives you 72 hours. The SEC gives public companies four business days. Miss a deadline and the fines can dwarf the breach itself.
The rules vary by jurisdiction, but the stakes are universal. Late or incomplete notification leads to regulatory fines and lawsuits. The reputation damage lasts even longer.
Most security teams know they need to send notifications. Fewer know exactly who to tell and when. That’s where compliance breaks down.
This guide covers notification timelines, penalties for getting it wrong, and how to prepare before a breach forces your hand.
When personal data gets compromised, you don’t just have a security problem. You have a legal obligation.
Data breach notification is the legal requirement to inform affected individuals and regulators when unauthorized parties access personal data. The specific rules vary by jurisdiction, but nearly every country and all 50 US states now have some form of mandatory notification law.
Not every security incident triggers notification requirements. The threshold depends on what data was exposed and whether affected people are at real risk of harm.
Most laws define “personal data” as information that can identify someone: names paired with Social Security numbers, financial account details, or medical records. If your breach only exposed encrypted data and the keys weren’t compromised, many jurisdictions won’t require notification.
But when the threshold IS met, the clock starts ticking fast. How fast depends on where your affected users live.
This is the question that matters most during an active breach. The timelines are strict and the penalties for missing them are real.
GDPR – 72 hours. You must notify your supervisory authority within 72 hours of becoming aware of a breach that risks individuals’ rights and freedoms. If you can’t provide full details in 72 hours, you can submit in phases, but the initial notification can’t wait. Meta paid €1.2 billion in 2023 partly for data handling violations. British Airways was fined £20 million after a breach that exposed 400,000 customers’ payment details.
SEC – 4 business days. Since December 2023, public companies must disclose material cybersecurity incidents within four business days of determining the incident is material. This applies to the breach’s impact on your business, not just data exposure.
HIPAA – 60 days. Healthcare organizations must notify HHS and affected individuals within 60 days of discovering a breach affecting 500+ people. If fewer than 500 people are affected, you can report annually. HIPAA penalties range up to $2.13 million per violation category per year.
US state laws – varies widely. Some states specify exact timeframes:
The strictest deadline that applies to you is the one that matters. If you have customers in Florida and Europe, you’re working against GDPR’s 72 hours, not Florida’s 30 days.
The answer depends on your jurisdiction and the severity of the breach.
Breach notification rule refers to the specific regulation within a framework like HIPAA or GDPR that defines when notification is required, who must be notified, and the penalties for non-compliance. Each framework has its own rule with different thresholds and timelines.
Affected individuals. Almost every notification law requires you to tell the people whose data was exposed. The notification must explain what happened and what they should do to protect themselves (change passwords, monitor credit, etc.).
Regulators. Under GDPR, you notify your supervisory authority. Under HIPAA, you notify HHS. In the US, most states require notification to the state Attorney General. Some states only require AG notification when the breach exceeds a threshold (typically 500+ affected residents).
Law enforcement. If criminal activity is suspected, you should notify law enforcement. Some regulations require it. Even when it’s optional, early law enforcement involvement can help with investigation and sometimes satisfies regulatory requirements.
Credit reporting agencies. Several state laws require notification to credit bureaus when a breach exceeds a certain size (often 1,000+ residents). This triggers fraud alerts that help affected individuals.
Your cyber insurer. This isn’t a legal notification requirement, but your insurance policy almost certainly requires prompt notification. Late notification to your insurer can be grounds for claim denial.
Regulators have made it clear that notification failures are treated as seriously as the breach itself. Sometimes more seriously.
GDPR enforcement examples:
The Meta and British Airways fines mentioned above are just the headline cases. Smaller companies get fined too – the pattern is consistent. Regulators look at whether you detected the breach quickly and notified on time.
GDPR fines can reach 4% of global annual revenue or €20 million, whichever is higher. The notification violation is separate from the underlying security failure, meaning you can be fined twice – once for the breach and once for how you handled it.
HIPAA enforcement:
The HHS Office for Civil Rights has issued penalties exceeding $100 million in total across HIPAA breach cases. Fines scale with negligence – from $141 per violation for unknowing infractions to seven figures for willful neglect.
State AG enforcement:
US state attorneys general are increasingly aggressive about breach notification enforcement. Several states have expanded their AG’s authority to bring actions for notification failures. Multi-state investigations are becoming common.
Class-action exposure:
Late notification also increases your exposure to class-action lawsuits. Plaintiffs’ attorneys argue that delayed notification prevented affected individuals from protecting themselves. The longer the delay between breach and notification, the stronger their case.
The worst time to figure out your notification obligations is during an active breach. Prepare now.
Know your jurisdictions. Map where your customers and employees live. If you have EU customers, GDPR applies. If you store patient data, HIPAA applies. If you have customers in all 50 states, you’re subject to 50 different notification laws. Identify the strictest deadline that applies to you and treat it as your target.
Build notification templates. Draft notification letters for individuals and regulatory filings before you need them. During a breach, your legal team should be filling in specifics, not starting from scratch. Include templates for different data types (financial data vs. health records vs. credentials).
Establish your legal contacts. Know which regulators to call in each jurisdiction. Have outside counsel identified and on retainer. Know your cyber insurer’s notification requirements and claims process.
Detect breaches faster. The notification clock starts at discovery, not when the breach actually happened. A breach that went undetected for six months still gives you the full notification window from the moment you find it. But those six months of undetected access make the breach worse and more expensive.
Dark web monitoring catches stolen credentials early, often before attackers exploit them. In many cases, finding exposed credentials lets you reset passwords and prevent the breach entirely. No breach means nothing to notify about.
Test your response plan. Run tabletop exercises that include the notification process. Time how long it takes your team to draft notifications and get legal approval. If your rehearsal takes longer than your shortest deadline, you have a problem to fix. See our data breach response checklist for the full process.
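The deadline rules above (GDPR 72 hours, SEC four business days, HIPAA 60 days, Florida's 30 days) and the tabletop timing check can be turned into a small calculator. This is an added example, not code from the article or from Breachsense; it assumes a clock start you supply (for the SEC that is the materiality determination, not discovery) and a weekend-only business-day calendar with no public holidays.

```python
from datetime import datetime, timedelta, timezone

# Deadline rules as stated in the article. State deadlines vary widely;
# the 30-day entry is the Florida figure the article cites.
RULES = {
    "GDPR": ("hours", 72),          # from becoming aware of the breach
    "SEC": ("business_days", 4),    # from determining the incident is material
    "HIPAA": ("days", 60),          # from discovery, breaches of 500+ people
    "Florida": ("days", 30),
}


def add_business_days(start: datetime, n: int) -> datetime:
    """Advance n business days, skipping Saturday and Sunday only.
    Assumption: no public-holiday calendar (add one for real use)."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current


def notification_deadlines(clock_start: datetime, applicable: list) -> dict:
    """Map each applicable regime to the moment its notification is due."""
    deadlines = {}
    for name in applicable:
        unit, amount = RULES[name]
        if unit == "hours":
            deadlines[name] = clock_start + timedelta(hours=amount)
        elif unit == "days":
            deadlines[name] = clock_start + timedelta(days=amount)
        else:
            deadlines[name] = add_business_days(clock_start, amount)
    return deadlines


def strictest_deadline(clock_start: datetime, applicable: list) -> tuple:
    """The earliest deadline is the one that matters, as the article says."""
    deadlines = notification_deadlines(clock_start, applicable)
    name = min(deadlines, key=deadlines.get)
    return name, deadlines[name]


def rehearsal_fits(clock_start: datetime, applicable: list, rehearsal_hours: float) -> bool:
    """Tabletop check: does drafting plus legal approval finish before the strictest deadline?"""
    _, deadline = strictest_deadline(clock_start, applicable)
    return clock_start + timedelta(hours=rehearsal_hours) <= deadline


if __name__ == "__main__":
    # Constructed scenario: breach discovered on a Friday afternoon (UTC).
    found = datetime(2024, 3, 8, 15, 0, tzinfo=timezone.utc)
    print(notification_deadlines(found, ["GDPR", "SEC", "HIPAA", "Florida"]))
    print(strictest_deadline(found, ["GDPR", "SEC", "HIPAA", "Florida"]))
    print(rehearsal_fits(found, ["GDPR", "SEC", "HIPAA", "Florida"], 80))
```

Run it with the discovery time of a real exercise to see which regime sets the target and whether the rehearsal duration clears it.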
The fastest way to reduce notification pressure is to catch breaches before they happen. Book a demo to see how Breachsense monitors the dark web for your organization’s exposed credentials.
A data breach notification is a formal communication that you’re legally required to send when unauthorized parties access personal data. Depending on your jurisdiction, you may need to notify affected individuals and regulatory authorities. The notification must explain what happened, what data was involved, and what affected people should do to protect themselves.
It depends on the regulation. GDPR requires notification to supervisory authorities within 72 hours of discovery. The SEC requires public companies to disclose material breaches within four business days. HIPAA allows 60 days. US state laws vary widely, from 30 days to ‘without unreasonable delay.’ Always check the strictest jurisdiction that applies to you.
No. Most laws set a threshold based on the type of data exposed and the risk of harm. If encrypted data is breached and the encryption keys weren’t compromised, many jurisdictions don’t require notification. If only non-sensitive data was accessed, the threshold may not be met. The rules vary by jurisdiction.
GDPR fines can reach 4% of global annual revenue or €20 million. HIPAA penalties go up to $2.13 million per violation category per year. US state attorneys general can bring enforcement actions with their own penalties. Beyond fines, late notification increases your exposure to class-action lawsuits. See our guide on data breach compliance for details.
At minimum: what happened, when you discovered it, what data was involved, and what affected individuals should do to protect themselves. GDPR specifically requires you to name your data protection officer and describe the likely consequences of the breach.
The notification clock starts when you discover the breach, not when it actually happened. But a breach that goes undetected for months causes far more damage, which makes the notification harder and the regulatory scrutiny worse. Dark web monitoring catches exposed credentials early. In many cases you can reset passwords and prevent the breach before it starts.