The Legal Obligation to Report a Data Breach

A data breach can be devastating — not just technically, but legally. Once personal information is compromised, organizations face a web of notification obligations that vary by jurisdiction, industry, and the type of data involved. Acting too slowly, or failing to notify at all, can compound the damage with regulatory fines and civil liability.

This guide breaks down what you need to know about data breach notification laws in the United States and beyond.

Is There a Federal Breach Notification Law in the US?

There is no single, comprehensive federal data breach notification law in the United States. Instead, breach obligations arise from a patchwork of:

  • Sector-specific federal laws (e.g., HIPAA for healthcare, GLBA for financial institutions, the FTC Act for general consumer protection)
  • State laws — all 50 US states have enacted their own breach notification statutes
  • International regulations such as the EU's GDPR

This fragmentation means businesses operating in multiple states or countries must track and comply with multiple overlapping requirements simultaneously.

Key Elements Found in Most Breach Notification Laws

1. What Triggers a Notification Obligation?

Most laws are triggered by unauthorized access to, or acquisition of, "personal information." Most state statutes apply only to unencrypted data, or to encrypted data where the decryption key was also compromised, so strong encryption at rest can keep an incident outside the notification trigger under many (not all) laws. What counts as personal information varies but typically includes:

  • Social Security numbers
  • Financial account numbers combined with security codes or passwords
  • Driver's license or state ID numbers
  • Medical or health insurance information
  • Login credentials (username + password combinations)

Many states have since expanded this list, for example to biometric data and passport numbers, and the exact definition differs from statute to statute, so each applicable law needs to be checked individually.

2. Who Must Be Notified?

Notification obligations typically run in two directions:

  • Affected individuals: Those whose personal information was compromised.
  • Regulators/authorities: State attorneys general, the FTC, HHS (for HIPAA), or data protection authorities (for GDPR).

Some states also require notifying the major consumer reporting agencies when a breach affects a large number of residents (commonly 1,000 or more).

3. How Quickly Must You Notify?

Notification timelines vary widely:

  • GDPR: the supervisory authority within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals' rights and freedoms); affected individuals without undue delay when the breach is likely to result in a high risk to them
  • HIPAA: affected individuals without unreasonable delay and no later than 60 calendar days after discovery; HHS within the same 60-day window if 500 or more individuals are affected (smaller breaches are logged and reported to HHS annually); prominent media outlets if more than 500 residents of a single state or jurisdiction are affected
  • State laws: typically range from "the most expedient time possible and without unreasonable delay" to fixed windows such as 30, 45, or 60 days from discovery

What Should a Breach Notification Contain?

A proper notification to affected individuals should generally include:

  1. A description of the incident and what happened
  2. The types of personal information involved
  3. Steps taken to investigate the incident and contain the breach
  4. What the organization is doing to protect affected individuals going forward
  5. Contact information for further questions
  6. Instructions on how individuals can protect themselves (e.g., credit monitoring)

Building a Breach Response Plan

The worst time to figure out your legal obligations is in the middle of an active breach. Organizations should develop an Incident Response Plan (IRP) that includes:

  • A designated response team with clear roles
  • Legal counsel (internal or external) specializing in privacy law, with contact details kept current
  • A mapped list of applicable notification laws based on where customers and employees are located
  • Pre-drafted notification templates for individuals, regulators, and, where required, the media
  • A documented procedure for recording the date and time of discovery and preserving evidence, since most notification clocks start running at discovery
  • Established relationships with forensic investigators and crisis-communications specialists

Consequences of Non-Compliance

Failing to meet breach notification obligations can result in regulatory investigations, enforcement actions, and significant fines. Under GDPR, penalties for failing to report a breach to the supervisory authority or to affected individuals can reach €10 million or 2% of total worldwide annual turnover, whichever is higher. State attorneys general in the US have actively pursued companies that delayed or avoided required notifications.

Final Takeaway

Breach notification is not optional — it's a legal requirement with tight timelines. Proactive planning, clear internal procedures, and staying current with evolving state and international laws are your best defenses against compounding a security incident with a legal crisis.

This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.