Who Must You Notify?
The answer depends on what data was exposed, how many people were affected, and where they reside. Use this decision tree:
1. Affected Individuals (Always)
You must notify every person whose personal data was compromised. Methods: written notice by postal mail, email (generally only where the individual has agreed to receive notices electronically), or substitute notice (website posting plus media) if contact information is unavailable or the cost of direct notice is prohibitive.
Exception: Most laws exempt data that was encrypted (or otherwise rendered unreadable) as long as the encryption key was NOT also compromised. Confirm the key was actually out of the attacker's reach before relying on this; an attacker who exfiltrated a database dump together with the application's key material does not qualify. HIPAA's safe harbor additionally requires encryption consistent with HHS guidance.
2. Regulators
GDPR: Notify the competent supervisory authority (your lead authority if you process cross-border) within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The clock includes weekends and holidays; if you cannot meet it, file what you know and supplement in phases, and document the reason for any delay.
HIPAA: Breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and no later than 60 days after discovery. Smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
US States: Notify the state Attorney General (and, in some states, additional agencies) when the breach affects that state's residents; most states set a threshold such as 250, 500 or 1,000 residents.
3. Credit Bureaus (If 1,000+ affected)
Most state laws require notice to the three nationwide consumer reporting agencies (Equifax, Experian, TransUnion) when you notify more than 1,000 residents at one time. Tell them the timing, distribution and content of the notices you sent.
4. Media (HIPAA only, if 500+ affected)
HIPAA requires notifying "prominent media outlets" serving a state or jurisdiction if a breach affects more than 500 residents of that state or jurisdiction, on the same 60-day-from-discovery clock as individual notice.
Notification Timeline Matrix
These are the legally mandated outer deadlines. Several clocks start at discovery (HIPAA) or at awareness of the breach (GDPR), not at the end of your investigation. Real-world best practice: notify as soon as you have confirmed the breach and can provide accurate information.
| Jurisdiction | Timeline (Individual) | Timeline (Regulator) | Threshold |
|---|---|---|---|
| GDPR (EU) | Without undue delay (only where high risk to individuals) | 72 hours from awareness (unless unlikely to result in risk) | Risk to rights/freedoms |
| HIPAA (US Healthcare) | 60 days from discovery | 60 days (HHS) if 500+ affected; annual log otherwise | Unsecured PHI |
| California (Civ. Code §1798.82) | "Without unreasonable delay" | AG if more than 500 residents | Unencrypted PI (or encrypted PI with a compromised key) |
| New York (SHIELD Act) | "Without unreasonable delay" | AG, Dept. of State, State Police; DFS within 72 hours if DFS-regulated | Private information |
| Texas | 60 days | AG within 30 days if 250+ residents | Sensitive PI |
| Florida | 30 days | 30 days (AG if 500+) | PI |
| Massachusetts | "As soon as practicable" | AG + Director of OCABR | PI of MA residents |
| Washington | 30 days | AG within 30 days if 500+ | PI |
⚠️ Note: This table shows 8 key jurisdictions. All 50 US states, plus DC and the US territories, have breach notification laws with varying timelines (typically 30 to 60 days) and varying regulator thresholds. Consult your legal counsel for state-specific requirements.
Notification Letter Templates
Use these templates as a starting point. Customize with your specific breach details. Always have your legal counsel review before sending.
Template 1: Individual Notification Letter
[Date]
Dear [Name],
We are writing to inform you of a data security incident that may have involved your personal information. We take the protection of your data very seriously and want to provide you with information about the incident, our response, and steps you can take to protect yourself.
What Happened:
On [Date], we discovered that an unauthorized party gained access to [System/Database] between [Start Date] and [End Date]. We immediately launched an investigation with the assistance of cybersecurity experts.
What Information Was Involved:
The information that may have been accessed includes: [List specific data types: names, addresses, SSN, financial account numbers, etc.].
What We Are Doing:
- We have contained the incident, secured the affected systems, and remediated the access path the unauthorized party used.
- We have notified law enforcement and are cooperating with their investigation.
- We are offering [12/24] months of free credit monitoring services through [Provider].
What You Can Do:
- Enroll in the free credit monitoring services (see enclosed instructions).
- Place a fraud alert or security freeze on your credit file.
- Monitor your account statements for suspicious activity.
For more information, please contact our dedicated helpline at [Phone Number], available [Hours]. We sincerely apologize for this incident and any inconvenience it may cause.
Sincerely,
[Name]
[Title]
[Company]
Template 2: Regulatory Notification (State AG)
[Date]
Office of the Attorney General
[State] Department of Justice
[Address]
Re: Notice of Data Security Incident
Dear Attorney General,
Pursuant to [State Statute], [Company Name] is providing notice of a data security incident that may have affected [Number] residents of [State].
Incident Summary:
On [Discovery Date], we discovered unauthorized access to [System]. The incident occurred between [Start Date] and [End Date]. We immediately engaged cybersecurity experts and law enforcement.
Data Elements Involved:
[List: SSN, driver's license, financial account numbers, etc.]
Number of Affected Residents: [Number] residents of [State]
Notification Timeline:
Individual notification letters were mailed on [Date], in compliance with [State Law]. A sample notification letter is enclosed.
Remedial Measures:
- Secured affected systems
- Engaged forensic investigators
- Offered free credit monitoring to affected individuals
- Implemented enhanced security controls
Please contact [Contact Name] at [Email/Phone] for additional information.
Sincerely,
[Name]
[Title]
Key Regulatory Contacts
GDPR (European Union)
Who: Your lead supervisory authority (based on main establishment)
When: Within 72 hours of becoming aware of the breach (unless it is unlikely to result in a risk to individuals)
California (Civ. Code §1798.82)
Who: California Attorney General
When: Without unreasonable delay (if more than 500 California residents are notified). The CCPA does not itself set the notification duty; it adds a private right of action for breaches caused by failing to maintain reasonable security.
Credit Bureaus (1,000+ affected)
Equifax, Experian, TransUnion
Provide details of the breach, timing, and number of affected individuals.
Frequently Asked Questions
How quickly must I notify individuals of a data breach?
Timelines vary by jurisdiction. Under GDPR, the 72-hour clock applies to notifying the supervisory authority; individuals must be told without undue delay when the breach is likely to result in a high risk to them. Most US states require notification "without unreasonable delay", usually with an outer limit of 30 to 60 days from discovery. HIPAA requires notification within 60 days of discovery. California requires notification without unreasonable delay.
What are the penalties for late breach notification?
Penalties are severe. Failures of the GDPR notification duties (Articles 33 and 34) fall in the lower fine tier of up to €10 million or 2% of global annual turnover, whichever is higher; the €20 million / 4% tier applies to violations of the core processing principles and data-subject rights. US state penalties vary: California, for example, allows $2,500 per violation and $7,500 per intentional violation. HIPAA civil penalties are tiered from $100 to $50,000 per violation, with an annual cap of $1.5 million per violation type before the inflation adjustments HHS publishes each year.
Do I need to notify regulators or just affected individuals?
Most laws require BOTH. You typically must notify: 1) Affected individuals, 2) State Attorney General (if residents affected), 3) Regulatory bodies (e.g., HHS for HIPAA, your lead supervisory authority under GDPR, or the ICO under the UK GDPR), and 4) Consumer reporting agencies if the breach affects more than 1,000 people.
Need Help Navigating Notifications?
Breach notification is complex and the penalties for mistakes are severe. Connect with IR firms that specialize in regulatory compliance and can handle multi-jurisdictional notifications.