When your business experiences a data breach, your first instinct is usually to stop the damage. This can be done by securing your systems and figuring out what went wrong. Now, from a legal standpoint, there is another urgent aspect you cannot afford to ignore: Whom do you need to notify, and how fast should that be done? Data breach laws are complex because they differ from one state to another, and in some cases, by country. So, if you serve customers across multiple jurisdictions and have been hit by a data breach, knowing whom to notify and when is critical.
What is a Data Breach?
A data breach occurs when someone gains unauthorized access to, or discloses, personally identifiable information (PII). This can happen through hacking, phishing emails, stolen devices, poorly configured software, or even human error. Any business that stores customer data, especially payment or identity information, is at risk of experiencing a data breach. Even if you run a small business, you are not immune to these risks.
Breach notification laws all hinge on one thing: personal information. Personal information means a person’s first and last name combined with sensitive data about them. This may include a Social Security number, driver’s license or state ID number, financial account details, credit or debit card numbers, and even health information. If this kind of information is exposed, you, as a business, are legally obligated to notify the appropriate parties.
So, When is Notification Required?
Generally, businesses must notify affected individuals without unreasonable delay if the data breach is likely to result in identity theft, fraud, or other harm. The only exception is when law enforcement requests a delay because notification could interfere with an ongoing investigation.
As mentioned earlier, breach notification laws vary by state and even by country. For example, California requires businesses to notify affected individuals within 30 days of discovering a breach. And if more than 500 California residents are affected, the business must submit a sample notification to the California Attorney General shortly after notifying consumers. In other states, such as Michigan, the law allows businesses to forgo notification if they determine the breach is unlikely to cause significant harm. Given this disparity, it is advisable to consult a consumer data privacy and compliance attorney about the best course of action for your situation.
What About International Rules Like GDPR?
If your business handles data belonging to individuals in the European Union, the General Data Protection Regulation (GDPR) may apply. Under GDPR, a business must notify the appropriate supervisory authority within 72 hours of becoming aware of a breach if it presents a risk to people’s rights and freedoms. If the risk is substantially high, you must also notify the affected individuals.
What Should a Data Breach Notice Include?
When a notification is required, the message must be clear and easy to understand. It should include the following:
What happened in general terms
Type of information involved
A description of what the business has done to secure its systems
A contact number where customers can ask questions
A reminder to customers to stay alert for fraud or identity theft.
The Federal Patchwork: Sector-Specific Notification Laws
There is no single federal data breach notification law in the United States. Instead, sector-specific statutes impose breach notification requirements on particular industries. The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule, 45 C.F.R. §§ 164.400–414, requires covered entities and business associates to notify affected individuals within 60 days of discovering a breach involving unsecured protected health information, to notify the Secretary of the Department of Health and Human Services, and to notify prominent media outlets when 500 or more residents of a single state or jurisdiction are affected. The Gramm-Leach-Bliley Act (GLBA) and implementing rules require financial institutions to notify customers of breaches involving sensitive financial information, with the FTC’s 2023 amendments to the GLBA Safeguards Rule requiring notification of the FTC within 30 days of discovering a breach affecting 500 or more customers.
The Federal Trade Commission has authority under FTC Act Section 5 to pursue enforcement against companies that fail to protect consumer data and then misrepresent the breach or delay notification unreasonably. While the FTC does not administer a general federal breach notification law, it has brought enforcement actions and can seek civil penalties for violations of sector-specific rules it enforces. Congress has debated comprehensive federal breach notification legislation for decades without enacting it, leaving the primary regulatory burden on state law—which creates a compliance matrix for multi-state businesses.
State Breach Notification Laws: Triggers, Timelines, and Content
All 50 states, the District of Columbia, Puerto Rico, and several U.S. territories have enacted data breach notification laws. While they share common features, they differ in ways that matter for compliance. The key variables are: what constitutes a “breach” triggering notice (unauthorized acquisition of data, unauthorized access, or merely unauthorized disclosure?); what categories of personal information are covered (most states cover name combined with Social Security number, driver’s license number, financial account numbers with access credentials, and medical information; some states add biometrics, health insurance information, and username/password combinations); and what the notification deadline is. California, under Cal. Civ. Code § 1798.82, requires “expedient” notice with no specific deadline; New York, under the SHIELD Act, requires notification in “the most expedient time possible and without unreasonable delay”; Florida requires notification within 30 days; and Colorado requires notification within 30 days of determining that a breach occurred.
Some states also regulate notification content. California requires that notices sent to California residents include: a general description of what happened; the categories of personal information involved; what the business did to protect affected individuals; what individuals can do to protect themselves; contact information for the business; and contact information for major credit reporting agencies. Several states require providing free credit monitoring for a specified period when Social Security numbers were breached. Florida, Illinois, and New York impose additional content requirements that may differ from California’s template, requiring businesses to draft multiple state-specific versions of their breach notification letters.
When the Clock Starts: Defining “Discovery” of a Breach
Notification deadlines run from the date of “discovery” of the breach—a term most state laws define as when the business knew or reasonably should have known that a breach occurred. This standard creates a legal obligation to conduct prompt internal investigations when security alerts or anomalies suggest unauthorized access. Businesses that ignore threat alerts for weeks or months before investigating cannot argue that the discovery clock had not started. In addition, the investigation must be conducted with reasonable diligence: indefinitely characterizing an incident as “under investigation” to delay notification deadlines has drawn regulatory scrutiny from state attorneys general and the FTC.
Many notification statutes include a risk-of-harm safe harbor that excuses notification when the breached data is encrypted with industry-standard encryption and the encryption key was not also breached. However, this safe harbor is narrower than it appears. Data that is encrypted in transit but stored unencrypted, or data that is encrypted with weak or outdated algorithms, may not qualify. Businesses relying on encryption to avoid notification obligations should have documented, verified encryption standards and be prepared to demonstrate compliance to regulators who investigate the incident.
Notifying Regulators and Attorneys General
Many states require businesses to notify the state attorney general or a designated regulatory agency in addition to affected individuals. New York’s SHIELD Act requires notification to the New York AG when more than 500 New York residents are affected. California requires notifying the California AG when more than 500 California residents receive notification. Several states have AG-specific notification portals with their own formatting and content requirements. The GLBA’s 2023 amendment to the FTC Safeguards Rule requires non-bank financial institutions to file an electronic notification with the FTC within 30 days of a breach affecting 500 or more customers—even if individual customer notification is still pending.
Regulators treat AG notifications as early warning systems and may open investigations independently of any individual consumer complaint. State AGs have broad investigative authority under state consumer protection statutes and data breach laws to issue civil investigative demands for documents, data maps, security assessments, and communications related to the breach. Cooperation with AG investigations—responsive document production, clear communication, and credible remediation commitments—typically produces better outcomes than delay or obstruction. AGs have authority to seek civil penalties, injunctive relief, and, in some states, statutory damages on behalf of affected consumers.
Preparing Before a Breach: Incident Response Planning
The time to prepare for a data breach is before it happens. An incident response plan (IRP) should identify: a designated incident response team with defined roles; procedures for identifying, containing, and eradicating the threat; evidence preservation protocols to avoid spoliation; a decision tree for assessing whether the incident constitutes a notifiable breach under applicable law; template notification letters for individuals and regulators; and a public communications strategy. The IRP should be tested annually through tabletop exercises that simulate breach scenarios, including testing the notification workflow from discovery through final state AG reporting.
Retain experienced legal counsel as part of your IRP before a breach occurs. Retaining counsel after a breach has occurred means starting from scratch—finding attorneys, negotiating engagement terms, and getting them up to speed—while the clock is running. Counsel retained before a breach can structure the investigation under attorney-client privilege, which may protect internal forensic reports and legal memos from disclosure in subsequent litigation. In In re Capital One Consumer Data Security Breach Litigation, 488 F. Supp. 3d 374 (E.D. Va. 2020), the court addressed the conditions under which a forensic report prepared after a breach was or was not protected by privilege—a decision that underscores the importance of structuring breach investigations correctly from the outset.
If your business has experienced a data breach or is assessing its notification obligations, the privacy and data security attorneys at Revision Legal can help you respond quickly and correctly. Contact us through the form on this page or call (855) 473-8474. Our internet law practice handles breach response, regulatory notification, AG investigations, and incident response planning nationwide.