Breach Notification

The legal requirement to inform affected individuals, regulators, and other parties when personal data has been compromised in a security breach.

Also known as: Data Breach Notice, Security Breach Notification

What is Breach Notification?

Breach notification is the process of informing affected parties when a security incident results in unauthorized access to personal or sensitive data. Most privacy regulations mandate specific notification requirements with defined timelines.

Regulatory Requirements

GDPR (EU)

  • 72-hour notification to the supervisory authority
  • "Without undue delay" to affected individuals
  • Individual notification applies to high-risk breaches

HIPAA (US Healthcare)

  • 60 days to affected individuals
  • 60 days to HHS for breaches affecting 500 or more individuals
  • Annual report to HHS for smaller breaches

CCPA (California)

  • "Expedient" notification, i.e. in the "most expedient time possible"
  • No specific timeline in days

State Breach Laws

  • Requirements vary by state
  • Deadlines are typically 30-60 days
  • Definitions of what counts as a breach differ between states

Notification Contents

Required Information

  • Nature of the breach
  • Types of data affected
  • Timeline of events
  • Steps being taken
  • Contact information
  • Protective measures individuals can take

Notification Process

  1. Identify and Confirm
    • Validate the breach
    • Assess scope and impact
  2. Contain and Investigate
    • Stop ongoing exposure
    • Forensic analysis
  3. Assess Requirements
    • Determine applicable laws
    • Identify notification obligations
  4. Notify
    • Regulators (if required)
    • Affected individuals
    • Other parties (credit bureaus, etc.)
  5. Document
    • Record all actions
    • Maintain evidence