
How to Handle Data Breach Notifications

  • Updated: July 2, 2026
  • Read time: 12 min

When you discover a hacker has accessed your systems, the scramble is on. Nobody’s first instinct is to suggest, “Let’s tell all our customers what just happened.” But as tempting as it is to bury a breach, that approach has a couple of serious drawbacks:

  1. Any good public relations consultant will tell you that the best way to manage bad news is to get ahead of it and drive the narrative.
  2. Staying silent is probably illegal.

Data breach notification laws now cover all 50 states, Washington D.C., Puerto Rico, and the U.S. Virgin Islands. And they’re getting stricter. Several states have moved to firm 30-day deadlines. Federal regulators—including the FTC, SEC, and CISA—have added their own layers on top. The landscape that existed in 2020 looks nothing like the one businesses face today.

Understanding your obligations before a breach happens is the only way to meet them after one does.

What Are Data Breach Notification Laws?

Data breach notification laws require businesses to alert affected individuals (and in many cases, regulators) when a security incident exposes protected personal information. The specific requirements vary by state and industry, but the core obligation is the same: if protected data was compromised, you have a duty to disclose it.

These laws exist because timely notification gives people a chance to act. A customer who learns their Social Security number was exposed can freeze their credit, monitor for fraud, and file an alert with the IRS before real damage occurs.

The challenge for businesses is the sheer variation in how these laws are written. Timing requirements, covered data types, notification content, and who must be notified all differ by jurisdiction and industry. And because most organizations operate across multiple states—or serve customers in states where they aren’t headquartered—the compliance picture is rarely simple.

The Notification Landscape Has Changed Significantly


The “Wild West” description used to accurately capture state breach notification law. It still applies in some ways, but the trend is much clearer than it used to be: stricter timelines, broader coverage, and more active enforcement.

Here’s what’s changed in recent years:

30-day deadlines are becoming the standard. California’s SB 446 took effect January 1, 2026, requiring notification within 30 calendar days of discovery. New York followed with its own 30-day mandate. Colorado and Florida have maintained similar timelines. More states are expected to follow.

Regulators now have mandatory notification requirements too. Many states now require businesses to notify the state attorney general—not just affected consumers—when a breach exceeds a certain threshold. New York, Pennsylvania, California, and others have added this requirement in recent years.

Federal agencies are expanding their rules. The SEC amended Regulation S-P in 2024, requiring broker-dealers, investment companies, and registered investment advisers to notify customers of breaches affecting their information. CIRCIA—the Cyber Incident Reporting for Critical Infrastructure Act—established new federal incident reporting requirements for critical infrastructure organizations, with final rules expected in 2026.

Penalties are significant … and growing. Florida imposes fines of $1,000 per day for the first 30 days of non-compliance, climbing to $50,000 per 30-day period after that. Delaware sets penalties at up to $10,000 per violation. Colorado caps aggregate fines at $500,000.

Which Businesses Are Subject to Breach Notification Requirements?

Nearly every business that collects or stores personal information has notification obligations somewhere. The healthcare and financial services industries face the most complex requirements because they hold the most sensitive data. But the common assumption that small businesses are exempt is wrong.

Notification laws do not have a size threshold. A company with 10 employees has the same disclosure obligations as one with 10,000 if the breach involves protected data. And small businesses are increasingly targeted precisely because they tend to have fewer defenses.

Industries with additional layers:

  • Healthcare: HIPAA’s Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services, and, for breaches affecting 500 or more people, local media. Businesses handling electronic health records that fall outside HIPAA coverage may also be subject to the FTC’s Health Breach Notification Rule.
  • Financial services: SEC Regulation S-P now requires financial firms to notify customers when their information is compromised. State insurance regulators have added their own requirements for insurance licensees.
  • Critical infrastructure: CIRCIA imposes federal cyber incident reporting obligations on sectors including energy, healthcare, water systems, and communications.

If you aren’t sure which rules apply to your business, that’s the first thing to find out. It’s a question for legal counsel, not a general internet search.

What Triggers a Data Breach Notification?


This is where things can get complicated pretty quickly. The answer depends on what data was accessed, what state law applies, and whether the data was encrypted.

Not every breach requires notification. The key question isn’t whether someone got into your system. It’s whether they accessed protected data, and whether that data was encrypted. Many states provide safe harbors when compromised data was properly encrypted at the time of the breach. A hacker who extracts an encrypted file may not trigger notification requirements. A hacker who walks out with plaintext names and Social Security numbers almost certainly does.

The difference between accessible and accessed also matters. A digital forensics team can often determine exactly what the attacker saw, touched, and exfiltrated. If protected data was exposed but not accessed, some states don’t require notification while others do. Your forensics team’s findings will shape your legal obligations more than almost any other factor.

What data counts as protected? Most state laws focus on personally identifiable information (PII): names combined with Social Security numbers, driver’s license numbers, financial account numbers, medical information, or login credentials. A name alone rarely triggers notification. A name paired with an unencrypted account number typically does.

Third-party breaches create the same obligations. If a vendor you work with is breached and your customers’ data is exposed as a result, your notification obligations are the same as if your own systems had been attacked. Third-party involvement in breaches has grown sharply: Verizon’s 2026 Data Breach Investigations Report found it doubled in a single year. Your obligations don’t shrink because the breach originated elsewhere.

Data Breach Notification Laws by State

Every state has its own breach notification statute. The specifics (timelines, covered data, notification content, and who must be notified) vary considerably. There are a few key patterns:

Timing: Most states use language like “without unreasonable delay” or set specific windows. States with firm deadlines include California (30 days), New York (30 days), Colorado (30 days), Florida (30 days), and others. Several states use 45- or 60-day windows. A few leave timing ambiguous.

Attorney general notification: An increasing number of states require businesses to notify the state AG, often when the breach affects 500 or more residents. Pennsylvania, New York, Oklahoma, and California are among those with this requirement.

Credit monitoring: Some states require businesses to offer free credit monitoring when certain types of data are exposed, particularly Social Security numbers.

Conflict of laws: Businesses operating across state lines face overlapping obligations. Which state’s law applies depends on factors like where data is stored, where affected customers are located, and who controls the data. A company headquartered in one state with customers in 20 others may face notification obligations under multiple statutes simultaneously.

Your First Steps When a Breach Happens


The best breach responses are built before the breach occurs. When a breach does happen, time is your most constrained resource.

  1. Secure your systems. Take affected systems offline as quickly as possible. However, don’t turn machines off before forensic experts arrive. Powering down destroys evidence. Disconnect affected devices from the network instead. Change credentials for all affected accounts. Closely monitor entry and exit points across your environment.
  2. Call your forensics team. Your digital forensics team will capture system images, trace the attacker’s path, identify what was accessed, and document what happened. Their findings directly determine your notification obligations. Contact them early, and if you don’t have an established relationship with a forensics firm, build one now.
  3. Get legal counsel on the phone immediately. Some breach notification deadlines start as soon as you discover the breach. In some cases, windows are as short as 72 hours. Your attorney can help you understand which laws apply, what your disclosure obligations are, and how to protect communications under privilege.
  4. Notify law enforcement. Report the breach to your local police department immediately. If local law enforcement isn’t familiar with cybercrime investigations, escalate to the FBI or U.S. Secret Service. For mail theft, contact the U.S. Postal Inspection Service. Law enforcement may also be able to coordinate with forensic investigators.
  5. Assess your insurance coverage. Your cyber insurance policy likely has its own reporting requirements and timelines. Notify your carrier early. Failing to report promptly will probably affect your coverage.
  6. Build your communications plan. Develop messaging for every affected audience: customers, employees, business partners, and regulators. Be accurate and direct. Don’t withhold details that might help people protect themselves; doing so creates both ethical and legal exposure.

What a Breach Notification Must Include

State laws typically specify what a notification must contain. The FTC’s general best practices, which apply when the governing requirements don’t specify otherwise, include:

  • A clear description of what happened
  • The date of the breach (if known)
  • What information was involved
  • How the stolen information has been used (if known)
  • What steps you’ve taken to contain the breach
  • What you’re doing to protect affected individuals going forward
  • Contact information for a designated point person at your organization
  • Resources for affected individuals including credit bureau contacts, how to place a fraud alert or credit freeze, and links to IdentityTheft.gov

For breaches involving Social Security numbers, the FTC recommends strongly encouraging affected individuals to place a free fraud alert or credit freeze on their credit files. When this type of information is exposed, affected individuals can become targets for tax identity theft and new-account fraud.

Consult with law enforcement before sending notifications. In some cases, premature disclosure can impede an active investigation. Law enforcement can advise on timing without extending your legal deadline.

What Happens If You Fail to Notify?


Civil penalties from state attorneys general. State AGs have broad authority to enforce breach notification laws. Fines vary by state but can escalate quickly, especially when non-compliance is willful or notification was significantly delayed.

Federal enforcement. The FTC takes action against companies that make false or misleading statements about their security practices, or that fail to meet federal obligations. The SEC has similar authority for regulated financial entities. CISA can pursue enforcement under CIRCIA for critical infrastructure organizations.

Private civil lawsuits. When businesses fail to notify customers as required, those customers may bring suit if they suffer harm as a result. A customer who had their identity stolen has a credible claim that delayed disclosure caused their injury.

Enforcement actions and class-action lawsuits following data breaches have grown sharply. And the IBM Cost of a Data Breach Report found that average breach costs in the United States reached $10.22 million—a record high driven in part by rising regulatory fines and escalating detection costs.

Build Your Response Before You Need It

The clearest lesson from breach response work is this: businesses that respond well had already prepared. They had a forensics team on retainer. They had legal counsel familiar with their industry and the states where they operate. They had a communications plan with draft notification letters ready to populate.

A solid incident response plan should include:

  • Defined roles and responsibilities for your breach response team
  • A pre-established relationship with a digital forensics firm
  • Qualified legal counsel with privacy and cybersecurity expertise
  • A cyber insurance policy with appropriate coverage and clear reporting procedures
  • Draft notification templates for customers, regulators, and business partners
  • A documented process for assessing what data was accessed and what laws apply

The scramble after a breach is not the time to figure any of this out. Organizations that treat preparation as optional discover—at the worst possible moment—that it wasn’t.

Don’t wait until the worst moment to start your response plan. Schedule a conversation with HBS before that happens.

  • Compliance, Data Safety, Governance, Incident Response, Policies