The Race Against Time After a Data Breach

A data breach is every organization's nightmare. Customer data exposed, regulatory obligations triggered, reputational damage mounting by the hour. In the critical hours and days following a breach, one of the most urgent tasks is determining your notification obligations — who must be notified, what must the notice contain, and most critically, by when. Getting these answers wrong compounds the breach with regulatory penalties that can dwarf the breach's direct costs.

Global data breach notification laws have proliferated rapidly. As of 2026, over 140 countries have enacted mandatory breach notification legislation. Each has different triggers, timelines, content requirements, and penalties. This guide maps the landscape for organizations operating internationally.

GDPR: The 72-Hour Gold Standard

Under Article 33 of the GDPR, controllers must notify the relevant supervisory authority of a personal data breach "without undue delay and, where feasible, not later than 72 hours after having become aware of it." The 72-hour clock starts when the controller has "a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised" — not when the investigation is complete.

The notification must include: (1) the nature of the breach including categories and approximate number of data subjects and records; (2) the name and contact details of the Data Protection Officer; (3) the likely consequences of the breach; and (4) the measures taken or proposed to address the breach and mitigate adverse effects. Where all information is not available simultaneously, it may be provided in phases without undue further delay.

If the breach is likely to result in a "high risk to the rights and freedoms of natural persons," the controller must also communicate the breach to the affected individuals without undue delay (Article 34). Exceptions apply if the controller has implemented appropriate technical and organizational protection measures that rendered the data unintelligible (e.g., encryption), subsequent measures ensure the high risk is no longer likely to materialize, or individual communication would involve disproportionate effort (in which case public communication is required).

Penalties: up to €10 million or 2% of global annual turnover for notification failures (Article 83(4)), separate from penalties for the underlying security failure.

United States: The Patchwork of State Laws

The US has no single federal data breach notification law (though comprehensive federal legislation has been proposed repeatedly). Instead, all 50 states plus DC, Guam, Puerto Rico, and the US Virgin Islands have enacted their own laws. While they share basic features, the differences are numerous and critical.

Key variations among US state laws:

  • Definition of "personal information": All states include name plus SSN, driver's license, or financial account number. Some states add: biometric data, medical information, health insurance ID, passport number, taxpayer ID, digital signatures, email address with password, and genetic data. California's definition is the broadest.
  • Notification deadline: Most states require notification "without unreasonable delay" (vague). Some set specific deadlines: Florida (30 days), Colorado (30 days), Washington (45 days), and California (the most detailed — notification "in the most expedient time possible and without unreasonable delay").
  • Harm threshold: Some states require notification only if the breach is reasonably likely to cause harm. Others (including California) require notification for any breach of unencrypted personal information regardless of harm assessment.
  • Regulator notification: Many states require notification to the state Attorney General (often simultaneously with consumer notification, sometimes with a threshold — e.g., 500+ residents in California, 1,000+ in some states).
  • Credit monitoring requirements: California, Connecticut, and Delaware require the breached entity to offer free credit monitoring services (12-24 months) in certain circumstances.

California's CCPA/CPRA provides a private right of action for consumers whose personal information is breached due to the business's failure to implement reasonable security procedures. Statutory damages of $100-$750 per consumer per incident, plus actual damages and injunctive relief.

Other Major Jurisdictions

  • Canada (PIPEDA): Mandatory breach notification since 2018. Organizations must notify the Privacy Commissioner, affected individuals, and potentially other organizations. The test: "real risk of significant harm." Record-keeping required for all breaches regardless of risk level.
  • Brazil (LGPD): Notification to the ANPD (National Data Protection Authority) and affected individuals within a "reasonable timeframe." The ANPD may require broader public disclosure in serious cases.
  • Japan (APPI): Mandatory notification to the Personal Information Protection Commission and affected individuals for breaches likely to harm individual rights and interests.
  • Australia (Privacy Act): Mandatory notification where a breach is likely to result in "serious harm." The OAIC (regulator) must be notified, and affected individuals must be notified with recommendations for protective steps.
  • India (DPDP Act 2023): Mandatory notification to the Data Protection Board and affected individuals. Details are evolving as the Board publishes regulations.

What Every Data Breach Notice Must Contain

While variations exist, the gold standard notice includes: (1) a description of what happened (in plain language — no technical jargon); (2) the types of personal information involved; (3) the steps the organization has taken to contain the breach and prevent recurrence; (4) the steps affected individuals should take to protect themselves (monitor accounts, place fraud alerts, freeze credit); (5) contact information for questions (toll-free number, website, email); and (6) information about free credit monitoring or identity theft protection if being offered.

Generate Data Breach Notifications with LegalNoticeGenerator.com

Our AI generates jurisdiction-compliant data breach notifications for 200+ countries. From GDPR to US state-specific notices, get properly formatted notifications that satisfy regulatory requirements. Free to start — be prepared before the breach happens.