What Is Breach Notification?
Breach notification is the legally mandated process of informing affected individuals, government regulators, and in some cases the media that a data security incident has compromised personal or protected information. The obligation arises from a patchwork of state laws, federal sector-specific rules, and foreign regulations, each with its own trigger thresholds, timing requirements, and content standards. For firms in data breach response, the notification phase is where legal exposure crystallizes: done correctly, it limits liability; done late or incompletely, it invites regulatory enforcement and civil litigation.
How Breach Notification Works in Practice
The Trigger: What Constitutes a Breach
A breach is not every security incident. Most statutes define it as unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information. The definition of "personal information" varies by jurisdiction. California's Civil Code section 1798.82 covers names combined with Social Security numbers, driver's license numbers, financial account numbers, medical information, or health insurance information.
Other states add biometric data, tax identification numbers, or login credentials. The Health Insurance Portability and Accountability Act (HIPAA), 45 CFR 164.404, uses a separate standard for protected health information: unauthorized access, use, or disclosure that poses a significant risk of financial, reputational, or other harm to the individual.
Determining whether a breach has occurred is a judgment call that falls to the breached entity's legal counsel, often with input from forensic investigators. The firm you run may be retained to make this determination, or to challenge a client's overly narrow conclusion that no breach occurred.
The Clock: Notification Timelines
Once a breach is confirmed, the countdown begins. State laws range from "without unreasonable delay" to specific day limits. California requires notification to affected residents "in the most expedient time possible and without unreasonable delay," not to exceed 60 days from discovery. New York's General Business Law section 899-aa imposes a similar standard. The HIPAA Breach Notification Rule, 45 CFR 164.408, demands notification to affected individuals within 60 days of discovery, to the Secretary of Health and Human Services without delay (and annually for breaches affecting fewer than 500 individuals), and to prominent media outlets for breaches affecting more than 500 residents of a state or jurisdiction.
The European Union's General Data Protection Regulation (GDPR), Article 33, imposes a 72-hour window for notification to supervisory authorities, with a separate obligation to inform data subjects "without undue delay" where high risk is involved. For firms with multinational clients, these timelines run concurrently and may conflict.
The Recipients: Who Must Be Told
The notification pyramid has three tiers. Affected individuals sit at the base: they receive direct notice by mail, email, or telephone, depending on the scale of the breach and the contact information available. State attorneys general or designated regulators form the second tier, often receiving notice in parallel or shortly after individual notice. The third tier, media notification, applies only to large-scale breaches under specific statutes and is designed to reach individuals whose contact information was compromised.
The content of notices is prescribed. California requires specific elements: the date of the breach, the types of information involved, steps taken to protect individuals from further harm, and contact information for the breached entity. HIPAA notices must include a brief description of the breach, the types of information involved, steps individuals should take, what the covered entity is doing to investigate and prevent recurrence, and contact procedures. Many states now require an offer of credit monitoring or identity theft protection services when Social Security numbers or financial account numbers are involved.
Why Breach Notification Matters to the Firm Owner
For a data breach response firm, notification is the revenue event that follows the forensic investigation. The client, often a general counsel or chief information security officer facing board pressure, needs the notification executed correctly and documented defensively. Your firm's role may be to draft notices, manage vendor relationships for printing and mailing, interface with regulators, or advise on the timing and content decisions that limit liability.
The economics are straightforward and recurring. A single breach affecting 100,000 individuals generates substantial work: legal review of notice content, coordination with call center vendors, management of credit monitoring enrollment, and response to individual inquiries. Breaches affecting millions trigger media notice requirements and regulatory scrutiny that multiply the workload. The notification phase also creates downstream engagement: regulatory defense, civil litigation, and remediation of information security practices.
Mistakes in this phase are costly and visible. A notification sent to the wrong address list exposes the client to additional claims. A notice that understates the scope of compromised information may be challenged as deceptive. A missed deadline opens the door to state attorney general enforcement and private litigation under state consumer protection laws. Your firm's reputation depends on precision in execution.
Where Practitioners Get It Wrong
The "No Harm" Misconception
A common and expensive error is the assumption that notification is unnecessary if the breached entity can show no actual misuse of compromised data. Most state statutes do not require proof of harm to trigger the notification obligation. The unauthorized acquisition of covered data types is sufficient. Under HIPAA, the burden shifts: the covered entity must demonstrate that there is a low probability the information has been compromised, based on a risk assessment of four factors specified in 45 CFR 164.402. Firms that advise clients to delay notification pending evidence of misuse are often creating liability, not preventing it.
The Multi-State Maze
Practitioners frequently apply a single standard across all affected individuals, typically the strictest state's requirements, to avoid analyzing each jurisdiction separately. This is administratively efficient but may over-disclose in ways that increase litigation exposure. Conversely, applying a least-common-denominator approach misses state-specific requirements, such as Colorado's mandate to notify the attorney general within 30 days for breaches affecting 500 or more residents, or Maine's requirement for notice to the state police. The correct approach is jurisdiction-by-jurisdiction analysis, automated where possible through breach notification platforms, with legal review of edge cases.
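The jurisdiction-by-jurisdiction analysis described above, and the timelines in the earlier section, are the kind of rule table a breach notification platform automates. The following is an added illustration, not code from this glossary or from any real platform: it encodes only the numeric limits quoted on this page (California's 60 days, Colorado's 30 days at the 500-resident threshold, HIPAA's 60 days with media notice above 500 residents of a state, GDPR's 72 hours) as a hypothetical, deliberately partial rule table, and computes each obligation's outer deadline from the discovery time. Jurisdictions for which the page gives no number (New York, Maine) are left out rather than guessed, and the non-numeric standards ("without unreasonable delay", HHS notice "without delay") are not modeled, so the dates it produces are ceilings for legal review, not targets.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical, partial rule table transcribed from the numeric limits quoted in
# the article (CA, CO, HIPAA, GDPR). It is an assumption for illustration, not a
# maintained legal reference: jurisdictions with no number on the page (New
# York's "similar standard", Maine's state-police notice) are intentionally absent.
@dataclass(frozen=True)
class Rule:
    regime: str            # statute or regulation the limit comes from
    recipient: str         # notification tier: individuals, regulator, media
    limit: timedelta       # outer limit measured from discovery
    min_affected: int = 1  # threshold of affected persons for the rule to apply

STATE_RULES: Dict[str, List[Rule]] = {
    "CA": [Rule("CA Civ. Code 1798.82", "affected residents", timedelta(days=60))],
    "CO": [Rule("Colorado breach statute", "state attorney general",
                timedelta(days=30), min_affected=500)],
}
GDPR_RULE = Rule("GDPR Art. 33", "supervisory authority", timedelta(hours=72))
HIPAA_INDIVIDUAL = Rule("HIPAA 45 CFR 164.408", "affected individuals", timedelta(days=60))
# "more than 500 residents of a state" is strictly greater than 500
HIPAA_MEDIA = Rule("HIPAA 45 CFR 164.408", "prominent media outlets",
                   timedelta(days=60), min_affected=501)
NON_US = {"EU"}  # keys of the affected-count map that are not US states


@dataclass(frozen=True)
class Obligation:
    deadline: datetime
    jurisdiction: str
    regime: str
    recipient: str


def notification_schedule(discovered: datetime, affected: Dict[str, int],
                          includes_phi: bool = False) -> List[Obligation]:
    """Return every applicable notice obligation, earliest deadline first.

    affected maps a jurisdiction code ("CA", "CO", "EU", ...) to the number of
    its residents whose data was involved. includes_phi switches on the HIPAA
    rules for protected health information.
    """
    found: List[Obligation] = []

    def add(jurisdiction: str, rule: Rule, count: int) -> None:
        # A rule applies only once the affected count reaches its threshold.
        if count >= rule.min_affected:
            found.append(Obligation(discovered + rule.limit, jurisdiction,
                                    rule.regime, rule.recipient))

    for code, count in affected.items():
        for rule in STATE_RULES.get(code, []):
            add(code, rule, count)
        if code == "EU":
            add(code, GDPR_RULE, count)
        if includes_phi and code not in NON_US:
            add(code, HIPAA_MEDIA, count)  # media notice is assessed per state
    total = sum(affected.values())
    if includes_phi and total > 0:
        add("ALL", HIPAA_INDIVIDUAL, total)  # individual notice is not per state
    return sorted(found, key=lambda o: (o.deadline, o.jurisdiction, o.recipient))


def earliest_deadline(schedule: List[Obligation]) -> Optional[datetime]:
    """The first clock to expire; the date the whole response must be paced to."""
    return schedule[0].deadline if schedule else None


if __name__ == "__main__":
    # Constructed sample incident: PHI involved, 120,000 Californians, 499
    # Coloradans (one short of Colorado's AG threshold), 40 EU data subjects.
    discovered = datetime(2024, 1, 10, 9, 0)
    for o in notification_schedule(discovered, {"CA": 120_000, "CO": 499, "EU": 40},
                                   includes_phi=True):
        print(f"{o.deadline:%Y-%m-%d %H:%M}  {o.jurisdiction:<4}{o.regime:<24}{o.recipient}")
```

Running it on the constructed sample shows why the timelines "run concurrently": the GDPR clock expires three days after discovery while the California and HIPAA clocks expire 60 days out, and the 499 Colorado residents fall one short of triggering the attorney general notice, which is exactly the edge case that a least-common-denominator approach would miss or a strictest-state approach would over-disclose.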
The Vendor Liability Gap
Many breach response firms outsource printing, mailing, and call center operations to specialized vendors. The contracts with these vendors often lack adequate indemnification and data security provisions. If the vendor mishandles the notification list, or if the call center operators provide incorrect information to affected individuals, the breached entity will look to your firm for recourse. Firms that do not negotiate these contracts with the same rigor applied to client engagements are assuming unquantified liability.
Related Terms
A practitioner in data breach response should also understand incident response, the broader operational process that precedes and encompasses notification; chain of custody, the forensic protocol for preserving evidence that supports the breach determination; and root cause analysis, the method for identifying the vulnerability that enabled the breach.
Business interruption is the insurance and operational concept that often runs parallel to breach response for significant incidents. These terms appear in the same client engagements, and fluency across them distinguishes a transactional vendor from a trusted advisor.
If you run a data breach response practice, the ROI Wire program for crisis and forensic firms connects your firm to general counsel and risk managers who are evaluating breach response retainers before an incident occurs. For more terms in this division, return to the Crisis and Forensic glossary hub.
Your breach notification letters are timed to the hour. Your deal flow is not.
A 45-minute call maps how Email Correspondence and Direct Mail reach the general counsel and privacy officers who have not yet seen your response protocol. You will leave with a named list and a sequence built to your vertical.