Cyber Breach Notification Deadlines

A consolidated reference of the major cyber breach notification clocks that US organizations operate under. Last reviewed April 7, 2026.

Federal — United States

| Regulation | Deadline | Clock Trigger | Notify |
|---|---|---|---|
| SEC 8-K Item 1.05 | 4 business days | Determination of materiality | SEC via Form 8-K |
| HIPAA Breach Notification Rule | 60 days (individuals); 60 days (HHS if ≥500) | Discovery of breach | Individuals + HHS OCR + media (if ≥500 in state) |
| GLBA Safeguards Rule (FTC) | 30 days | Discovery of notification event affecting ≥500 consumers | FTC |
| CIRCIA (when effective) | 72 hours (substantial incident); 24 hours (ransomware payment) | Reasonable belief of covered cyber incident | CISA |

European Union

| Regulation | Deadline | Clock Trigger | Notify |
|---|---|---|---|
| GDPR Article 33 | 72 hours | Awareness of personal data breach | Lead DPA + concerned DPAs |
| GDPR Article 34 | Without undue delay | High risk to data subjects | Affected data subjects |
| NIS2 | 24 hours (early warning); 72 hours (full); 1 month (final) | Significant incident | National CSIRT / competent authority |
| DORA (financial entities) | Initial: as soon as possible; intermediate: 72 hours; final: 1 month | Major ICT incident | Competent authority |

US State Examples

| State | Deadline | Trigger |
|---|---|---|
| California (CCPA / 1798.82) | Without unreasonable delay | Discovery of unauthorized acquisition of PII |
| New York SHIELD Act | Most expedient time possible | Discovery of breach of private information |
| NY DFS Part 500 | 72 hours | Cybersecurity event with reporting to any supervisory body, or material harm |
| Texas (Bus. & Com. 521.053) | 60 days | Discovery of breach |
| Florida (FIPA) | 30 days | Discovery of breach |
| Illinois (PIPA) | Most expedient time possible, without unreasonable delay | Discovery of breach |
| Virginia (VA Code 18.2-186.6) | Without unreasonable delay | Discovery or notification |
| Colorado (CPA 6-1-716) | 30 days (residents); 30 days (AG if ≥500) | Discovery of breach |

Industry / Contractual

| Framework | Deadline | Clock Trigger |
|---|---|---|
| PCI DSS | Immediately | Suspected account data compromise |
| Cyber insurance (typical) | 24–72 hours | First awareness of potential claim |
| Customer DPAs (typical) | 24–72 hours | Security incident involving customer data |

Disclaimer: This table is a quick reference for planning and exercise purposes. It is not legal advice. Deadlines, exemptions, and triggers vary by jurisdiction and by fact pattern. Verify with counsel during any actual incident. For the operational workflow, see our Incident Response Playbook, SEC 96-Hour Notification, and GDPR 72-Hour Notification.