Breach Notification Requirements: Every Deadline You Need to Know
Breach notification requirements are the legal obligations that compel organizations to inform regulators, affected individuals, and sometimes law enforcement when personal data has been compromised. In the United States alone, all 50 states plus the District of Columbia, Guam, Puerto Rico, and the US Virgin Islands have enacted breach notification laws, each with different definitions of personal information, different notification triggers, and different deadlines. Layer on federal requirements from the SEC, HIPAA, GLBA, and FISMA, plus international frameworks like GDPR and PIPEDA, and you face a matrix of overlapping obligations that must be tracked in parallel from the moment a breach is confirmed.
Missing a single deadline can result in regulatory fines, private litigation, and loss of cyber insurance coverage. This guide consolidates the major notification frameworks into a single reference. For real-time deadline tracking during an active incident, the IR-OS regulatory deadlines tracker calculates applicable deadlines based on the data types involved and the jurisdictions affected.
What are the major federal breach notification deadlines?
| Regulation | Applies To | Deadline | Notify Whom | Penalty Range |
|---|---|---|---|---|
| SEC Item 1.05 (8-K) | Public companies | 96 hours (4 business days) from materiality determination | SEC + investors | Enforcement action, shareholder suits |
| HIPAA Breach Notification Rule | Covered entities, BAs | 60 days from discovery (individuals); annual for <500; immediate for >500 to HHS | HHS OCR, affected individuals, media (if >500 in a state) | $100 -- $1.9M per violation category |
| GLBA / FTC Safeguards Rule | Financial institutions | As soon as reasonably practicable, no later than 60 days | FTC, affected customers | FTC enforcement, consent orders |
| FISMA / OMB M-17-12 | Federal agencies | 1 hour (major incident to CISA); 72 hours (breach assessment to Congress) | CISA, Congress, OMB, affected individuals | Congressional oversight, IG investigation |
| CIRCIA (2024) | Critical infrastructure | 72 hours (covered incident); 24 hours (ransom payment) | CISA | Subpoena authority for noncompliance |
For a detailed walkthrough of the SEC requirement, see SEC 96-Hour Breach Notification: What Public Companies Must Do.
How do US state breach notification laws differ?
State breach notification laws vary across five key dimensions: definition of personal information, notification trigger, deadline, content requirements, and whether the state attorney general must be notified in addition to affected individuals. The trend is clearly toward shorter deadlines and broader definitions of personal information.
| State / Territory | Deadline | AG Notice Required | Notable Provisions |
|---|---|---|---|
| California (CCPA/CPRA) | Most expedient time possible | Yes (if >500 residents) | Broadest PII definition; private right of action for data breaches |
| Colorado | 30 days | Yes | One of the fastest state deadlines |
| Connecticut | 60 days | Yes | Includes biometric and health data triggers |
| Florida | 30 days (individuals); 30 days (AG) | Yes (if >500 residents) | Fines up to $500K for failure to notify |
| Illinois (PIPA) | Most expedient time possible | Yes | Biometric data under BIPA has separate requirements |
| Maine | 30 days | Yes | Requires credit monitoring if SSN involved |
| New York (SHIELD Act) | Most expedient time possible | Yes | Broadened PII to include biometric, email + password |
| Texas | 60 days | Yes (if >250 residents) | AG can bring action; penalties up to $250K per violation |
| Virginia (VCDPA) | 60 days | Yes | Consumer data protection act layered on top of breach law |
| Washington | 30 days | Yes | Includes health data; AG can impose $7,500 per violation |
This table is a representative selection, not a complete list. All 50 states have enacted breach notification laws. For the complete state-by-state reference, the National Conference of State Legislatures (NCSL) maintains the authoritative database.
What are the international breach notification deadlines?
| Framework | Jurisdiction | Deadline | Notify Whom |
|---|---|---|---|
| GDPR Article 33/34 | EU / EEA | 72 hours to DPA; without undue delay to data subjects (if high risk) | Supervisory authority, affected data subjects |
| UK GDPR | United Kingdom | 72 hours to ICO | ICO, affected data subjects |
| PIPEDA | Canada | As soon as feasible | Privacy Commissioner, affected individuals |
| LGPD | Brazil | Reasonable time (ANPD recommends 2 business days) | ANPD, affected data subjects |
| NDB Scheme | Australia | 30 days (assessment); as soon as practicable (notification) | OAIC, affected individuals |
| POPIA | South Africa | As soon as reasonably possible | Information Regulator, affected data subjects |
For the complete GDPR notification walkthrough, see GDPR 72-Hour Breach Notification: What You Actually Have to Do.
What triggers the notification clock to start?
The trigger is the single most important detail in any notification law, and it varies significantly across jurisdictions. Getting it wrong -- either starting the clock too late or too early -- creates legal exposure in both directions.
- Discovery-based triggers -- Most US state laws start the clock when the organization discovers or should have discovered the breach through reasonable diligence. This means the clock can start even if you have not yet confirmed the scope.
- Awareness-based triggers -- GDPR starts the clock when the data controller becomes "aware" of a personal data breach, which the Article 29 Working Party guidance interprets as the moment the controller has a reasonable degree of certainty that a security incident has occurred.
- Materiality-based triggers -- The SEC's Item 1.05 starts the clock at the point the company determines that the incident is material, which adds a judgment layer that discovery-based triggers do not have.
How do you track parallel notification obligations during a live incident?
A single breach affecting customers across multiple states and countries can trigger dozens of parallel notification obligations, each with its own deadline, content requirements, method of delivery, and regulatory recipient. Tracking this manually on a spreadsheet during the chaos of an active incident is how organizations miss deadlines.
The process requires three things:
- Jurisdiction mapping -- Identify every jurisdiction where affected individuals reside, where data was processed, and where the organization has regulatory obligations.
- Deadline calculation -- For each jurisdiction, determine the applicable trigger event, calculate the deadline from that trigger, and convert to a calendar date with a buffer.
- Content matrix -- Each jurisdiction specifies what the notification must contain. Some require a description of the data elements involved, others require a description of remediation steps, and several require specific contact information for credit monitoring services.
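The three steps above (jurisdiction mapping, deadline calculation with a buffer, and a per-recipient output) can be sketched as a small scheduler. The following is an added illustration, not IR-OS code and not the tracker's logic. Its rule table is a simplified transcription of a few rows from this article's tables, with assumptions stated in the comments: "days" are treated as calendar days, business days skip only Saturday and Sunday (no holiday calendar), and the HIPAA row models only the 60-day individual notice. The incident profile, trigger timestamps and rule names are constructed sample values; the `profile` keys such as `residents_CO` are this example's own convention.

```python
"""Toy scheduler for parallel breach-notification clocks (added example, not IR-OS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Trigger events named in the article; each regime starts its clock on one of them.
DISCOVERY = "discovery"
AWARENESS = "awareness"
MATERIALITY = "materiality_determination"


@dataclass(frozen=True)
class Rule:
    name: str
    applies_when: str        # incident-profile fact that brings this rule into play
    trigger: str             # which trigger event starts the clock
    recipient: str
    hours: int = 0           # hour-based clock (e.g. 72 hours)
    calendar_days: int = 0   # calendar-day clock (e.g. 60 days)
    business_days: int = 0   # business-day clock (e.g. 4 business days)


# Simplified rule table transcribed from the article's tables. Assumptions: "days" are
# calendar days; business days skip Saturday/Sunday only, with no holiday calendar;
# the HIPAA row covers only the 60-day notice to individuals.
RULES: List[Rule] = [
    Rule("GDPR Art. 33 (DPA)", "eu_data_subjects", AWARENESS, "Supervisory authority", hours=72),
    Rule("SEC Item 1.05 (8-K)", "public_company", MATERIALITY, "SEC + investors", business_days=4),
    Rule("HIPAA (individuals)", "phi", DISCOVERY, "Affected individuals", calendar_days=60),
    Rule("Colorado", "residents_CO", DISCOVERY, "Colorado AG + residents", calendar_days=30),
    Rule("Texas", "residents_TX", DISCOVERY, "Texas AG + residents", calendar_days=60),
]


def add_business_days(start: datetime, n: int) -> datetime:
    """Advance start by n weekdays (Mon-Fri), keeping the time of day."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:   # 0..4 = Monday..Friday
            remaining -= 1
    return current


def deadline_for(rule: Rule, triggers: Dict[str, datetime]) -> Optional[datetime]:
    """Legal deadline for one rule, or None if its trigger event has not happened yet."""
    start = triggers.get(rule.trigger)
    if start is None:
        return None
    if rule.hours:
        return start + timedelta(hours=rule.hours)
    if rule.business_days:
        return add_business_days(start, rule.business_days)
    return start + timedelta(days=rule.calendar_days)


def build_schedule(profile: Dict[str, bool], triggers: Dict[str, datetime],
                   buffer_hours: int = 24, rules: List[Rule] = RULES
                   ) -> Tuple[List[dict], List[str]]:
    """Map incident facts to applicable rules and compute every clock that has started.

    Returns (schedule sorted soonest-first, names of applicable rules whose clock has
    not started yet). internal_target is the legal deadline minus a buffer, so the
    draft reaches Legal review before the hard cutoff.
    """
    schedule, pending = [], []
    for rule in rules:
        if not profile.get(rule.applies_when):
            continue                      # jurisdiction mapping: rule not in play
        due = deadline_for(rule, triggers)
        if due is None:
            pending.append(rule.name)     # e.g. materiality not yet determined
            continue
        schedule.append({"rule": rule.name, "recipient": rule.recipient, "deadline": due,
                         "internal_target": due - timedelta(hours=buffer_hours)})
    schedule.sort(key=lambda row: row["deadline"])
    return schedule, pending


def sample_incident() -> Tuple[Dict[str, bool], Dict[str, datetime]]:
    """Constructed sample: EU data subjects and CO/TX residents affected, public company,
    no PHI; discovered Friday 2024-03-01, materiality decided the following Monday."""
    profile = {"eu_data_subjects": True, "public_company": True, "phi": False,
               "residents_CO": True, "residents_TX": True}
    triggers = {
        DISCOVERY: datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),
        AWARENESS: datetime(2024, 3, 1, 14, 0, tzinfo=timezone.utc),
        MATERIALITY: datetime(2024, 3, 4, 17, 0, tzinfo=timezone.utc),
    }
    return profile, triggers


if __name__ == "__main__":
    rows, not_started = build_schedule(*sample_incident())
    for row in rows:
        print(f"{row['deadline']:%Y-%m-%d %H:%M}  {row['rule']:<22} -> {row['recipient']}")
    print("clocks not started:", not_started)
```

Two design points matter in practice. First, a rule whose trigger has not fired is reported as pending rather than silently dropped, so the SEC clock is visible as "not started" until someone records the materiality determination. Second, every row carries both the legal deadline and an earlier internal target, which is what a tracker should page on.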
The IR-OS regulatory deadlines tracker automates this workflow. When an incident is classified, it identifies applicable jurisdictions based on affected data types and resident locations, calculates all deadlines, and generates jurisdiction-specific notification drafts for Legal review.
The penalty for late notification is not just regulatory fines. It is the loss of credibility with customers, the loss of insurance coverage for notification costs, and the plaintiff's attorney who will argue that the delay demonstrates negligence.
For authoritative regulatory text, consult the NCSL breach notification law database for US state laws and the GDPR Article 33 text for EU obligations.
Never miss a notification deadline
IR-OS calculates every applicable notification deadline the moment a breach is confirmed, tracks progress against each one, and generates jurisdiction-specific notification drafts.