A data breach or cyber incident triggers a cascade of legal obligations that most businesses are not prepared for. Within hours or days of discovering a security incident, you may be required to notify federal regulators, state attorneys general, affected individuals, law enforcement, and in some cases foreign regulators — each with its own definition of what constitutes a reportable incident, its own timeline for notification, and its own consequences for failure to comply. Getting these notifications right, on time, is one of the most urgent legal tasks a business faces in the wake of a security event.
This section covers the full landscape of security incident and data breach notification law in the United States, from the foundational state breach notification statutes that apply to almost every business to the sector-specific federal requirements that apply to financial institutions, healthcare organizations, government contractors, and critical infrastructure operators. The pages here explain what each framework requires, when it applies, and what the practical compliance obligations look like in the hours and days after an incident is discovered.
State Breach Notification Laws: The Baseline
All fifty states and most U.S. territories have enacted data breach notification laws that require businesses to notify affected residents when their personal information is compromised in a security incident. These laws share a common structure — define a triggering event, specify what information is covered, establish who must be notified and when, and impose penalties for non-compliance — but they differ significantly in their details. The definition of personal information, the timeline for notification, the threshold for triggering notification (some require notification only when harm is likely; others require it any time covered data is acquired by an unauthorized person), and the specific content required in notice letters all vary by state.
For a business with customers in multiple states — which describes virtually every online business and most businesses of any size — compliance requires mapping the incident to every state where affected individuals reside and satisfying the most demanding requirements of each. State attorneys general actively enforce these laws, and class action plaintiffs’ lawyers have made data breach notification a fertile area of litigation.
Federal Sector-Specific Requirements
Layered on top of state breach notification laws are federal sector-specific requirements that apply to certain types of businesses and certain types of data. Financial institutions subject to the Gramm-Leach-Bliley Act must comply with the FTC Safeguards Rule’s incident notification requirements, which impose a thirty-day notification obligation to the FTC when a security breach affects five hundred or more customers. Banking institutions supervised by the OCC, FDIC, or Federal Reserve face notification requirements under the banking agencies’ joint computer-security incident notification rule, which requires notification to the primary federal regulator within thirty-six hours of determining that a notification incident has occurred.
Healthcare organizations and their business associates subject to HIPAA face breach notification requirements under the HIPAA Breach Notification Rule, which requires notification to affected individuals within sixty days of discovering a breach, notification to the Department of Health and Human Services, and for breaches affecting five hundred or more individuals in a state or jurisdiction, notification to prominent media outlets. The New York Department of Financial Services cybersecurity regulation imposes its own incident reporting requirements on covered financial entities. And publicly traded companies must now comply with the SEC’s cyber incident disclosure rules, which require prompt Form 8-K disclosure of material cybersecurity incidents.
CIRCIA and Critical Infrastructure
The Cyber Incident Reporting for Critical Infrastructure Act, enacted in 2022, will create new mandatory cyber incident reporting obligations for critical infrastructure entities once CISA finalizes implementing regulations. CIRCIA will require covered entities to report significant cyber incidents to CISA within seventy-two hours and ransom payments within twenty-four hours. The definition of covered entity and covered incident is still being finalized through rulemaking, but businesses in the sixteen critical infrastructure sectors — including financial services, healthcare, energy, transportation, and communications — should expect to be subject to CIRCIA’s requirements and should be building reporting capabilities now.
Building a Notification-Ready Incident Response Program
The worst time to figure out your notification obligations is in the immediate aftermath of a security incident, when the pressure to act quickly conflicts with the need to understand complex legal requirements. Businesses that have mapped their notification obligations in advance — identifying which federal and state laws apply to their data and operations, establishing the internal processes for incident detection and classification, building relationships with outside counsel and forensic investigators before they are needed, and maintaining up-to-date contact information for required regulatory notifications — can meet their legal deadlines without sacrificing the investigation needed to understand the scope of the incident.
What This Section Covers
The pages in this section address the full range of security incident notification requirements: state attorney general notification obligations, the SEC cyber incident disclosure rules, NYDFS cybersecurity reporting requirements, GLBA and FTC Safeguards Rule reporting, banking agency notification rules, CMS incident reporting, NCUA credit union notification requirements, government contracting cyber incident reporting, and CIRCIA. Each page explains the specific legal requirements, timelines, and practical compliance obligations that businesses in the relevant sector face.