Breach Notification Laws and Obligations
Breach notification laws require organisations to alert regulators, affected individuals, and sometimes the public when personal data is compromised. This topic surveys the major frameworks, including GDPR, US state and federal laws, India's DPDP Act, and sector-specific rules from RBI and HIPAA, covering triggers, timelines, required content, and penalties for non-compliance.
Breach notification laws obligate organisations to inform regulators and individuals when personal data has been accessed, disclosed, or lost without authorisation. The obligation serves two purposes: it allows affected individuals to take protective action, and it enables regulators to enforce data protection standards. Every major jurisdiction now has some form of breach notification requirement, but they differ substantially in how a notifiable breach is defined, when notification must occur, what the notice must say, and how failure is punished. Organisations operating across borders must track multiple overlapping frameworks simultaneously.
The frameworks range from the EU General Data Protection Regulation's 72-hour supervisory-authority notification rule to the patchwork of 50 US state laws, each with its own definitions and timelines, to India's Digital Personal Data Protection Act 2023, which requires notification to the Data Protection Board and affected individuals but leaves detailed rules to subordinate legislation. Sector-specific regulators such as the US Department of Health and Human Services under HIPAA, the Reserve Bank of India for banking entities, and the Securities and Exchange Commission for public companies layer additional requirements on top of general data-protection rules. An organisation subject to multiple frameworks must satisfy the most stringent applicable deadline.
Breach notification sits at the intersection of incident response and legal compliance. The IR team's containment, forensic investigation, and impact-assessment work feeds directly into the legal team's ability to determine whether notification is required and what to say. Getting the sequencing right is operationally important: starting the notification clock, determining the scope of affected data, and drafting legally compliant notices must happen in parallel, not sequentially, because deadlines are short and regulators scrutinise delay.
By the end of this topic you will be able to:
- Identify the notification trigger, deadline, required content, and penalty structure under GDPR Articles 33 and 34.
- Explain why the US relies on state law rather than a single federal breach notification statute, and describe how sector-specific rules such as HIPAA and the FTC Health Breach Notification Rule interact with state laws.
- Describe the breach notification obligations under India's Digital Personal Data Protection Act 2023 and compare them with equivalent obligations in the EU and US.
- Explain the concept of a notification threshold and distinguish between the supervisory-authority notification obligation and the individual notification obligation.
- Describe how the incident response process feeds into breach notification decisions, including the role of impact assessment and the risk that delayed forensic investigation triggers regulatory penalties.
- Personal data breach: Under GDPR, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Most other frameworks use a similar functional definition, though some US state laws limit the trigger to specific categories of sensitive data such as Social Security numbers or financial account details.
- Notification trigger: The threshold condition that activates a legal notification obligation. Under GDPR the trigger is any personal data breach that poses a risk to individuals; below-risk breaches must be documented internally but not reported. Under many US state laws, the trigger is unauthorised access to defined categories of personal information without a risk qualification.
- Supervisory authority: The national data protection regulator responsible for enforcing GDPR in a given EU member state, such as the Irish Data Protection Commission or the French CNIL (and, for the post-Brexit UK GDPR, the UK Information Commissioner's Office). Controllers must notify the relevant supervisory authority within 72 hours of becoming aware of a notifiable breach.
- Data Fiduciary: The term used in India's Digital Personal Data Protection Act 2023 for an entity that determines the purpose and means of processing personal data, equivalent to the GDPR term 'controller'. Data Fiduciaries carry the breach notification obligation under the DPDP Act.
- Covered Entity / Business Associate: Terms used in the US HIPAA framework. Covered entities are healthcare providers, health plans, and healthcare clearinghouses. Business Associates are contractors that handle protected health information on their behalf. Both carry breach notification obligations under the HIPAA Breach Notification Rule (45 CFR Parts 160 and 164).
- Safe harbour (encryption): A provision in many breach notification frameworks that exempts organisations from individual notification obligations if the breached data was encrypted and the decryption key was not also compromised. GDPR Recital 83 and Article 34(3)(a) codify this; many US state laws include equivalent provisions.
GDPR: the 72-hour framework
The EU General Data Protection Regulation, in force since May 2018, established the most widely referenced breach notification framework globally. Article 33 requires a data controller to notify its competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it. The clock starts not when the breach occurs, but when the controller becomes aware of it. This distinction matters in practice: a controller may take reasonable time to confirm that an incident is indeed a personal data breach before the 72 hours begin, but awareness is assessed objectively. Wilful ignorance does not pause the clock.
Not every breach triggers a notification. The obligation is conditional: notification is required unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A controller that concludes no notification is required must document that risk assessment. Article 34 adds a second obligation, directed at individuals rather than regulators: if a breach is likely to result in a high risk to individuals' rights and freedoms, those individuals must be notified directly, without undue delay, in clear and plain language.
| Obligation | Recipient | Trigger | Deadline | Key content |
|---|---|---|---|---|
| Art. 33 supervisory notification | National data protection authority | Risk to rights and freedoms | 72 hours from awareness | Nature, categories and approx. numbers of records, DPO contact, likely consequences, mitigation measures |
| Art. 34 individual notification | Affected data subjects | High risk to rights and freedoms | Without undue delay | Plain-language description, contact details, recommended protective actions |
| Art. 33(5) internal record | Controller's own records | All breaches regardless of risk | Continuous | Facts, effects, remediation actions taken |
The 72-hour deadline is commonly misunderstood as requiring a complete and final notification. GDPR allows phased notification: a controller may submit an initial notification with what is known at the time and follow up with additional information as the investigation proceeds. The supervisory authority must be told if information is being provided in phases. This is operationally important because thorough forensic investigation of a complex breach typically takes longer than 72 hours.
US breach notification: state law and federal sector rules
The United States has no single comprehensive federal breach notification law. California enacted the first US state breach notification law in 2002 (SB 1386), and all 50 states, the District of Columbia, and several US territories have followed with their own statutes. The result is a patchwork in which the same breach may trigger different notification requirements depending on which state's residents are affected, what categories of data were involved, and whether sector-specific federal rules also apply.
State laws share a common structure: they define covered personal information (typically name plus a financial account number, Social Security number, driver's license number, or similar identifier), establish a notification trigger (usually unauthorised access to or acquisition of the covered data), set a deadline (ranging from 30 to 90 days in most states, though some allow reasonable time), and specify who must be notified (affected residents, often the state attorney general for breaches above a threshold number of individuals, and sometimes consumer reporting agencies). California's Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), add a private right of action for certain data breaches, creating litigation exposure on top of regulatory risk.
The SEC's 2023 rules deserve particular attention for publicly traded companies. A breach that meets the materiality standard (roughly, one that a reasonable investor would consider important to an investment decision) must be disclosed in an 8-K filing within four business days of the determination of materiality. This is not a 72-hour clock from breach discovery; it is a four-business-day clock from the internal determination of materiality. General counsel and the CISO must coordinate closely on when that determination is made.
India's Digital Personal Data Protection Act 2023
India's Digital Personal Data Protection Act 2023 (DPDP Act), which received presidential assent in August 2023 and is being brought into force in stages, establishes the primary breach notification framework for India. The Act requires Data Fiduciaries to notify the Data Protection Board of India and each affected Data Principal of any personal data breach, in a form and manner prescribed by the central government. As of mid-2026, the notification timeline and required content are set out in the DPDP Rules. The Act itself provides that significant Data Fiduciaries, a category to be notified by the central government based on volume of data processed and potential risk, face heightened obligations including mandatory appointment of a data protection officer.
Before the DPDP Act, breach notification obligations for entities in India arose primarily from the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 under the IT Act 2000. Those rules required a body corporate to notify individuals of a breach of sensitive personal data but lacked a specific timeline and did not require regulator notification. The DPDP Act represents a significant upgrade in the notification regime, bringing it closer to international standards.
Sector-specific rules add to the general DPDP framework. The Reserve Bank of India requires regulated entities (banks, NBFCs, payment system operators) to report cyber incidents including data breaches to the RBI within six hours of detection, under the RBI Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices (2023). This is one of the shortest notification windows of any framework globally. The Securities and Exchange Board of India (SEBI) requires market intermediaries to report cybersecurity incidents within six hours of detection to SEBI and CERT-In. CERT-In itself, under its 2022 directions, requires all entities to report incidents to CERT-In within six hours.
Determining the notification trigger and scope
The most operationally difficult step in breach notification is the trigger assessment: deciding whether an incident crosses the threshold that activates a notification obligation. Organisations with multi-jurisdictional data processing must run this assessment separately for each applicable framework, because the answer may differ. A breach of encrypted financial data may not trigger individual notification under GDPR (encryption safe harbour) but may still require supervisory authority notification. The same breach may trigger mandatory notification under a US state law that does not include an encryption carve-out.
The IR team's forensic investigation output, specifically the scope of affected data, the categories of individuals affected, and the likely means of access, feeds directly into the legal team's trigger assessment. A common mistake is to delay starting the legal analysis until the forensic investigation is complete. In practice, the forensic scope estimate and the legal analysis must run in parallel. Legal teams should receive interim forensic reports, even preliminary ones with uncertainty ranges, as soon as they are available, because the notification deadline is running.
For the individual notification obligation under GDPR Article 34, the threshold is higher: the breach must be likely to result in high risk. The European Data Protection Board's Guidelines 9/2022 provide a risk-assessment matrix. Factors include the type of data (special category data such as health or biometric data attracts higher risk), the number of individuals affected, how easily the affected individuals can be identified, and whether the data is encrypted or pseudonymised. Most organisations build a standardised breach assessment form that captures these factors and produces a documented risk conclusion.
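To make the parallel-clock point concrete, here is an added Python model (not from this page or any regulator) that takes one constructed incident and returns each triggered obligation with its deadline. The GDPR, SEC and RBI clocks follow the figures given above; "State X" is a hypothetical US state statute, assumed to have a 30-day deadline from awareness and no encryption carve-out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Incident:
    detected_at: datetime                # monitoring first flagged it (RBI-style clock)
    aware_at: datetime                   # controller confirmed a personal data breach (GDPR clock)
    materiality_at: Optional[datetime]   # internal SEC materiality determination, if any
    data_categories: frozenset           # e.g. {"financial_account", "name"}
    encrypted: bool                      # data was encrypted
    key_compromised: bool                # decryption key was also exposed
    risk_to_individuals: bool            # Art. 33 threshold: breach poses a risk
    high_risk: bool                      # Art. 34 threshold: likely high risk
    frameworks: frozenset                # regimes that apply to this organisation

# Hypothetical "State X" statute (constructed): these identifiers trigger it,
# the deadline is 30 days from awareness, and encryption gives no exemption.
STATE_X_SENSITIVE = frozenset({"ssn", "financial_account", "drivers_licence"})

def add_business_days(start: datetime, days: int) -> datetime:
    """Advance by N weekdays (Mon-Fri); the SEC 8-K clock counts business days."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current

def encryption_safe_harbour(inc: Incident) -> bool:
    """GDPR Art. 34(3)(a): encrypted data whose key was not compromised."""
    return inc.encrypted and not inc.key_compromised

def obligations(inc: Incident) -> dict:
    """Map each triggered obligation to its deadline; None = 'without undue delay'."""
    out = {}
    if "GDPR" in inc.frameworks:
        out["GDPR Art. 33(5) internal record"] = None      # always, regardless of risk
        if inc.risk_to_individuals:
            out["GDPR Art. 33 supervisory"] = inc.aware_at + timedelta(hours=72)
        if inc.high_risk and not encryption_safe_harbour(inc):
            out["GDPR Art. 34 individuals"] = None
    if "SEC" in inc.frameworks and inc.materiality_at is not None:
        out["SEC 8-K"] = add_business_days(inc.materiality_at, 4)
    if "RBI" in inc.frameworks:
        out["RBI incident report"] = inc.detected_at + timedelta(hours=6)
    if "STATE_X" in inc.frameworks and inc.data_categories & STATE_X_SENSITIVE:
        out["State X residents"] = inc.aware_at + timedelta(days=30)   # no safe harbour
    return out

def earliest_fixed_deadline(obs: dict):
    """The most stringent applicable deadline drives the response timeline."""
    fixed = [(d, name) for name, d in obs.items() if d is not None]
    return min(fixed) if fixed else None

# Constructed incident: encrypted financial records, key safe, detected on a Friday.
SAMPLE = Incident(
    detected_at=datetime(2024, 5, 10, 14, 0), aware_at=datetime(2024, 5, 10, 18, 0),
    materiality_at=datetime(2024, 5, 13, 10, 0),
    data_categories=frozenset({"financial_account", "name"}),
    encrypted=True, key_compromised=False, risk_to_individuals=True, high_risk=False,
    frameworks=frozenset({"GDPR", "SEC", "RBI", "STATE_X"}),
)

if __name__ == "__main__":
    for name, deadline in obligations(SAMPLE).items():
        print(f"{name:34} {deadline or 'without undue delay'}")
    print("earliest fixed deadline:", earliest_fixed_deadline(obligations(SAMPLE)))
```

The RBI six-hour window expires the same evening, long before the Art. 33 and 8-K clocks, which is why the legal analysis cannot wait for the final forensic report.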
Required content and the notification document
GDPR Article 33(3) specifies the minimum content of a supervisory authority notification: a description of the nature of the breach including categories and approximate numbers of data subjects and records concerned; the name and contact details of the data protection officer or other contact; the likely consequences of the breach; and the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects. Most supervisory authorities provide online notification forms that map to these requirements.
Individual notifications under GDPR Article 34 must be delivered in clear and plain language and must include the name and contact details of the DPO or contact point, the likely consequences of the breach, and the measures taken or proposed to address it including measures to mitigate adverse effects. The Article 34 notification should also include specific recommendations for what the individual can do to protect themselves, for example, changing passwords, monitoring financial statements, or placing a fraud alert with credit agencies.
US state law notifications follow a broadly similar model but with jurisdictional variations. Many states prescribe specific statutory language that must appear in the notice. California's notification law requires a specific format and mandates that the notice be written in plain language and include a title in at least 10-point type reading 'Notice of Data Breach'. New York's SHIELD Act requires notification to include the categories of personal information that were, or are reasonably believed to have been, acquired by a person without valid authorisation. Organisations with national US operations commonly maintain a notification template library that contains jurisdiction-specific versions, enabling rapid assembly of compliant notices.
Timing and method of individual notification also vary. Email is generally acceptable under GDPR and most US state laws, but only to individuals for whom the organisation holds a valid email address. For others, paper mail, prominent website posting, or (in some US jurisdictions) statewide media notification may be required. Some frameworks permit substitute notification (posting a notice on the organisation's website and notifying major statewide media) when the cost of individual notification would exceed a statutory threshold or when contact information is not available for a substantial portion of affected individuals.
Penalties for non-compliance and enforcement trends
GDPR's penalty structure for breach notification failures has two tiers. Under Article 83(4), failure to notify the supervisory authority, or late notification, can attract fines of up to 10 million euros or 2 percent of the organisation's total worldwide annual turnover of the preceding financial year, whichever is higher. If the failure also involves a separate substantive GDPR infringement, for example inadequate security measures that caused the breach, the higher tier under Article 83(5) applies: up to 20 million euros or 4 percent of global turnover. Regulators across the EU have imposed substantial fines for late or absent breach notification. The Irish Data Protection Commission fined Meta 265 million euros in 2022 partly for breach notification failures.
Under India's DPDP Act, the Data Protection Board can impose financial penalties of up to 250 crore rupees (approximately 30 million US dollars) per instance of non-compliance for failure to notify a breach, under Schedule 1 of the Act. For breaches that constitute a failure of a significant Data Fiduciary's additional obligations, the penalty can reach 200 crore rupees for that category of violation. These are maximum amounts; the Board is required to consider the gravity of the violation, the degree of cooperation, and the remedial action taken before determining the actual penalty.
In the US, state attorneys general have enforcement authority over state breach notification laws and have used it actively. New York's attorney general has issued guidance and brought enforcement actions against organisations for late notification and inadequate security. The FTC has pursued enforcement under Section 5 of the FTC Act (unfair or deceptive practices) against companies that failed to notify consumers of breaches promptly. HIPAA enforcement by the HHS Office for Civil Rights has resulted in multi-million dollar settlements for notification failures: the 2021 Scripps Health breach settlement and the Advocate Aurora Health resolution are examples. Beyond regulatory fines, breach notification failures generate litigation exposure, insurance coverage disputes, and reputational damage that typically exceed the regulatory penalty itself.
Key Takeaways
- GDPR requires supervisory authority notification within 72 hours of awareness of any personal data breach that poses a risk, and individual notification without undue delay when the risk is high; phased notification is permitted when full information is not yet available.
- The US has no single federal breach notification law: all 50 states have their own statutes with different triggers, timelines, and content requirements, and sector-specific federal rules (HIPAA, FTC, SEC) run in parallel and must each be satisfied independently.
- India's Digital Personal Data Protection Act 2023 requires Data Fiduciaries to notify the Data Protection Board and affected Data Principals of breaches, with detailed rules to be prescribed by government; CERT-In and RBI impose additional six-hour incident reporting windows for their regulated constituencies.
- The notification trigger assessment, determining whether and to whom notification is required, must run in parallel with the IR forensic investigation, not sequentially, because most notification deadlines are shorter than the time required for a complete investigation.
- Penalties for breach notification failures are significant under all major frameworks: GDPR allows fines up to 10 million euros or 2 percent of global turnover for notification failures, and India's DPDP Act allows penalties up to 250 crore rupees; voluntary early notification is a recognised mitigating factor across most regulatory regimes.