
Data Breach Notification Requirements

Overview

This document provides IT managers with comprehensive guidelines for identifying, responding to, and reporting data breaches in compliance with legal and regulatory requirements. Understanding breach notification requirements is critical to minimizing legal exposure, maintaining customer trust, and fulfilling regulatory obligations.

Definition of a Data Breach

Legal Definition

A data breach is the unauthorized acquisition, access, use, or disclosure of protected information that compromises the security, confidentiality, or integrity of such information.

Types of Data Breaches

  • Unauthorized Access: External attacker or unauthorized insider gains access to protected data
  • Data Exfiltration: Data is copied, transferred, or stolen from systems
  • Accidental Disclosure: Data unintentionally exposed or sent to wrong recipient
  • Lost or Stolen Devices: Laptop, phone, or storage media containing protected data
  • Ransomware: Data encrypted and potentially exfiltrated by attackers
  • Insider Threat: Employee intentionally accesses or discloses data without authorization
  • Third-Party Breach: Vendor or partner experiences breach affecting company data

Protected Data Categories

Personally Identifiable Information (PII)

Information that identifies or can be used to identify an individual:

  • Full name with any of: SSN, driver's license, financial account, credit card, passport
  • Email address combined with password or security question answers
  • Biometric data (fingerprints, facial recognition, retina scans)
  • Medical records and health information
  • Date of birth, mother's maiden name, place of birth
  • Government-issued identification numbers

Protected Health Information (PHI)

Under HIPAA, PHI includes:

  • Medical records and diagnoses
  • Treatment information and prescriptions
  • Lab results and medical images
  • Insurance information related to healthcare
  • Any health information linked to an identifiable individual

Financial Information

  • Credit card numbers and CVV codes
  • Bank account numbers and routing numbers
  • Payment card data (subject to PCI-DSS)
  • Financial statements and tax records
  • Investment account information

Proprietary and Confidential Business Data

  • Trade secrets and intellectual property
  • Non-public financial information
  • Strategic business plans
  • Customer lists and contracts
  • Employee confidential information

Applicable Regulations

| Regulation | Scope | Notification Timeframe | Who Must Be Notified |
|---|---|---|---|
| GDPR | EU residents' data | 72 hours to regulator; without undue delay to individuals | Supervisory authority, affected individuals, in some cases media |
| CCPA/CPRA | California residents' data | Without unreasonable delay | Affected California residents, Attorney General |
| HIPAA | Protected Health Information | 60 days for individuals; without unreasonable delay to HHS; immediately to media if 500+ | Affected individuals, HHS, potentially media |
| State Breach Laws | Varies by state | Most require "without unreasonable delay" or specific timeframes (30-90 days) | Affected residents, state attorney general, sometimes credit bureaus |
| SEC (Public Companies) | Material incidents for public companies | 4 business days if material | SEC via 8-K filing |
| PCI-DSS | Payment card data | Immediately upon discovery | Card brands, acquiring bank, potentially law enforcement |

Breach Assessment Process

Step 1: Initial Discovery and Containment

Upon discovering a potential breach:

  1. Immediately contain the breach to prevent further data exposure
  2. Preserve evidence (do not delete logs or modify systems)
  3. Document the discovery timeline and initial findings
  4. Notify IT Director and Security Manager immediately
  5. Activate incident response team

Step 2: Preliminary Assessment

Within the first 24 hours, determine:

  • What data was accessed or exfiltrated? Types of information, number of records
  • Who was the attacker? External threat, insider, accidental
  • How did the breach occur? Attack vector, vulnerability exploited
  • When did the breach occur? Start date, duration, discovery date
  • How many individuals are affected? Count of unique affected persons
  • What is the risk of harm? Likelihood and severity of impact to individuals

Step 3: Legal and Regulatory Analysis

Engage Legal and Compliance teams to determine:

  • Which regulations apply based on data types and affected individuals
  • Whether notification is legally required
  • Notification deadlines under applicable laws
  • Who must be notified (regulators, individuals, media, etc.)
  • Content requirements for notifications
  • Whether law enforcement should be involved

Step 4: Risk Assessment

Evaluate the likelihood and severity of harm to individuals:

| Risk Factor | Low Risk | High Risk |
|---|---|---|
| Data Sensitivity | Names, email addresses only | SSN, financial accounts, health records |
| Data Protection | Encrypted, difficult to decrypt | Unencrypted, plaintext |
| Attacker Motivation | Accidental access, no malicious intent | Deliberate theft, financial motivation |
| Volume | Small number of records | Large-scale breach affecting thousands |
| Harm Potential | Low risk of identity theft or fraud | High risk of financial loss or identity theft |

Notification Decision Tree

Is Notification Required?

  1. Was protected data accessed or exfiltrated?
    • No → Likely not a breach requiring notification (document assessment)
    • Yes → Continue to next question
  2. Was the data encrypted with secure encryption?
    • Yes, and encryption keys not compromised → May have safe harbor exception in some jurisdictions
    • No, or keys also compromised → Continue to next question
  3. Does the breach affect 500+ individuals?
    • Yes → Notification almost certainly required under multiple laws
    • No → Continue to next question
  4. Is there a low risk of harm to individuals?
    • Yes, and documented risk assessment supports this → Some regulations may not require notification
    • No, or uncertain → Notification likely required

Important: Even if not legally required, consider notification as a best practice for transparency and maintaining trust.

Notification Timeline

Critical Deadlines

| Timeframe | Required Actions | Responsible Party |
|---|---|---|
| Immediate (0-4 hours) | Contain breach, preserve evidence, notify IT Director and Legal | IT Security Team |
| 24 hours | Complete preliminary assessment, activate breach response team, notify cyber insurance | IT Director + Legal |
| 72 hours | GDPR notification to supervisory authority (if applicable) | Legal + Compliance |
| 4 business days | SEC notification if material (public companies only) | Legal + Finance |
| 30 days (varies by state) | Notification to affected individuals under state breach laws | Legal + Communications |
| 60 days | HIPAA notification to individuals and HHS (if applicable) | Compliance + Legal |

Notification Content Requirements

Required Elements in Individual Notifications

All notifications to affected individuals must include:

  1. Date of Notice: When the notification is being sent
  2. Description of Incident: What happened, in plain language
  3. Types of Data Involved: What information was accessed or acquired
  4. Date of Breach: When incident occurred or was discovered
  5. Actions Taken: Steps company has taken to investigate and secure data
  6. Contact Information: How affected individuals can reach company with questions
  7. Recommended Actions: Steps individuals should take to protect themselves
  8. Resources Provided: Credit monitoring, identity theft protection, etc.
  9. Regulatory Contact: Information on filing complaints with regulators (if required)

Sample Notification Letter Template

Structure of notification letter:

  • Subject Line: "Important Notice Regarding Your Information"
  • Opening: Direct statement that a data security incident occurred
  • Body Paragraphs:
    • What happened and when
    • What information was involved
    • What we are doing about it
    • What you can do to protect yourself
  • Services Offered: Credit monitoring enrollment details
  • Contact Information: Dedicated hotline and email
  • Closing: Apology and commitment to security

Notification Methods

Individual Notification Methods

| Method | When to Use | Requirements |
|---|---|---|
| Written Letter (First-Class Mail) | Primary method for most breaches | Must have current mailing addresses |
| Email | Permitted in some jurisdictions as primary or secondary method | Must have valid email addresses; some states require consent |
| Telephone | For small numbers of affected individuals | Document calls; follow up with written notice |
| Substitute Notice | When contact info unavailable or cost exceeds threshold | Prominent website posting, major media notice |

Substitute Notice Requirements

Used when individual contact information is unavailable or notification cost exceeds specified amounts:

  • Conspicuous posting on company website homepage for 90 days
  • Notification to major statewide media (if required by state law)
  • May include email notification if addresses available

Regulatory Notifications

Federal Agencies

  • SEC: Form 8-K filing within 4 business days if material (public companies)
  • HHS Office for Civil Rights: Via breach reporting portal within 60 days (HIPAA breaches)
  • FTC: Depending on applicable regulations (e.g., Safeguards Rule, COPPA)
  • FBI IC3: File complaint at ic3.gov for significant cybercrimes

State Attorneys General

Many states require notification to the state AG:

  • Typically when 500+ state residents affected
  • Timing varies by state (often same as individual notification)
  • Usually via email to designated breach notification address
  • Include copy of notification letter sent to individuals

Credit Reporting Agencies

Some states require notification to credit bureaus when breach affects 1,000+ residents:

  • Experian
  • Equifax
  • TransUnion

International Regulators

  • GDPR: Report to lead supervisory authority via online portal within 72 hours
  • Other Countries: Comply with local data protection authority requirements

Roles and Responsibilities

Breach Response Team

| Role | Responsibilities | Department |
|---|---|---|
| Incident Commander | Overall coordination, final decisions | IT Director or CTO |
| Legal Lead | Regulatory compliance, notification requirements, legal strategy | General Counsel / Legal |
| Technical Lead | Investigation, forensics, remediation | IT Security Manager |
| Communications Lead | Draft notifications, manage media, coordinate messaging | Marketing / PR |
| Privacy Officer | Data protection compliance, individual rights | Compliance / Legal |
| HR Representative | Employee notifications, insider threat issues | Human Resources |
| Customer Service Lead | Call center support, handle inquiries | Customer Service |

External Resources

  • Outside Counsel: Specialized data breach attorneys
  • Forensic Investigators: Third-party cybersecurity firms
  • Credit Monitoring Service: Vendor to provide identity protection
  • Notification Vendor: Company to handle mass mailing
  • PR Firm: Crisis communications specialists
  • Cyber Insurance Carrier: Coverage and claims support

Services to Provide Affected Individuals

Credit Monitoring and Identity Protection

Industry standard offerings:

  • Duration: 12-24 months of free credit monitoring
  • Services: Credit report monitoring, identity theft insurance, fraud resolution assistance
  • Providers: Experian IdentityWorks, Equifax Complete, TransUnion TrueIdentity
  • Cost: Typically $15-$25 per person per year

Dedicated Support Resources

  • Toll-free call center with extended hours
  • Dedicated email address for inquiries
  • FAQ page on company website
  • Live chat support

Documentation and Record Keeping

Required Documentation

Maintain detailed records of:

  • Incident timeline and discovery
  • Investigation findings and forensic reports
  • Risk assessment and notification decision rationale
  • Legal analysis of applicable laws
  • List of all affected individuals with data elements compromised
  • Copies of all notifications sent
  • Regulatory filings and correspondence
  • Media coverage and public statements
  • Call center logs and customer inquiries
  • Remediation steps taken

Retention Period

Retain all breach-related documentation for a minimum of 7 years, or longer where required by applicable regulations or litigation holds.

Cost Considerations

Typical Breach Response Costs

| Expense Category | Estimated Cost | Notes |
|---|---|---|
| Forensic Investigation | $50,000 - $500,000+ | Depends on complexity and duration |
| Legal Fees | $100,000 - $1,000,000+ | Outside counsel for breach response |
| Notification (Mailing) | $1 - $3 per person | Letter printing and postage |
| Credit Monitoring | $15 - $25 per person per year | Usually 1-2 years provided |
| Call Center | $50,000 - $200,000 | Dedicated support for 90 days |
| Public Relations | $25,000 - $100,000 | Crisis communications support |
| Regulatory Fines | Highly variable | Can range from $0 to millions depending on jurisdiction and severity |
| Class Action Settlements | Highly variable | Often millions for large breaches |

Cyber Insurance

Coverage Typically Includes

  • Forensic investigation costs
  • Legal fees and regulatory defense
  • Notification costs (letters, call center)
  • Credit monitoring services
  • Public relations expenses
  • Regulatory fines and penalties (where insurable)
  • Business interruption losses

Notification to Insurer

Contact cyber insurance carrier within 24 hours of breach discovery:

  • Obtain claim number
  • Understand coverage and requirements
  • Use approved panel vendors when required
  • Follow claims reporting procedures
  • Keep insurer informed throughout incident

Penalties and Consequences

Regulatory Penalties

| Regulation | Maximum Penalty | Basis for Calculation |
|---|---|---|
| GDPR | Up to €20 million or 4% of global annual revenue | Severity of violation, number of individuals |
| HIPAA | Up to $1.5 million per violation category per year | Level of negligence, number of individuals |
| State Laws | Varies; typically $100-$750 per violation | Per affected individual |
| PCI-DSS | $5,000-$100,000 per month during non-compliance | Plus card brand fines and assessments |

Other Consequences

  • Class action lawsuits from affected individuals
  • Loss of customer trust and business reputation
  • Regulatory audits and increased oversight
  • Increased insurance premiums
  • Stock price impact (for public companies)
  • Contract terminations or customer departures

Prevention and Preparedness

Breach Prevention Measures

  • Encrypt sensitive data at rest and in transit
  • Implement multi-factor authentication
  • Maintain up-to-date security patches
  • Conduct regular security assessments and penetration testing
  • Train employees on security awareness and phishing
  • Implement data loss prevention (DLP) controls
  • Minimize data collection and retention
  • Conduct vendor security assessments

Breach Preparedness

  • Maintain current incident response plan
  • Conduct tabletop exercises annually
  • Pre-establish relationships with forensic firms and legal counsel
  • Maintain updated contact lists for breach response team
  • Pre-negotiate contracts with notification and credit monitoring vendors
  • Ensure adequate cyber insurance coverage
  • Keep data inventories current
  • Document data flows and system interconnections

Contact Information

In the event of a suspected data breach:

Last Updated: November 2025
Policy Owner: General Counsel & IT Director
Confidentiality: IT Management Only