A data breach can happen to any organization regardless of size, industry, or how much you’ve invested in security. When it does, what you do in the first hours and days determines whether the incident becomes a manageable event or a catastrophic legal and reputational crisis. Every U.S. state now has data breach notification laws on the books, and the timelines, definitions, and penalties vary significantly. Understanding your obligations before a breach occurs is not optional — it is a core business responsibility.
What Is a Data Breach Notification Law?
A data breach notification law is a statute that requires organizations to inform affected individuals, regulators, and sometimes credit bureaus when personal information has been accessed, acquired, or disclosed without authorization. All 50 U.S. states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have enacted their own breach notification statutes. There is no single federal breach notification law that applies to all industries, though sector-specific federal regulations like HIPAA and the Gramm-Leach-Bliley Act impose their own requirements.
California was the first state to pass a data breach notification law in 2003 (SB 1386), and every other state has since followed. The result is a patchwork of requirements that any business operating across state lines — or handling customer data from multiple states — must navigate carefully.
Who Must Comply With Breach Notification Requirements?
Any business or organization that owns, licenses, or maintains personal information of residents in a given state must comply with that state’s breach notification law. This applies regardless of where your business is physically located. If you store data on customers in Georgia, Texas, and California, you may be subject to all three states’ laws simultaneously.
This means:
- Small businesses are not exempt. Most state laws apply to businesses of all sizes.
- Third-party vendors that process data on behalf of another organization typically must notify the data owner, who then notifies affected individuals.
- Nonprofit organizations and government entities are generally covered as well.
For businesses working with managed IT and cybersecurity providers, understanding shared responsibilities in a breach scenario is critical. Your IT partner should have clear incident response procedures that align with your notification obligations.
What Triggers a Notification Requirement?
A notification obligation is triggered when there is unauthorized access to or acquisition of unencrypted personal information that compromises the security, confidentiality, or integrity of that data. The exact trigger varies by state:
- Acquisition-based states require notification only when data was actually acquired by an unauthorized party (e.g., Georgia).
- Access-based states set a lower threshold — mere unauthorized access can trigger notification even without confirmed exfiltration (e.g., California).
- Risk-of-harm states require a risk assessment: if the breach is unlikely to cause harm, notification may not be required (e.g., Florida, with its threshold of “reasonable likelihood of identity theft or financial harm”).
Most states define personal information as a name combined with one or more of the following: Social Security number, driver’s license number, financial account numbers, medical information, or biometric data. Several states have expanded definitions in recent years to include email credentials, tax identification numbers, and passport numbers.
How Quickly Must You Notify After a Breach?
Notification timelines vary significantly by state, and missing a deadline can result in penalties even if you handle everything else correctly. Here are some key examples:
- Florida: Within 30 days of determining a breach occurred.
- Colorado: Within 30 days of determining a breach occurred.
- Georgia: Requires notification “in the most expedient time possible and without unreasonable delay.” No specific day count.
- California: Requires notification “in the most expedient time possible and without unreasonable delay.”
- New York: Requires notification “in the most expedient time possible and without unreasonable delay,” but the SHIELD Act (effective 2020) expanded the definition of private information and broadened what constitutes a breach.
- Texas: Within 60 days of determining a breach occurred.
The trend across state legislatures has been toward shorter, more specific timelines. Several states that previously used “without unreasonable delay” language have amended their statutes to include hard deadlines.
For organizations subject to HIPAA, the federal notification deadline is 60 days from discovery of the breach for incidents affecting 500 or more individuals, with notification to the Department of Health and Human Services required within the same window.
Who Must Be Notified After a Data Breach?
Depending on the jurisdiction and the scale of the breach, you may need to notify:
- Affected individuals — Required in all states. Notification must typically include a description of the incident, the types of information involved, and steps individuals can take to protect themselves.
- State attorneys general — Many states require direct notification to the AG’s office, sometimes with specific thresholds (e.g., California requires AG notification when more than 500 residents are affected).
- Consumer reporting agencies — When a breach affects a large number of individuals (commonly 1,000 or more), several states require notification to major credit bureaus.
- Federal regulators — If you operate in a regulated industry (healthcare, financial services), federal agencies like HHS or the FTC may also require notification.
What Are the Penalties for Failing to Notify?
Penalties for non-compliance range from modest fines to severe financial consequences:
- State AG enforcement: Most states empower their attorneys general to bring enforcement actions. Fines can range from a few thousand dollars per violation to hundreds of thousands.
- New York’s SHIELD Act allows penalties of up to $5,000 per violation with no cap specified in the statute.
- California allows penalties of up to $7,500 per intentional violation under the California Consumer Privacy Act (CCPA).
- HIPAA violations can result in fines ranging from $137 to over $2 million per violation category per year, depending on the level of negligence.
- Private lawsuits: An increasing number of breach events result in class action litigation, particularly when sensitive data like Social Security numbers or financial records are involved.
Beyond financial penalties, the reputational damage from a poorly handled breach — or one where notification was delayed — often exceeds the direct costs by a significant margin.
How Should Your Business Prepare Before a Breach Happens?
The worst time to learn about breach notification requirements is during an active incident. Preparation is what separates a controlled response from chaos.
Do You Have an Incident Response Plan?
Every organization should maintain a written incident response plan (IRP) that addresses breach notification specifically. An effective IRP includes:
- Defined roles and responsibilities: Who leads the response, who handles legal review, who communicates with affected parties.
- Legal counsel engagement: Pre-establishing a relationship with an attorney experienced in data breach law so you are not searching for one during a crisis.
- Forensic investigation procedures: How you will determine what happened, what data was affected, and how many individuals are impacted.
- Communication templates: Pre-drafted notification letters that can be adapted quickly to specific incidents.
- Vendor notification procedures: If a third-party vendor caused or was involved in the breach, how and when you notify them, and how they notify you.
Working with an experienced IT consulting partner to develop and test your incident response plan ensures that technical investigation and legal notification happen in coordination rather than in conflict.
Have You Mapped Your Data?
You cannot notify affected individuals if you do not know what data you hold, where it is stored, and who it belongs to. Data mapping — maintaining an inventory of personal information by type, location, and jurisdiction — is foundational to breach response.
Do You Conduct Tabletop Exercises?
A plan that sits in a drawer is only slightly better than no plan at all. Regular tabletop exercises that simulate breach scenarios help your team identify gaps in the response process before a real incident exposes them.
What Special Requirements Apply to Specific Industries?
Several industries face additional breach notification obligations beyond state law:
- Healthcare (HIPAA): The Breach Notification Rule requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media. Breach risk assessments must evaluate the nature and extent of protected health information involved, the unauthorized person who accessed the data, whether data was actually acquired or viewed, and the extent to which risk has been mitigated.
- Financial services (GLBA): The FTC’s Safeguards Rule requires financial institutions to maintain a comprehensive security program, and the updated 2023 requirements include notification to the FTC within 30 days for breaches affecting 500 or more people.
- Automotive dealerships: The FTC Safeguards Rule applies directly to auto dealers as financial institutions under GLBA. This is an area COMNEXIA has worked in extensively over 35 years of serving the automotive industry from our base in Atlanta, Georgia.
What Is the Difference Between State and Federal Breach Laws?
State breach notification laws set the baseline for most businesses, while federal laws layer additional requirements on top for regulated industries. There is no comprehensive federal breach notification statute that applies universally to all businesses, though various proposals have been introduced in Congress over the years.
The practical effect for most businesses is that you must comply with the state laws of every state where affected individuals reside, plus any applicable federal regulations for your industry. A company in Georgia that experiences a breach affecting customers in 20 states could theoretically be subject to 20 different notification frameworks — each with its own definitions, timelines, and notification methods.
Frequently Asked Questions
Q: Does my business need to comply with breach notification laws if we’re a small company?
A: Yes. Nearly all state breach notification laws apply regardless of business size. If you collect, store, or process personal information, you are subject to the notification requirements of the states where affected individuals reside.
Q: What should I do in the first 24 hours after discovering a breach?
A: Contain the breach to prevent further data loss, engage your incident response team and legal counsel, begin a forensic investigation to determine scope, preserve all evidence, and identify which notification obligations may apply. Do not send notifications before you understand the scope, but do not delay the investigation either.
Q: Are encrypted records exempt from notification requirements?
A: In most states, yes: if personal information was encrypted at the time of the breach and the encryption key was not compromised, notification is generally not required. This is one of the strongest arguments for implementing encryption at rest and in transit across all systems that handle personal data.
Q: Do I need to notify if a breach affects only employee data, not customers?
A: Yes. Most state breach notification laws protect individuals regardless of their relationship to your organization. Employee personal information (Social Security numbers, financial data, medical records) triggers the same notification obligations as customer data.
Q: How can a managed IT provider help with breach preparedness?
A: A qualified managed cybersecurity provider helps with prevention through security monitoring and controls, preparation through incident response planning and tabletop exercises, detection through real-time threat monitoring, and response by supporting forensic investigation and remediation during an active breach. COMNEXIA has supported businesses across the Southeast with security infrastructure and incident preparedness for over three decades.