Overview
When a data breach occurs, organizations face strict regulatory deadlines for notifying affected individuals and regulatory authorities. Getting the notification wrong, whether through delayed timing, incomplete information, or unclear language, can turn a manageable incident into a reputational and legal crisis. This resource provides ready-to-adapt templates for customer and regulator breach notifications, aligned with the requirements of the GDPR, California's CCPA/CPRA and breach statute, HIPAA, and SEC cybersecurity disclosure rules.
Notification Framework by Regulation
| Regulation | Authority notification | Individual notification | Timeline |
|---|---|---|---|
| GDPR (Art. 33, 34) | Lead supervisory authority (DPA), unless the breach is unlikely to result in a risk to individuals | Data subjects, without undue delay, if the breach is likely to result in a high risk to their rights and freedoms | 72 hours to the authority from becoming aware; reasons for any delay must accompany a late notification |
| CCPA/CPRA (with Cal. Civ. Code § 1798.82) | California AG if more than 500 California residents are notified in a single breach | All affected California residents | In the most expedient time possible and without unreasonable delay |
| HIPAA Breach Notification Rule | HHS OCR (contemporaneously if 500 or more individuals are affected; otherwise in an annual log within 60 days of year end); prominent media outlets if more than 500 residents of a state or jurisdiction are affected | Affected individuals | Without unreasonable delay and no later than 60 calendar days from discovery |
| SEC (Form 8-K, Item 1.05) | SEC filing | Investors via public disclosure | 4 business days from the determination that the incident is material; that determination must itself be made without unreasonable delay |
| State breach laws (all 50 states) | State AG or designated agency, often only above a resident-count threshold (varies by state) | Affected residents (definitions of covered data vary by state) | Without unreasonable delay; where a state sets a fixed outer limit it is commonly 30 to 60 days from discovery |
Customer Notification Template Elements
- Clear description of what happened and when it was discovered
- Types of personal data involved in the breach
- Steps already taken to contain and investigate the breach
- What the organization is doing to prevent recurrence
- Specific steps customers should take to protect themselves
- Credit monitoring or identity protection services offered
- Dedicated contact information for questions and support
- Timeline for follow-up communications
Regulator Notification Template Elements
- Nature of the personal data breach including categories and approximate number of records
- Name and contact details of the Data Protection Officer or equivalent
- Description of likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate effects
- Timeline of discovery, containment, and notification
- Whether affected individuals have been or will be notified
- Supporting documentation and evidence preservation summary
Tone and Language Guidelines
Breach notifications are not marketing documents. Use plain language that affected individuals can understand without a law degree. Be honest about what happened, take responsibility, and avoid minimizing the incident. Do not reach for phrases like "sophisticated attack" to shift blame; regulators and plaintiffs' counsel read them as deflection, and they often turn out to be inaccurate once the root cause is known. State the facts, explain what you are doing about it, and tell people exactly what they need to do to protect themselves. Have legal counsel review every notification before distribution, but do not let legal review strip out the human element entirely.
Multi-Jurisdiction Coordination
Most organizations operate across multiple jurisdictions, each with its own breach notification requirements. Build a regulatory map during incident response that identifies every applicable law based on the residence of affected individuals, not just where the organization is headquartered or where the systems sit. Coordinate notification timing so that regulatory authorities are informed before or simultaneously with affected individuals; several states require the attorney general to be notified no later than the residents. Check early whether law enforcement is involved, because most regimes, including HIPAA and most state laws, permit a documented delay at the request of law enforcement and almost none permit a delay for any other reason. Track all notification deadlines in a single dashboard, record the date and time each clock started and why, and assign a notification coordinator to prevent missed filings.
Frequently Asked Questions
When does the notification clock start ticking?
It varies by regulation, and the trigger is rarely the moment an alert fires. Under the GDPR, the 72-hour clock starts when the organization becomes "aware" of the breach, which the EDPB reads as having a reasonable degree of certainty that a security incident has compromised personal data; a short, documented triage to reach that certainty is acceptable, an open-ended investigation is not. Under HIPAA, the 60-day window begins on the day the breach is "discovered," which includes the day it would have been known through reasonable diligence, and knowledge held by workforce members or agents is imputed to the covered entity. Under the SEC rule, the four business days run from the materiality determination, not from detection, so document when and how that determination was made. Under most state laws the clock runs from discovery of the breach, and many allow time for a reasonable investigation to determine scope and restore system integrity; a mere suspicion of unauthorized access generally does not start it, but a confirmed unauthorized acquisition does.
What happens if we miss a notification deadline?
Regulatory penalties vary. Under the GDPR, failures to notify the authority or data subjects (Articles 33 and 34) fall in the lower fine tier of up to €10 million or 2% of annual global turnover, whichever is higher, and a late notification usually also invites scrutiny of the underlying security measures. HIPAA civil penalties are tiered by culpability and capped per calendar year for violations of an identical provision; the cap is inflation-adjusted annually and currently sits around $2 million. State attorneys general can bring enforcement actions with civil penalties, and in California a breach caused by failure to maintain reasonable security also exposes the organization to the CCPA/CPRA private right of action with statutory damages per consumer per incident.
Should we notify before the investigation is complete?
Yes, if the regulatory timeline requires it. Provide what you know and commit to supplemental notifications as the investigation progresses; the GDPR expressly allows notification in phases (Article 33(4)) when all the required information is not yet available, and the SEC 8-K can be amended once. Waiting for a complete picture can push you past legal deadlines, and a late but complete notification is treated worse than a timely one that is candid about what is still unknown.
Do we need to offer credit monitoring?
Several state laws require offering identity protection or credit monitoring services when Social Security numbers are exposed; Connecticut, Delaware, and Massachusetts are examples, and California requires an offer of at least 12 months of identity theft prevention and mitigation services when the notifying organization was the source of a breach involving Social Security, driver's license, or state ID numbers. HIPAA itself does not mandate credit monitoring, although the Privacy Rule requires covered entities to mitigate the harmful effects of impermissible disclosures, and offering monitoring is a common way to show that. Even when not legally required, offering credit monitoring demonstrates good faith and can reduce litigation risk.
How should we handle media inquiries about the breach?
Prepare a public statement that aligns with customer and regulator notifications. Designate a single spokesperson. Avoid saying more than what has been confirmed. Coordinate closely between PR, legal, and the incident response team to maintain consistent messaging.