Overview
After a breach, you are racing multiple clocks at once. Different regulations have different deadlines, different authorities expecting different information, and different consequences for missing them. This checklist consolidates the notification requirements across major regulatory frameworks so your incident response team knows exactly who to notify, when, and with what information. Print it, pin it to your war room wall, and reference it every time an incident crosses the reportable threshold.
Notification Deadlines by Framework
| Framework | Deadline | Notify | Key requirements |
|---|---|---|---|
| GDPR | 72 hours from awareness | Supervisory authority + data subjects (if high risk) | Nature of breach, categories of data, approximate number of records, DPO contact |
| HIPAA | 60 days from discovery | HHS OCR + individuals, media if 500+ per state | Description of breach, types of PHI, steps taken, contact for questions |
| SEC (8-K) | 4 business days from materiality determination | SEC via Form 8-K | Material impact, nature and scope, status of remediation |
| CCPA/CPRA | Without unreasonable delay | California AG (if 500+ residents) + affected individuals | Categories of data, timeline, remedial actions, contact info |
| NY SHIELD Act | Without unreasonable delay | NY AG + affected residents | Types of data, timeline, protective measures offered |
| PCI DSS | Immediately upon discovery | Acquiring bank and card brands | Compromise scope, potentially affected card numbers, forensic investigation plan |
Pre-Incident Preparation Steps
- Map all applicable regulations to your organization based on customer locations and data types
- Build a regulatory contact database with authority names, submission portals, and email addresses
- Pre-draft notification templates for each major framework
- Identify outside counsel with breach notification expertise across jurisdictions
- Establish a cross-functional notification team: legal, privacy, communications, and IR
- Conduct a tabletop exercise focused specifically on multi-jurisdiction notification scenarios
During-Incident Notification Workflow
Start the notification clock the moment the incident meets the "awareness" or "discovery" threshold under each applicable law. Immediately convene the notification team and outside counsel. Determine which jurisdictions apply based on affected individuals. Draft authority notifications first since many regulations require authority notification before or concurrent with individual notification. Log every notification sent with timestamps, recipients, and content. Assign a single person to own deadline tracking across all jurisdictions.
Post-Notification Obligations
- File supplemental notifications if the investigation reveals additional affected individuals or data types
- Respond to regulatory inquiries within requested timelines
- Preserve all notification records for at least five years
- Monitor for follow-up enforcement actions or investigations
- Update breach notification procedures based on lessons learned
- Track customer inquiries and complaint volumes for regulatory reporting
Common Pitfalls
The most frequent mistake is not starting the clock early enough. If your team suspects a breach on Monday but does not confirm it until Friday, most regulators will argue the clock started Monday. Other common pitfalls include failing to account for state-level laws that have shorter timelines than federal ones, sending incomplete notifications that require costly supplementals, and not coordinating timing between authority and individual notifications. Build the muscle memory before you need it by running notification-focused tabletop exercises at least once a year.
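The workflow section above (start each clock at the awareness or discovery threshold, track several deadlines in parallel, log every notification with a timestamp) and the first pitfall (the clock starts when the breach is suspected, not when it is confirmed) can be turned into a small tracker. The following is an added example written for this page; it is not part of the original checklist and not code from any product. The framework names and periods are taken from the table above, the dates in `demo()` are constructed, and `add_business_days` assumes a weekend-only calendar (no holidays), which is a simplification.

```python
"""Multi-framework breach-notification deadline tracker (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Periods from the deadline table. Frameworks with no fixed clock
# ("without unreasonable delay" / "immediately") are listed separately.
FIXED_DEADLINES = {"GDPR": timedelta(hours=72), "HIPAA": timedelta(days=60)}
OPEN_ENDED = ("CCPA/CPRA", "NY SHIELD Act", "PCI DSS")
SEC_BUSINESS_DAYS = 4


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `start` by `days` business days, skipping Saturday/Sunday.
    Assumption: no holiday calendar (a real deployment would add one)."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Mon=0 ... Fri=4
            remaining -= 1
    return current


@dataclass(frozen=True)
class Deadline:
    framework: str
    clock_start: datetime
    due: Optional[datetime]  # None: no fixed deadline, notify without delay
    basis: str


def compute_deadlines(first_suspected: datetime, applicable: List[str],
                      materiality_determined: Optional[datetime] = None) -> List[Deadline]:
    """One Deadline per applicable framework whose clock has started.

    `first_suspected` starts the awareness/discovery clocks: use the time the
    team first suspected the breach, not the time it was confirmed. The SEC
    clock starts at the materiality determination; until that exists the
    SEC entry is omitted because its clock has not started.
    """
    out: List[Deadline] = []
    for fw in applicable:
        if fw in FIXED_DEADLINES:
            out.append(Deadline(fw, first_suspected, first_suspected + FIXED_DEADLINES[fw],
                                "from awareness/discovery"))
        elif fw in OPEN_ENDED:
            out.append(Deadline(fw, first_suspected, None, "without unreasonable delay"))
        elif fw == "SEC (8-K)":
            if materiality_determined is not None:
                out.append(Deadline(fw, materiality_determined,
                                    add_business_days(materiality_determined, SEC_BUSINESS_DAYS),
                                    "4 business days from materiality determination"))
        else:
            raise ValueError(f"unknown framework: {fw}")
    # Fixed deadlines first, earliest due date first; open-ended ones last.
    return sorted(out, key=lambda d: (d.due is None, d.due or d.clock_start))


@dataclass
class NotificationLog:
    """Append-only record of every notification sent (who, when, what)."""
    entries: List[Dict[str, str]] = field(default_factory=list)

    def record(self, framework: str, recipient: str, sent_at: datetime, content_ref: str) -> None:
        self.entries.append({"framework": framework, "recipient": recipient,
                             "sent_at": sent_at.isoformat(), "content_ref": content_ref})

    def status(self, deadlines: List[Deadline], now: datetime) -> Dict[str, str]:
        """Per framework: 'sent', 'open', 'OVERDUE', or 'open (no fixed deadline)'."""
        sent = {e["framework"] for e in self.entries}
        result = {}
        for d in deadlines:
            if d.framework in sent:
                result[d.framework] = "sent"
            elif d.due is None:
                result[d.framework] = "open (no fixed deadline)"
            elif now > d.due:
                result[d.framework] = "OVERDUE"
            else:
                result[d.framework] = "open"
        return result


def demo() -> Dict[str, str]:
    """Constructed scenario: suspected Monday, confirmed and deemed material Friday."""
    utc = timezone.utc
    first_suspected = datetime(2024, 3, 4, 9, 0, tzinfo=utc)        # Monday
    materiality = datetime(2024, 3, 8, 16, 0, tzinfo=utc)           # Friday
    deadlines = compute_deadlines(first_suspected,
                                  ["GDPR", "HIPAA", "SEC (8-K)", "CCPA/CPRA"], materiality)
    log = NotificationLog()
    # Status check on Friday morning: GDPR's 72h from Monday already elapsed.
    return log.status(deadlines, datetime(2024, 3, 8, 10, 0, tzinfo=utc))


if __name__ == "__main__":
    for fw, state in demo().items():
        print(f"{fw:10} {state}")
```

Running `demo()` shows the pitfall directly: because the clock is anchored at Monday's suspicion, the GDPR entry is already overdue on Friday morning, while HIPAA and the SEC filing are still open. In practice the `NotificationLog.record` calls would be made by the single deadline owner named in the workflow, so the log is the evidence trail for the retention requirement in the post-notification section.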
Frequently Asked Questions
How do we determine which regulations apply to our breach?
Look at the types of data involved (PII, PHI, financial data, payment cards), the location of affected individuals (not just your headquarters), and any industry-specific regulations you are subject to. Map this during incident response, not after.
What if we cannot determine the full scope within the notification deadline?
Notify with what you know and commit to supplemental updates. GDPR explicitly allows phased notifications. Most U.S. state laws accept initial notifications followed by supplements as the investigation progresses.
Do we need to notify for encrypted data that was breached?
It depends on the regulation. Under many U.S. state laws, properly encrypted data is exempt from notification requirements. Under GDPR, encrypted data reduces risk to individuals and may eliminate the obligation to notify data subjects, though authority notification may still be required.
Can our cyber insurance carrier help with notifications?
Yes. Most cyber insurance policies include breach notification services such as legal counsel, notification mailing, and credit monitoring. Engage your carrier early because they often have pre-negotiated vendor relationships that can accelerate the process.
What documentation should we retain after the notification process?
Keep copies of all notifications sent, delivery confirmations, regulatory correspondence, investigation reports, and decision logs. Retain these for at least five years or longer if litigation is pending. This documentation becomes critical if regulators question your notification process.
