Breach Notification
Breach notification is the legal requirement to inform regulators and affected individuals when personal data is compromised.
Breach notification requirements vary by regulation but generally mandate timely disclosure of data breaches.
Notification requirements by regulation:
- GDPR: 72 hours to supervisory authority
- HIPAA: 60 days to HHS and individuals
- CCPA: "Reasonable" time frame
- State Laws: Typically 30-60 days

Notification content typically includes:
- Nature of the breach
- Types of data affected
- Timeline of events
- Remediation steps taken
- Steps individuals should take
- Contact information

Who to notify:
- Regulators (where required)
- Affected individuals
- Law enforcement (if criminal)
- Cyber insurance provider
- Board/executives
Why It Matters
Failure to notify regulators and affected individuals within required timeframes can multiply penalties dramatically. GDPR fines for notification failures are separate from and additional to fines for the breach itself. Organizations must have documented breach notification procedures ready before an incident occurs—scrambling to figure out requirements during a crisis leads to missed deadlines and compounded liability.
Related Terms
A data breach is a security incident where protected, sensitive, or confidential data is accessed, disclosed, or stolen by unauthorized parties.
Incident response is a structured approach to preparing for, detecting, containing, and recovering from security incidents while minimizing damage.
GDPR (General Data Protection Regulation) is the EU's comprehensive data privacy law that governs how organizations collect, process, and protect personal data of EU residents.
Frequently Asked Questions
Do all breaches require notification?
No. Most laws have thresholds. GDPR exempts breaches unlikely to result in risk to individuals.
What if I'm not sure it's a breach?
Document your investigation. The 72-hour clock typically starts when you become reasonably certain a breach occurred.