Understanding Data Breach Notification Laws

Wondering what your legal requirements are after a data breach? Not sure where to start?

As organizations operate across borders and handle data from users worldwide, they are subject to a large number of notification requirements that vary by jurisdiction.

This guide explores the important aspects of data breach notification laws, their requirements across different jurisdictions, and what they mean for organizations.

We’ll break down the who, what, when, and how of data breach notifications, helping you understand your responsibilities in the event of a data breach.

However, before diving into specific laws, let’s first understand what exactly constitutes a data breach notification.

What is a data breach notification?

A data breach notification is a formal notice that organizations are legally required to send when unauthorized parties access sensitive personal data.

The notification is sent to the affected individuals, regulatory authorities, and sometimes the general public as well.

There are two primary purposes for the notifications.

First, they alert individuals to potential risks to their personal information.

This enables victims to take protective actions, hopefully before the data is exploited.

Second, the notification enables companies to comply with data protection regulations like GDPR in Europe or state-specific laws in the US.

The notification typically includes several elements:

  • when the breach was discovered
  • what types of data were compromised (such as names, Social Security numbers, or financial information)
  • what actions the organization has taken to contain and investigate the breach
  • what steps affected individuals should take to protect themselves (e.g. monitor credit reports, change passwords, etc.)

Now that we understand what a data breach notification is, let’s talk about how different jurisdictions around the world regulate these notifications.

Data breach notification laws

Laws requiring organizations to notify affected individuals have been passed in all 50 US states, as well as in a number of countries around the world.

Here’s a high-level overview of data breach notification laws from around the world.

Australia

In 2018, Australia’s Privacy Amendment (Notifiable Data Breaches) Act 2017 went into effect.

Organizations that store personal information are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of any “eligible data breaches.”

An eligible data breach is any instance when personal information has been disclosed without authorization where the affected individuals are at “risk of serious harm”.

Serious harm includes identity theft, fraud, discrimination, or psychological and physical harm.

China

In 2017, China passed a new Cybersecurity Law that included data breach requirements.

In 2021, the Personal Information Protection Law (“PIPL”) was passed, which further protects personal information and standardizes how to handle personal data.

European Union

In 2016, the EU passed the General Data Protection Regulation (GDPR), an EU-wide data protection regulation that includes breach notification requirements.

When a breach is likely to pose a risk to individuals’ rights and freedoms, organizations must notify the affected individuals, providing specific details about the breach and the steps taken to address the root cause.

The notification must include the nature of the breach, categories of data involved, approximate number of individuals affected, likely consequences, and steps taken to mitigate risks.

Organizations that fail to comply with the GDPR requirements can face fines of up to €10 million or 2% of global annual revenue, whichever is higher.

Japan

In 2015, Japan amended the Act on the Protection of Personal Information (APPI) to require business operators to notify the Personal Information Protection Commission (PPC), the data protection authority, within 3 to 5 days of a data breach.

A more detailed report must be submitted within 30 days of first learning about the breach.

New Zealand

In 2020, New Zealand adopted the Privacy Act 2020.

The act governs the collection, use, storage, and disclosure of personal information.

The regulation requires organizations to report any privacy breaches that could cause serious harm.

The act applies extraterritorially, meaning any organization doing business in New Zealand, regardless of where it is located, must comply with the regulations for handling the personal information of New Zealand residents.

United States

Data breach notification laws have been adopted in all 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands.

The most notable of these is the California Senate Bill 1386 (2002).

The law requires businesses and state agencies to notify California residents when their unencrypted personal information is compromised.

The law specifically defines personal information as including Social Security numbers, driver’s license numbers, and financial account information.

The law applies when this data is believed to have been acquired by an unauthorized person.

Although the law sets no specific notification deadline, organizations must notify the victims “in the most expedient time possible and without unreasonable delay.”

Most state laws follow the basic tenets of California’s original law.

With various laws across the globe establishing different requirements, an important question emerges: who exactly needs to be informed when a data breach happens?

Who must be notified of a data breach?

Although this varies by jurisdiction and severity of the breach, here’s a high-level breakdown:

  • Affected Individuals: Anyone whose personal data was compromised must be notified in most cases. This includes customers, employees, or other individuals whose sensitive information was exposed.
  • Regulatory Authorities: Organizations typically must notify the relevant data protection authorities or regulators. In the EU, this is the supervisory authority under GDPR. In the US, it is typically the state attorney general (requirements vary by state). In Australia, it is the Office of the Australian Information Commissioner (OAIC).
  • Third Parties: Several groups may need to be informed depending on the circumstances. If criminal activity is suspected, law enforcement should be notified. When the breach involves financial data, credit reporting agencies should be notified. Business partners or vendors should be notified if their data was also compromised, and payment card brands (such as Visa or Mastercard) if payment card data was exposed.
  • Broader Public: Public disclosure may be required when the breach affects a large number of individuals, or when the organization is publicly traded and the breach is material to investors.

The threshold for notification often depends on the type of data compromised, the number of individuals affected, the level of risk to the affected individuals, and any specific requirements based on applicable laws and regulations.

Understanding the legal and notification requirements is important, but organizations also need a clear action plan when a breach occurs. Here’s a comprehensive guide to responding effectively.

How to respond to a data breach?

Here’s a guide on how organizations should respond to a data breach:

Immediate Response (First 24-48 Hours):

  • Identify and contain the breach by isolating affected systems
  • Activate your incident response team and establish clear roles
  • Document everything, including when and how the breach was discovered
  • Preserve evidence for a forensic investigation; the evidence may also be needed in any future legal proceedings
  • Stop additional data loss by fixing vulnerabilities

Investigation Phase:

  • Determine what data was compromised and who was affected
  • Identify how the breach happened and how long ago it started
  • Engage forensics experts if needed
  • Assess the scope and severity of the breach
  • Review security logs and access records
  • Determine which data protection laws apply
  • Meet notification deadlines for authorities and affected individuals
  • Consult legal counsel about obligations and potential liabilities
  • Document compliance with regulatory requirements
  • Prepare required regulatory filings

Communication Strategy:

  • Draft clear, honest notifications for affected individuals
  • Prepare internal communications for employees
  • Create media statements if public disclosure is needed
  • Set up dedicated communication channels (hotlines, email)
  • Provide specific guidance on steps affected individuals should take

Remediation Steps:

  • Fix security vulnerabilities that led to the breach
  • Reset compromised credentials and access points
  • Implement additional security controls
  • Offer credit monitoring or identity protection services if appropriate
  • Review and update security policies and procedures

Long-term Actions:

  • Conduct a post-incident analysis
  • Update incident response plans based on lessons learned
  • Improve security awareness training
  • Improve data protection defenses
  • Regularly test incident response procedures
