73 Hours: The Window That Cost Uber $148 Million
In 2018, Uber paid $148 million to settle with all 50 states and the District of Columbia — not because they got breached, but because they covered it up. The company learned about a massive breach affecting 57 million users and drivers in 2016 and chose to pay the attackers $100,000 to delete the data and stay quiet. They didn't notify a single affected person for over a year.
That settlement remains one of the clearest lessons in cybersecurity: the breach hurts, but failing to meet data breach notification requirements can destroy you financially and reputationally. I've worked with organizations that survived serious incidents with minimal fallout — because they notified properly and on time. I've also seen small companies nearly fold because they didn't know they had an obligation to disclose.
This post breaks down exactly what you need to know about breach notification laws in the U.S., what triggers them, who you must notify, and the specific timelines you can't afford to miss.
What Are Data Breach Notification Requirements?
Data breach notification requirements are legal obligations that force organizations to inform affected individuals, state regulators, and sometimes federal agencies when personal data has been compromised. Every U.S. state, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have enacted their own breach notification laws. There is no single federal breach notification law that covers all industries — though sector-specific rules exist for healthcare (HIPAA), financial services (GLBA), and others.
The core idea is simple: if a threat actor gains unauthorized access to personally identifiable information (PII), the people whose data was exposed have a right to know. The complexity comes from the details — what counts as "personal information," how fast you must act, and who exactly you tell.
The Patchwork Problem: 50 States, 50 Sets of Rules
Here's what actually makes compliance painful. There is no uniform standard. If your organization holds data on residents of multiple states — and almost every organization does — you must comply with the notification law of each affected individual's state of residence, not just the state where your business operates.
Trigger Definitions Vary Wildly
Some states define a breach as unauthorized acquisition of data. Others use unauthorized access. That distinction matters. Under an "acquisition" standard, a threat actor who views your database but doesn't exfiltrate records might not trigger notification. Under an "access" standard, simply viewing the data is enough.
California, for example, uses "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity" of personal information (Cal. Civ. Code § 1798.82). New York's SHIELD Act broadened the definition to include unauthorized access to private information, even without evidence of acquisition.
What Counts as Personal Information
Every state covers the basics: name plus Social Security number, driver's license number, or financial account number. But many states have expanded far beyond that. Illinois includes medical information and health insurance data. California includes biometric data, tax ID numbers, and a username or email address combined with a password, or with a security question and answer, that would permit access to an online account.
If your organization collects email addresses, usernames, or passwords — and you suffer credential theft from a phishing attack — you may have a notification obligation in several states even if no financial data was involved.
Notification Timelines: The Clock Is Already Running
Speed is where most organizations fail. IBM's Cost of a Data Breach Report 2024 put the mean time to identify a breach at 194 days, with another 64 days on average to contain it. Those figures cover finding and stopping the attacker; the investigation that establishes whose data was taken comes on top, and in many states the notification clock is already running while it happens. Meanwhile, notification deadlines are tightening across the board.
Here's a snapshot of deadlines you need to know:
- Colorado: 30 days from determination of breach
- Florida: 30 days from determination
- Maryland: 45 days from discovery (the 2022 amendment kept the 45-day figure but moved the start of the clock from the conclusion of the investigation to the date the breach is discovered)
- California: "In the most expedient time possible and without unreasonable delay"
- New York: "In the most expedient time possible and without unreasonable delay"
- HIPAA (healthcare): without unreasonable delay, and in no case later than 60 calendar days from discovery
- Federal banking regulators (OCC, FDIC, FRB): 36 hours from the determination that a "notification incident" has occurred, under the Computer-Security Incident Notification Rule in force since 2022
Note: many states start the clock upon "determination" that a breach occurred — meaning after your investigation confirms it. But several states start from "discovery," meaning the moment you become aware or should reasonably have become aware. Know which standard applies to your situation.
Who Must Be Notified — And How
Affected Individuals
Every state requires notification to affected individuals. Most mandate written notice sent to the person's last known mailing address. Many also allow email notification if that's the primary communication method. A few states allow substitute notice (website posting plus media notification) when the number of affected individuals exceeds a threshold — commonly 500,000 — or when the cost of direct notification is prohibitively high.
State Attorneys General and Regulators
Most states require you to notify the state Attorney General's office when a breach exceeds a certain number of affected residents. In many cases, this threshold is low. New York requires AG notification when any number of residents are affected. California requires it when more than 500 residents are involved. Some states require you to submit a copy of the notification letter itself.
Consumer Reporting Agencies
If a breach affects more than a certain number of individuals, typically 1,000 or more in a single state, you may also need to notify the major consumer reporting agencies (Equifax, Experian, TransUnion). Most states have this requirement. HIPAA does not; its analogue is notice to prominent media outlets when more than 500 residents of a single state or jurisdiction are affected.
Federal Agencies
HIPAA-covered entities must notify the Department of Health and Human Services (HHS). For breaches affecting 500 or more individuals, HHS must be notified without unreasonable delay and within 60 days of discovery, and the breach gets posted on the HHS "Wall of Shame." For breaches affecting fewer than 500, you log them and report to HHS within 60 days of the end of the calendar year in which they were discovered. The FTC has enforcement authority over companies that make deceptive claims about data security: if your privacy policy says you protect data and you don't, you may face an FTC action regardless of state law.
The $4.88M Lesson Most Organizations Learn Too Late
According to IBM's Cost of a Data Breach Report 2024, the global average cost of a data breach reached $4.88 million. The detail that should keep you up at night is where that money goes: the report counts post-breach response and lost business, which is where regulatory fines, legal fees, and customer churn land, and every one of those line items grows when notification is late or mishandled.
I've seen organizations save themselves enormous pain simply by having a documented incident response plan that includes notification procedures. The ones who struggle? They're the ones asking "who do we call?" for the first time during an active incident.
Building a security-aware workforce is your first line of defense against breaches that trigger notification in the first place. Cybersecurity awareness training equips your team to recognize social engineering, phishing, and other attack vectors before they escalate into reportable incidents.
Sector-Specific Requirements You Can't Ignore
Healthcare: HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule (45 CFR §§ 164.400-414) requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media following a breach of unsecured protected health information (PHI). "Unsecured" means PHI that wasn't rendered unusable, unreadable, or indecipherable through encryption or destruction consistent with HHS guidance, which points to NIST standards. If the data was encrypted that way before the breach and the key was not also compromised, you may qualify for a safe harbor: no notification required. More details are available from HHS's breach notification guidance.
Financial Services: GLBA Safeguards Rule
The FTC Safeguards Rule under the Gramm-Leach-Bliley Act requires the non-bank financial institutions under FTC jurisdiction to notify the FTC as soon as possible, and no later than 30 days after discovery, of a "notification event" involving the unencrypted information of 500 or more consumers. That reporting duty was added by a 2023 amendment (effective May 2024) and did not previously exist; the 2021 revision of the rule had already mandated multi-factor authentication, encryption, and written risk assessments.
Critical Infrastructure and Federal Contractors
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed in 2022, directs CISA to develop rules requiring critical infrastructure entities to report significant cyber incidents within 72 hours and ransomware payments within 24 hours. Final rules are expected in 2026. Organizations in the 16 critical infrastructure sectors identified by CISA should prepare now.
How to Build a Breach Notification Playbook
Waiting until a breach happens to figure out your notification obligations is like buying car insurance after the accident. Here's what I tell every organization I work with:
Step 1: Map Your Data and Your Exposure
Know what personal information you hold, where it lives, and which states (or countries) your data subjects reside in. You can't assess notification obligations if you don't know what was compromised or whose data it was. A current data inventory is non-negotiable.
Step 2: Build a State-by-State Obligation Matrix
Create a reference document listing every state where you hold resident data, the trigger definition, the notification deadline, the required recipients, and the content requirements. Several states mandate that notification letters include specific information — the date of the breach, a description of the data involved, contact information for credit reporting agencies, and steps the individual can take.
Step 3: Pre-Draft Notification Templates
Your legal team should have template notification letters ready for the states where you have the most exposure. During a live incident, every hour spent drafting from scratch is an hour closer to a missed deadline.
Step 4: Assign Roles Before the Incident
Who makes the call that a breach has occurred? Who contacts the AG's office? Who manages individual notifications? Who talks to the press? These decisions should be made in advance and documented in your incident response plan.
Step 5: Train Your People Relentlessly
The majority of breaches that trigger notification start with a human error: a clicked phishing link, a reused password, an unpatched system someone forgot about. The 2024 Verizon DBIR found the human element involved in 68% of breaches. Running regular phishing awareness simulations across your organization dramatically reduces the likelihood of a successful social engineering attack turning into a reportable breach.
Step 6: Test the Plan
Run tabletop exercises at least annually. Simulate a ransomware attack that exfiltrates customer PII. Walk through the entire notification process, from detection to disclosure. Find the gaps before an actual threat actor finds them for you.
What Happens If You Don't Comply?
Penalties vary by state, but they add up fast — especially when you're non-compliant in multiple jurisdictions simultaneously.
- New York: under the SHIELD Act, failure to notify carries a civil penalty of the greater of $5,000 or $20 per failed notification, capped at $250,000 per breach.
- California: civil penalties up to $7,500 per intentional violation under the CCPA (the figures are adjusted upward for inflation), plus a private right of action that lets consumers sue for statutory damages of $100 to $750 per consumer per incident when a breach results from a failure to maintain reasonable security.
- HIPAA: Tiered penalties up to $2,067,813 per violation category per year (adjusted for inflation).
- FTC: Consent orders, mandated security programs, and ongoing audits for 20+ years. Ask Uber, Equifax, or Drizly how that feels.
Beyond fines, delayed or missing notification invites class-action lawsuits. Plaintiff attorneys actively monitor the HHS breach portal and state AG announcements for targets. The reputational damage is harder to quantify but often more devastating than the fine itself.
A Federal Breach Notification Law: Still Waiting
For years, lawmakers have debated a comprehensive federal data breach notification standard that would preempt the state patchwork. Multiple bills have been introduced and stalled. As of 2026, we still don't have one. The American Data Privacy and Protection Act (ADPPA) made progress in 2022, and the American Privacy Rights Act draft followed in 2024, but neither crossed the finish line. Until a federal standard passes, you're stuck navigating 50+ separate regimes.
My advice: don't wait for Congress to simplify this for you. Build your notification program around the strictest state requirements — Colorado's 30-day deadline, New York's broad access-based trigger, California's expansive definition of personal information. If you can meet those, you can meet almost anything.
Encryption and the Safe Harbor You're Probably Not Using
Here's a practical detail that gets overlooked: most state breach notification laws include a safe harbor for encrypted data. If the compromised data was encrypted and the encryption key was not also compromised, notification is typically not required.
This means that strong encryption, both at rest and in transit, doesn't just protect data; it can eliminate your notification obligation. The caveat is in how the data was taken. Full-disk or volume encryption covers a stolen laptop or a drive pulled from a rack, but an attacker who reads records through a compromised application or database account receives plaintext, and the safe harbor does not apply. Field-level encryption with keys held outside the compromised system, combined with a zero trust architecture where access is verified continuously and microsegmented, is what reduces both the probability of a breach and its legal fallout.
Your Notification Checklist After a Breach
When a breach is confirmed, move through this sequence. The steps are ordered, but the clocks run in parallel: a banking regulator's 36-hour window or a CIRCIA 72-hour window can close before you have finished working out whose data was taken, so the regulator-facing steps may have to start on a preliminary picture.
- Contain the incident and preserve forensic evidence.
- Determine what personal information was compromised.
- Identify the states of residence for affected individuals.
- Consult your obligation matrix for trigger definitions, deadlines, and recipients.
- Engage legal counsel — breach notification is a legal process, not just a technical one.
- Draft and send individual notifications within the required timeframe.
- Notify state Attorneys General and regulators as required.
- Notify consumer reporting agencies if thresholds are met.
- Notify federal agencies (HHS, FTC, CISA) as applicable.
- Document every decision and timestamp throughout the process.
That documentation matters. If a regulator or plaintiff attorney later questions your response, contemporaneous records of your decision-making process are your best defense.
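To make the obligation matrix from Step 2 and this checklist concrete, here is an added Python example (not code from the original post, and not legal advice). It encodes only the figures the post itself quotes (Colorado, Florida, Maryland, California, New York, HIPAA) and deliberately leaves every other value as `None`, which the calculator reports as a gap rather than silently treating as "no obligation". The 1,000-record consumer reporting agency threshold is the post's "typically" figure and is marked as an assumption; the incident records and dates are constructed. The point it demonstrates is the discovery-versus-determination clock and the encryption safe harbor, both of which change the answer.

```python
# Illustrative breach-notification obligation calculator (added example; not legal advice).
# Matrix values are the ones quoted in the post. None means "not captured here: verify
# with counsel" and is reported as a gap, never treated as "no obligation".
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    days: Optional[int]      # outer deadline; None = "most expedient time possible"
    clock: str               # "discovery" or "determination": which date starts the clock
    ag_over: Optional[int]   # notify the AG when affected residents exceed this; 0 = any; None = unknown


# Hypothetical matrix. Figures from the post; AG thresholds the post does not give stay None.
MATRIX: Dict[str, Rule] = {
    "CO": Rule(30, "determination", None),
    "FL": Rule(30, "determination", None),
    "MD": Rule(45, "discovery", None),
    "CA": Rule(None, "discovery", 500),
    "NY": Rule(None, "discovery", 0),
}
CRA_THRESHOLD = 1000      # assumption: the post's "typically 1,000 in a single state"
HIPAA_DAYS = 60           # outer limit after discovery for unsecured PHI
HHS_PROMPT_OVER = 500     # 500+ individuals: HHS within 60 days; fewer: annual log
HIPAA_MEDIA_OVER = 500    # media notice when more than 500 residents of one state affected


@dataclass(frozen=True)
class Record:
    state: str
    encrypted: bool = False
    key_compromised: bool = False
    phi: bool = False


def notifiable(r: Record) -> bool:
    """Encryption safe harbor: encrypted data whose key stayed safe generally
    does not count as compromised personal information. A compromised key
    (or plaintext read through a compromised app) puts the record back in scope."""
    return not (r.encrypted and not r.key_compromised)


def obligations(records: List[Record], discovered: date, determined: date,
                hipaa_covered: bool = False) -> Dict[str, dict]:
    live = [r for r in records if notifiable(r)]
    per_state = Counter(r.state for r in live)
    out: Dict[str, dict] = {}
    for st, n in sorted(per_state.items()):
        rule = MATRIX.get(st)
        if rule is None:
            out[st] = {"affected": n, "gap": "state not in matrix; look it up before the clock runs out"}
            continue
        start = determined if rule.clock == "determination" else discovered
        deadline = start + timedelta(days=rule.days) if rule.days is not None else None
        out[st] = {
            "affected": n,
            "clock_starts": rule.clock,
            "individual_notice_by": deadline.isoformat() if deadline else "without unreasonable delay",
            "notify_ag": "unknown: verify" if rule.ag_over is None else n > rule.ag_over,
            "notify_cras": n >= CRA_THRESHOLD,
        }
    phi_by_state = Counter(r.state for r in live if r.phi)
    phi_n = sum(phi_by_state.values())
    if hipaa_covered and phi_n:
        out["HIPAA"] = {
            "affected": phi_n,
            "individual_notice_by": (discovered + timedelta(days=HIPAA_DAYS)).isoformat(),
            "hhs": "within 60 days of discovery" if phi_n >= HHS_PROMPT_OVER
                   else "annual log, within 60 days of calendar year end",
            "media_notice_states": sorted(s for s, c in phi_by_state.items() if c > HIPAA_MEDIA_OVER),
        }
    return out


def sample_incident() -> Dict[str, dict]:
    """Constructed incident: discovered 1 March, confirmed by the investigation 10 March."""
    records = (
        [Record("CA", phi=True)] * 600                 # CA residents, PHI, plaintext
        + [Record("NY")] * 2
        + [Record("CO")] * 1200
        + [Record("MD", encrypted=True)] * 10          # key safe: inside the safe harbor
        + [Record("FL", encrypted=True, key_compromised=True)] * 3
        + [Record("TX")] * 5                           # not in the matrix: reported as a gap
    )
    return obligations(records, discovered=date(2025, 3, 1),
                       determined=date(2025, 3, 10), hipaa_covered=True)


if __name__ == "__main__":
    for k, v in sample_incident().items():
        print(k, v)
```

Note how the same 30-day figure produces different dates for Colorado (clock starts at determination, 9 April) and would for a discovery-based state (1 March plus the period), and how Maryland drops out entirely because its records were encrypted with an uncompromised key, while Florida stays in because the key went with the data. Unknown thresholds surface as "verify", which is the behaviour you want during an incident.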
The Real Bottom Line
Data breach notification requirements aren't a technicality — they're a legal obligation with real teeth. Every organization that collects personal information from customers, employees, or partners needs a documented, tested plan for meeting these obligations. The cost of getting it wrong — in fines, lawsuits, and lost trust — dwarfs the cost of preparation.
Start by understanding your data, your legal exposure, and your team's readiness. Invest in security awareness training to prevent the breaches that trigger notification. Run phishing simulations to identify your weakest links before attackers do. And build your notification playbook today — not during the worst week of your professional life.