The SolarWinds Breach Just Made Notification a National Crisis
In December 2020, FireEye disclosed that a sophisticated threat actor had trojanized a SolarWinds Orion software update. SolarWinds estimated that as many as 18,000 customers had installed the backdoored build, among them the U.S. Treasury, the Department of Homeland Security, and Fortune 500 companies, although the attackers pursued follow-on access at only a subset of those. Weeks later, we're still discovering the scope. And for every organization affected, one question is now urgent: who do we have to notify, how fast, and what happens if we get it wrong?
If you're responsible for security at any organization that handles personal data — and that's nearly every organization — you need to understand data breach notification requirements inside and out. Not in theory. In practice. Because when your SIEM lights up at 2 AM with evidence of credential theft and data exfiltration, you won't have time to start Googling state statutes.
This guide breaks down exactly what the law requires, where the traps are, and what I've seen organizations do right and wrong when the clock starts ticking.
What Are Data Breach Notification Requirements?
Data breach notification requirements are the legal obligations that force organizations to inform affected individuals, regulators, and sometimes credit bureaus when personal data is compromised. Every U.S. state, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands now have their own breach notification laws. There is no single federal breach notification law that covers all industries — though sector-specific rules like HIPAA and the Gramm-Leach-Bliley Act layer on additional mandates.
The core concept is simple: if someone's personal information was accessed or acquired by an unauthorized party, you probably have to tell them. The devil is in the definitions, timelines, and exceptions — and those vary wildly depending on where your affected individuals live.
The 50-State Patchwork That Keeps CISOs Up at Night
California enacted the first state breach notification law, SB 1386, in 2002; it took effect in July 2003. By 2018, when Alabama and South Dakota enacted theirs, all 50 states had followed. But they didn't follow a template. Each state defines "personal information," "breach," and the notification timeline differently.
What Counts as Personal Information
Most states define it as a person's first name or initial and last name combined with one or more data elements: Social Security number, driver's license number, or financial account number together with the code or password needed to use it. But the definitions keep growing. California's breach statute (Civil Code section 1798.82) added medical and health insurance information in 2008, online account credentials (username or email plus password) in 2014, and, under AB 1130 effective January 2020, biometric data, passport numbers, and tax identification numbers. Note that those live in the breach statute, not the CCPA; the CCPA's contribution is a private right of action for consumers whose data is exposed because of unreasonable security.
Illinois includes medical information and health insurance data. New York's SHIELD Act, signed in July 2019 with its notification provisions effective October 2019, broadened "private information" to include biometric data, an email address combined with a password or a security question and answer, and username/password combinations, even without a name attached.
How Fast You Have to Notify
This is where organizations get burned. Some states have no specific deadline — they say "without unreasonable delay." Others are brutally specific:
- Florida: 30 days to individuals, and 30 days to the state attorney general if 500 or more individuals are affected.
- Colorado: 30 days.
- Connecticut: 90 days.
- Vermont: 45 days, plus you must notify the state attorney general within 14 business days of discovery.
- Washington: 30 days to individuals, with attorney general notification within that same window if more than 500 residents are affected.
The clock usually starts when you "discover" or "become aware of" the breach — not when the breach actually occurred. In the SolarWinds case, attackers had access since at least March 2020. Discovery didn't happen until December. That gap matters legally.
Who Else Gets Notified
Most states require notification to the state attorney general when breaches exceed a certain threshold — often 500 or 1,000 individuals. Some require notifying consumer reporting agencies. A few require notifying the state's department of consumer protection or equivalent.
If you operate in healthcare, HIPAA requires notification to the Department of Health and Human Services. Breaches affecting 500 or more individuals get posted to the HHS "Wall of Shame" — the HHS Breach Notification Rule page details the requirements.
Federal Rules That Layer on Top
While there's no omnibus federal breach notification law, several sector-specific regulations impose their own data breach notification requirements:
HIPAA Breach Notification Rule
Covered entities and business associates must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured protected health information. Breaches affecting more than 500 residents of a state or jurisdiction also require notice to prominent media outlets serving that area. HHS must be notified within the same 60-day window for breaches affecting 500 or more individuals; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
Gramm-Leach-Bliley Act (GLBA)
Financial institutions have obligations under the Interagency Guidance on Response Programs, which requires notifying customers when their sensitive information has been misused or is reasonably likely to be misused.
FTC Act — Section 5
The FTC has used its authority over unfair and deceptive practices to pursue companies that fail to safeguard consumer data or notify consumers after breaches. The FTC's settlement with Equifax following the 2017 breach — resulting in up to $700 million in penalties and restitution — demonstrated the agency's enforcement muscle. Details are available on the FTC's Equifax settlement page.
The $8.64M Lesson Most Organizations Learn Too Late
According to the Ponemon Institute and IBM's 2020 Cost of a Data Breach Report, the average total cost of a data breach in the United States was $8.64 million; globally it was $3.86 million. But here's the number that matters for this discussion: organizations whose breach lifecycle (time to identify plus time to contain) was under 200 days spent an average of $1.12 million less than those that took longer.
Speed matters. And notification timelines are part of that speed equation. I've seen organizations burn weeks debating whether an incident "really" qualifies as a breach, only to blow past statutory deadlines and face regulatory action on top of the breach itself.
The Verizon 2020 Data Breach Investigations Report found that 86% of breaches were financially motivated, and phishing was involved in 22% of confirmed breaches. When a phishing attack leads to credential theft, and that credential theft leads to data exfiltration, the notification clock starts as soon as you have evidence that personal information was compromised. Not when forensics is complete. Not when legal finishes reviewing. When you know or reasonably should know.
What "Reasonable" Actually Means in Practice
I've worked with organizations that delayed notification because they were "still investigating." That's a legitimate reason to take a few days or weeks — most statutes allow for law enforcement delay requests and reasonable investigation time. But "reasonable" has limits.
In 2019, the New York Attorney General fined a medical management company $200,000 under HIPAA and state law for waiting six months to notify patients of a breach. In 2020, the California Attorney General issued guidance emphasizing that the "most expedient time possible and without unreasonable delay" standard in California's breach statute (Civil Code section 1798.82, not the CCPA) means exactly what it says.
Here's my rule of thumb: if you know personal data was accessed by an unauthorized party, start drafting your notification within 72 hours. That doesn't mean you send it in 72 hours — it means you start the process. Parallel-path your investigation and your notification preparation.
Your Incident Response Plan Needs a Notification Playbook
Most incident response plans I review have a generic "notify affected parties" step somewhere near the end. That's not a plan. That's a wish.
What Your Notification Playbook Should Include
- A jurisdiction map: Where do your customers, employees, patients, or users live? Map every state and territory where you have data subjects. Pre-identify the notification statutes for each.
- Pre-drafted templates: Have notification letter templates ready for your top five states by volume. Include the elements each state requires: description of the incident, types of data involved, steps taken, contact information, and credit monitoring offers if applicable.
- Contact lists: Pre-identify the attorney general offices, consumer protection agencies, and credit bureaus you may need to notify. Have phone numbers and submission portals bookmarked.
- Legal review workflow: Define who reviews the notification, in what order, with what turnaround time. I've seen notifications delayed two weeks because they sat in a partner's inbox at an outside law firm.
- A decision matrix: Define the criteria for determining whether a security incident rises to the level of a reportable breach: what counts as "acquisition" versus mere access, whether the data was encrypted and the key was not also taken (the encryption safe harbor most states provide), and how to apply the risk-of-harm exceptions that states such as New York write into their statutes. Write down who makes the call and on what evidence, so the decision is not relitigated at 2 AM.
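The deadline list earlier on this page and the jurisdiction-map and decision-matrix items in this playbook come down to the same artifact: a table of rules and a function that turns "we discovered it at 02:00 on Monday" into a dated list of obligations. Below is an added example of that artifact in Python; it is my illustration, not code from this article or from any statute. It encodes only the figures quoted on this page (the five states above plus GDPR's 72 hours, covered later), leaves the entries the article does not give as None for counsel to fill in, and counts business days by skipping weekends only, which is an assumption. The incident data at the bottom is constructed.

```python
"""Breach notification deadline calculator (added example, not the article's code).
The table encodes only the figures the article quotes; entries it does not give
are None for counsel to fill in. Business days skip weekends only (assumption).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    # Calendar days to notify individuals; None = statute gives no number,
    # only "without unreasonable delay".
    individual_days: Optional[int]
    # Regulator deadline in calendar days, business days, or hours (one is set).
    regulator_days: Optional[int] = None
    regulator_business_days: Optional[int] = None
    regulator_hours: Optional[int] = None
    # Regulator notice is owed only once this many residents are affected.
    regulator_min_affected: int = 0


# Jurisdiction map: keys are the places your data subjects live.
RULES: Dict[str, Rule] = {
    "FL": Rule(30, regulator_days=30, regulator_min_affected=500),  # 500 or more
    "CO": Rule(30),                          # AG deadline not given in the article
    "CT": Rule(90),                          # AG deadline not given in the article
    "VT": Rule(45, regulator_business_days=14),
    "WA": Rule(30, regulator_days=30, regulator_min_affected=501),  # "more than 500"
    "EU": Rule(None, regulator_hours=72),    # GDPR Art. 33; Art. 34 covers individuals
}


@dataclass(frozen=True)
class Deadline:
    jurisdiction: str
    party: str               # "individuals", "regulator", or "unknown"
    due: Optional[datetime]  # None = no fixed statutory date
    basis: str               # plain-language reason, kept for the record


def add_business_days(start: datetime, days: int) -> datetime:
    """Advance `days` weekdays from `start`; weekends skipped, holidays not."""
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 .. Friday=4
            remaining -= 1
    return current


def notification_schedule(discovered: datetime, affected: Dict[str, int]) -> List[Deadline]:
    """Turn the discovery time (the statutory trigger, not the intrusion date)
    and per-jurisdiction headcounts into dated deadlines. Jurisdictions missing
    from RULES come back flagged rather than dropped, so the gap is visible."""
    schedule: List[Deadline] = []
    for jur, count in affected.items():
        if count <= 0:
            continue
        rule = RULES.get(jur)
        if rule is None:
            schedule.append(Deadline(jur, "unknown", None, "no rule on file: research it now"))
            continue
        if rule.individual_days is None:
            schedule.append(Deadline(jur, "individuals", None, "without unreasonable delay"))
        else:
            due = discovered + timedelta(days=rule.individual_days)
            schedule.append(Deadline(jur, "individuals", due, f"{rule.individual_days} calendar days"))
        if count < rule.regulator_min_affected:
            continue  # below the threshold: no regulator notice owed
        if rule.regulator_hours is not None:
            due = discovered + timedelta(hours=rule.regulator_hours)
            schedule.append(Deadline(jur, "regulator", due, f"{rule.regulator_hours} hours from awareness"))
        elif rule.regulator_business_days is not None:
            due = add_business_days(discovered, rule.regulator_business_days)
            schedule.append(Deadline(jur, "regulator", due, f"{rule.regulator_business_days} business days"))
        elif rule.regulator_days is not None:
            due = discovered + timedelta(days=rule.regulator_days)
            schedule.append(Deadline(jur, "regulator", due, f"{rule.regulator_days} calendar days"))
    # Hard dates first, soonest first; open-ended items at the end.
    schedule.sort(key=lambda d: (d.due is None, d.due or datetime.max))
    return schedule


def earliest_fixed_deadline(schedule: List[Deadline]) -> Optional[Deadline]:
    """The first hard date: what the 2 AM page to legal should lead with."""
    return next((d for d in schedule if d.due is not None), None)


# Constructed incident (not real data): discovered 02:00 on Monday 14 Dec 2020.
EXAMPLE_DISCOVERED = datetime(2020, 12, 14, 2, 0)
EXAMPLE_AFFECTED = {"FL": 1200, "VT": 40, "WA": 300, "EU": 10, "NY": 5000}

if __name__ == "__main__":
    for d in notification_schedule(EXAMPLE_DISCOVERED, EXAMPLE_AFFECTED):
        when = d.due.strftime("%Y-%m-%d %H:%M") if d.due else "no fixed date"
        print(f"{d.jurisdiction:3} {d.party:12} {when:17} {d.basis}")
```

Run it and the first row is the GDPR supervisory-authority deadline, about three days out, which is why the playbook should treat EU data subjects as the pacing item. Two rows are there to teach a lesson: the Vermont attorney general date lands on New Year's Day because the weekend-only count ignores Christmas and New Year's, so a real playbook must use each jurisdiction's holiday calendar; and the "NY" row is flagged as unknown rather than dropped, because a jurisdiction missing from your map should surface as a visible gap, not vanish from the schedule.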
Train Before the Breach, Not During
Your incident response team needs to run tabletop exercises that include the notification process. I'm not talking about a PowerPoint walkthrough. I'm talking about a realistic scenario where your team identifies the breach, determines which states are affected, pulls the right templates, and drafts notifications under time pressure.
If your employees can't recognize a phishing email, your incident response plan won't matter — you'll be responding to breaches constantly. Build security awareness into your culture with cybersecurity awareness training for your entire workforce. And because phishing remains the top initial access vector for data breaches, invest in phishing awareness training tailored to your organization's risk profile.
Multi-Factor Authentication: The Notification You'll Never Have to Send
The best breach notification is the one you never have to write. Multi-factor authentication (MFA) stops the vast majority of credential theft attacks from escalating into full-blown breaches. Microsoft reported in 2019 that MFA blocks 99.9% of automated account compromise attacks.
If your organization still relies on passwords alone for email, VPN, or cloud application access, you're choosing to accept a risk that has a well-documented, affordable mitigation. Every breach I've worked that started with stolen credentials could have been prevented — or at least contained — with MFA.
Zero trust architecture takes this further. Instead of assuming that anyone inside your network perimeter is trustworthy, zero trust requires continuous verification. NIST Special Publication 800-207 provides the framework — you can review it at NIST's zero trust architecture page.
Ransomware and the Notification Question Nobody Expected
Here's a wrinkle that caught many organizations off guard in 2020: ransomware operators started exfiltrating data before encrypting it. Groups like Maze, REvil, and Egregor steal sensitive files and threaten to publish them unless the ransom is paid.
This changes the notification calculus entirely. A ransomware attack that only encrypts data might not trigger notification under some state statutes, if nothing was "accessed or acquired" by the threat actor and you restore from backups. HIPAA is the notable exception: HHS guidance treats ransomware encryption of unsecured PHI as a presumed breach unless your documented risk assessment shows a low probability that the data was compromised. But once a ransomware gang exfiltrates personal information and posts samples on a leak site as proof, there's no ambiguity. You've had a reportable data breach.
The FBI's Internet Crime Complaint Center (IC3) reported that ransomware complaints increased significantly in 2020. The IC3 website tracks these trends and provides reporting mechanisms for victims.
International Wrinkles: GDPR's 72-Hour Rule
If you handle data belonging to EU residents, Article 33 of the General Data Protection Regulation requires notifying the competent supervisory authority (for cross-border processing, your lead supervisory authority) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Article 34 separately requires telling the affected individuals without undue delay when the breach is likely to result in a high risk to them. The 72-hour window is one of the tightest you are likely to face, and it runs on hours, not business days.
Post-Brexit, the UK has adopted its own version (UK GDPR) with the same 72-hour window. If your organization serves customers internationally, your data breach notification requirements span multiple legal regimes simultaneously.
What Happens When You Get It Wrong
The penalties for failing to meet data breach notification requirements aren't theoretical:
- Uber (2018): Paid $148 million to settle claims that it concealed a 2016 breach affecting 57 million users and drivers. The company's former CSO was later charged criminally for the cover-up.
- Anthem (2018): Paid $16 million to HHS — the largest HIPAA settlement in history at the time — following a 2015 breach affecting 79 million individuals.
- Premera Blue Cross (2020): Paid $6.85 million to HHS for a breach affecting 10.4 million people, with notification failures cited as an aggravating factor.
State attorneys general are increasingly coordinating multi-state investigations. When your breach affects residents in 30 states, you may face 30 separate enforcement actions. The cost of compliant, timely notification is a fraction of the cost of getting it wrong.
Start With What You Can Control Today
You can't prevent every breach. But you can control how prepared you are when one happens. Map your data. Know your jurisdictions. Pre-build your notification templates. Run tabletop exercises quarterly. Deploy MFA everywhere. Train every employee to recognize social engineering attacks.
Data breach notification requirements aren't just a legal checkbox — they're a reflection of how seriously your organization takes its obligation to the people whose data you hold. Get this right, and you'll survive a breach with your reputation intact. Get it wrong, and the breach becomes the second-worst thing that happened to you.