The Breach Nobody Reported — Until It Was Too Late
In 2020, the health insurer Anthem agreed to pay $39.5 million to settle claims with 43 state attorneys general over a 2015 data breach affecting nearly 79 million people. The breach itself was devastating. But the lawsuits and regulatory actions were amplified by delayed and botched notification processes. The lesson: knowing how to report a data breach isn't optional — it's a legal obligation that, if mishandled, can cost you more than the breach itself.
If you're reading this, chances are you're either dealing with a breach right now or you're smart enough to prepare before one happens. Either way, I'm going to walk you through exactly who to contact, what timelines you're working against, and how to avoid the regulatory landmines that turn a security incident into a business-ending event.
I've worked with organizations that discovered credential theft on a Friday afternoon and had no idea who to call first. This guide is what I wish I could have handed them.
What Counts as a Reportable Data Breach?
Not every security incident is a reportable data breach. But the threshold is lower than most people think.
A data breach, for reporting purposes, is generally any unauthorized access to, or acquisition of, unencrypted personal information that compromises the security, confidentiality, or integrity of that data. This includes names paired with Social Security numbers, driver's license numbers, financial account numbers, medical records, or login credentials. Don't lean too hard on the encryption safe harbor: under most state laws it is lost if the key or credential that unlocks the data was acquired along with it.
The "Risk of Harm" Standard
Many state laws use a "risk of harm" threshold. If the exposed data could reasonably be used for identity theft, fraud, or other harm, it's reportable. Some states — like California — don't even require a risk assessment. If unencrypted personal information was accessed, you report it. Period.
A ransomware attack that exfiltrates customer records? Reportable. A phishing attack that gives a threat actor access to an employee's email full of client Social Security numbers? Reportable. A lost, unencrypted laptop with patient data? Also reportable.
How to Report a Data Breach: The Step-by-Step Process
Here's the framework I use when advising organizations. Speed and accuracy matter equally — report too slowly and you face regulatory penalties, report inaccurately and you face lawsuits.
Step 1: Contain the Incident First
Before you report anything, stop the bleeding. Isolate affected systems. Revoke compromised credentials. Engage your incident response team, internal or external, and bring in counsel early so the investigation runs under privilege. Preserve evidence while you contain: image systems before you rebuild them and keep the logs, because every notification has to say how the breach occurred and regulators will ask what that statement is based on. You need to understand the scope before you can accurately report it.
This doesn't mean you wait weeks. Most statutory clocks run from discovery (or from your determination that a breach occurred), not from the end of the investigation. Containment and reporting run in parallel once you have the basic facts: what data was involved, how many people are affected, and how the breach occurred.
Step 2: Notify Your State Attorney General
Every U.S. state, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have data breach notification laws. Most require you to notify the state attorney general's office once the breach affects a certain number of residents, often 500 or more.
Timelines vary dramatically. Some states require notification within 30 days of determining that a breach occurred (Florida). Others, like Connecticut, say it must happen "without unreasonable delay" but cap it at 60 days, down from 90 after a 2021 amendment. Several states tightened their windows in 2021. You need to know the law in every state where affected individuals reside, not just where your business is located.
The National Conference of State Legislatures maintains a list of all 50 state breach notification laws — bookmark it.
Step 3: Notify Affected Individuals
This is where it gets personal. You're required to tell the actual humans whose data was compromised. State laws dictate the method (written letter, email, or substitute notice for large breaches) and the content (what happened, what data was exposed, what they should do).
In my experience, the notification letter is where most organizations stumble. Vague language like "some of your information may have been involved" erodes trust and invites lawsuits. Be specific. Tell people exactly what was exposed and give them concrete steps: freeze their credit, change passwords, enable multi-factor authentication on critical accounts.
Step 4: Report to Federal Agencies (When Required)
Federal reporting requirements depend on your industry:
- Healthcare (HIPAA-covered entities): You must notify the U.S. Department of Health and Human Services. Breaches affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 days after discovery, and are posted on HHS's public breach portal, the infamous "Wall of Shame." If 500 or more residents of a single state or jurisdiction are affected, you must also notify prominent media outlets serving that area. Smaller breaches are logged and submitted to HHS within 60 days after the end of the calendar year in which they were discovered.
- Financial institutions (GLBA): Federal banking regulators require notification. A rule from the OCC, FDIC, and Federal Reserve, effective April 1, 2022 with compliance required by May 1, 2022, requires banking organizations to notify their primary federal regulator as soon as possible and no later than 36 hours after determining that a "notification incident" has occurred: a computer-security incident that has materially disrupted, or is reasonably likely to materially disrupt, operations, a line of business, or the stability of the financial sector. Bank service providers must in turn notify their bank customers as soon as possible when an incident disrupts covered services for four or more hours.
- Public companies (SEC): Material breaches may trigger disclosure obligations under SEC rules, and in March 2022 the SEC proposed requiring disclosure of material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material.
- Critical infrastructure: CISA is increasingly involved in breach reporting. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed in March 2022, will require covered entities to report covered cyber incidents to CISA within 72 hours and ransom payments within 24 hours once CISA completes its rulemaking. Until then reporting is voluntary: visit CISA.gov/report to file a report.
Step 5: File with the FTC (If Applicable)
If your organization experienced a breach involving consumer data and you're not covered by a sector-specific regulator, the FTC may have jurisdiction. The FTC has taken enforcement actions against companies — from major retailers to small app developers — for inadequate data security practices that led to breaches.
The FTC's actions against Equifax (a 2019 settlement of at least $575 million, reached jointly with the CFPB and 50 states and territories) and CafePress (a 2022 order requiring $500,000 in consumer redress) show they treat breach response failures as seriously as the security failures themselves.
Step 6: File a Report with the FBI's IC3
If the breach involved criminal activity — ransomware, social engineering, business email compromise — file a complaint with the FBI's Internet Crime Complaint Center (IC3). The FBI's 2021 IC3 report documented nearly 850,000 complaints with potential losses exceeding $6.9 billion. Your report feeds into federal law enforcement efforts and can help recover stolen funds in some BEC cases.
Step 7: Notify Credit Bureaus (For Large Breaches)
If your breach affects more than 1,000 individuals in a single state, most state laws require you to notify the major credit reporting agencies — Equifax, Experian, and TransUnion. This helps the bureaus prepare for a surge in credit freeze and fraud alert requests from affected consumers.
The Timeline That Catches Everyone Off Guard
Here's the reality I've seen play out dozens of times: organizations discover a breach and immediately go into investigation mode. Weeks pass. Legal reviews the notification letter draft. Marketing wants to soften the language. And suddenly you've blown past your statutory deadline.
The 2021 Verizon Data Breach Investigations Report found that 20% of breaches took months or longer to discover. That discovery delay already puts you behind. Once you know, the clock starts ticking immediately — and in some jurisdictions, it ticks fast.
Build your notification timeline before a breach happens. Know which states have the shortest windows. Have template letters drafted. Know which outside counsel to call. This is what a mature incident response plan looks like.
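The notification matrix described above is, in the end, a table of recipients, the facts that make each one applicable, and the window each one allows. As an added example that is not part of the original article, the script below turns a few of the windows quoted on this page (the banking 36-hour rule, GDPR's 72 hours, Florida's 30 days, HHS's 60 days, and the 1,000-residents-per-state credit bureau threshold) into a sorted deadline clock. The 500-resident Florida AG threshold, the use of the discovery time as the clock start for every entry, and the incident facts are assumptions for illustration; a real matrix needs every state filled in by counsel, and some statutes start their clock at the determination of a breach rather than at discovery.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable


@dataclass(frozen=True)
class Incident:
    """Facts known when the clock starts. The values used below are constructed."""
    discovered_at: datetime            # assumed clock start; statutes differ on this
    affected_by_state: dict[str, int]  # affected residents per U.S. state
    hipaa_covered: bool = False
    eu_data_subjects: bool = False
    banking_org: bool = False


@dataclass(frozen=True)
class Obligation:
    recipient: str
    window: timedelta                     # statutory window after the clock starts
    applies: Callable[[Incident], bool]   # predicate over the incident facts


# Windows quoted on this page. This is a placeholder matrix: every state you
# operate in needs its own row, with thresholds and clock starts checked by counsel.
OBLIGATIONS: list[Obligation] = [
    Obligation("Primary federal banking regulator (36h)", timedelta(hours=36),
               lambda i: i.banking_org),
    Obligation("GDPR supervisory authority (72h)", timedelta(hours=72),
               lambda i: i.eu_data_subjects),
    # 500-resident threshold for the Florida AG is assumed for this example.
    Obligation("Florida Attorney General (30 days)", timedelta(days=30),
               lambda i: i.affected_by_state.get("FL", 0) >= 500),
    Obligation("HHS breach portal (60 days, 500+ individuals)", timedelta(days=60),
               lambda i: i.hipaa_covered and sum(i.affected_by_state.values()) >= 500),
]


def notification_clock(incident: Incident,
                       obligations: list[Obligation] = OBLIGATIONS
                       ) -> list[tuple[str, datetime]]:
    """Return (recipient, deadline) for each applicable obligation, earliest first."""
    due = [(o.recipient, incident.discovered_at + o.window)
           for o in obligations if o.applies(incident)]
    return sorted(due, key=lambda pair: pair[1])


def credit_bureau_states(incident: Incident, threshold: int = 1000) -> list[str]:
    """States whose per-state count crosses the credit bureau notice threshold."""
    return sorted(s for s, n in incident.affected_by_state.items() if n >= threshold)


def overdue(incident: Incident, now: datetime) -> list[str]:
    """Recipients whose deadline has already passed at `now`."""
    return [recipient for recipient, deadline in notification_clock(incident)
            if deadline < now]


def sample_incident() -> Incident:
    """Constructed incident: a HIPAA-covered entity with EU data subjects,
    1,200 Florida residents and 300 Texas residents, discovered on a Friday afternoon."""
    return Incident(
        discovered_at=datetime(2022, 6, 3, 15, 0, tzinfo=timezone.utc),
        affected_by_state={"FL": 1200, "TX": 300},
        hipaa_covered=True,
        eu_data_subjects=True,
    )


if __name__ == "__main__":
    inc = sample_incident()
    for recipient, deadline in notification_clock(inc):
        print(f"{deadline.isoformat()}  {recipient}")
    print("credit bureau notice triggered by:", credit_bureau_states(inc))
    print("overdue one week later:", overdue(inc, inc.discovered_at + timedelta(days=7)))
```

Run it and the GDPR deadline lands on the Monday after a Friday discovery, which is the practical reason to have the matrix built before the breach: the first entry on the list is often due before the first status meeting.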
What Happens If You Don't Report a Data Breach?
Failing to report a data breach isn't just unethical — it's illegal in every U.S. state. Penalties include:
- State fines: Many states impose per-violation, per-day penalties. In some states, each affected individual counts as a separate violation. Do the math on a breach affecting 10,000 people.
- Regulatory enforcement: State attorneys general can — and do — sue. The multi-state Anthem settlement is a prime example.
- Class action lawsuits: Delayed notification gives plaintiffs' attorneys powerful ammunition. "They knew for three months and didn't tell us" is a devastating line in front of a jury.
- Loss of business: Consumer trust is nearly impossible to rebuild after a cover-up. The breach hurts. The cover-up kills.
International Reporting: GDPR and Beyond
If your breach involves personal data of EU residents, the General Data Protection Regulation (GDPR) requires you to notify the relevant supervisory authority within 72 hours of becoming aware of the breach unless it is unlikely to result in a risk to individuals (Article 33), and to notify the affected individuals without undue delay when the breach is likely to result in a high risk to them (Article 34). Miss the 72 hours and the notification must explain the delay. Failing to notify sits in GDPR's lower fine tier, up to €10 million or 2% of annual global turnover, whichever is higher; the headline €20 million or 4% tier applies to violations of the core processing principles and data-subject rights, which the same breach can also trigger.
Canada's PIPEDA requires reporting to the Office of the Privacy Commissioner and notifying affected individuals as soon as feasible for breaches that pose a "real risk of significant harm," and keeping a record of every breach for 24 months. Brazil's LGPD has similar mandates. If you operate globally, your breach reporting obligations multiply quickly.
Building a Breach Response Plan Before You Need One
The organizations that handle breach reporting well are the ones that practiced it before it was real. Here's what your plan should include:
- An incident response team with defined roles: legal, IT, communications, executive leadership.
- A state-by-state notification matrix listing deadlines, AG contact information, and content requirements.
- Pre-drafted notification templates for individuals, regulators, and media.
- Outside counsel on retainer who specializes in data breach response.
- A forensics partner you've vetted before you're in crisis mode.
- Regular tabletop exercises simulating breach scenarios, including the notification process.
Security awareness training is foundational to preventing breaches in the first place. If your employees can't recognize a phishing email, your breach response plan will get plenty of use. Our cybersecurity awareness training program covers the social engineering tactics that lead to the credential theft and ransomware incidents that trigger breach notifications.
The Role of Phishing in Most Reportable Breaches
According to the 2021 Verizon DBIR, phishing was involved in 36% of data breaches — the single most common attack vector. That means more than a third of the time, a reportable breach started with an employee clicking something they shouldn't have.
This is why phishing simulation and training aren't just "nice to have" security awareness activities. They're your front line against the incidents that force you into the reporting process described above. I recommend enrolling your team in phishing awareness training for organizations to build the muscle memory that stops breaches before they start.
Quick Reference: Who to Contact After a Data Breach
If you're looking for a concise answer to how to report a data breach, here's the short version:
- State attorney general in every state where affected individuals reside
- Affected individuals via written notice with specific details about the exposure
- Federal regulators (HHS for healthcare, banking regulators for financial institutions, SEC for public companies)
- FBI IC3 if criminal activity is involved
- CISA for critical infrastructure incidents
- FTC when applicable
- Credit bureaus if 1,000+ individuals are affected in a single state
- GDPR supervisory authority within 72 hours if EU residents are involved
Don't Wait for the Breach to Read the Playbook
Every organization that's been through a data breach says the same thing afterward: "We should have been more prepared." The reporting requirements alone — across 50 states, multiple federal agencies, and potentially international regulators — are overwhelming in the middle of a crisis.
Build the plan now. Train your people now. Know who to call and what to say before your security team walks into your office with bad news. Because in 2022, it's not a question of if — it's when. And when it happens, the clock is already running.