In September 2023, MGM Resorts lost an estimated $100 million after a social engineering attack compromised its systems. But the financial damage from the breach itself was only part of the story. The chaos that followed — delayed notifications, regulatory scrutiny, class-action lawsuits — showed exactly what happens when an organization fumbles the reporting process. If you're wondering how to report a data breach, the answer is more nuanced than most people think. And getting it wrong can cost you more than the breach itself.

This guide walks you through every step: who to notify, when, how, and what to document along the way. Whether you run a 20-person company or manage security for an enterprise, these are the exact steps I've seen separate organizations that recover quickly from those that don't.

Why Knowing How to Report a Data Breach Matters More Than Ever

The numbers tell a stark story. According to IBM's 2023 Cost of a Data Breach Report, the global average cost of a data breach hit $4.45 million — the highest figure ever recorded. Organizations that contained and reported breaches within 200 days saved an average of $1.02 million compared to those that dragged their feet.

And the regulatory landscape has only gotten tighter. As of early 2024, all 50 U.S. states have data breach notification laws on the books. The SEC finalized new cybersecurity disclosure rules in late 2023. The FTC has aggressively pursued companies for delayed or inadequate breach notifications, including a string of enforcement actions targeting companies that failed to protect consumer data.

Here's the reality I've seen play out dozens of times: the breach itself is survivable. The cover-up — or even the appearance of one — is what destroys trust and invites regulators.

Step 1: Confirm and Contain the Breach

Before you report anything, you need to confirm that a breach actually occurred. Not every security incident qualifies as a reportable data breach. A data breach specifically involves unauthorized access to, or exfiltration of, personally identifiable information (PII), protected health information (PHI), or financial data.

Immediate Containment Actions

  • Isolate affected systems. Take compromised servers, endpoints, or network segments offline. Don't wipe anything yet — you'll need forensic evidence.
  • Revoke compromised credentials. If credential theft is involved, force password resets immediately and review multi-factor authentication configurations across all affected accounts.
  • Preserve logs. Firewall logs, authentication logs, email headers, endpoint detection alerts — all of it. Timestamped evidence is critical for both reporting and potential litigation.
  • Engage your incident response team. If you have a retainer with a digital forensics firm, now is the time to call them. If you don't, this incident just showed you why you need one.

I've worked cases where organizations immediately reformatted compromised servers, destroying the very evidence they needed to determine the scope of the breach. Don't make that mistake. Containment means stopping the bleeding, not destroying the crime scene.
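One way to make "preserve logs" concrete is a chain-of-custody manifest: hash every collected file, record who collected it and when, and re-verify the hashes later so that any "cleanup" of a preserved log is detectable. The script below is an added example, not part of this article; the sample log lines, file names and manifest layout are constructed for illustration (it also serves the "document everything" point in Step 7, since every entry is timestamped in UTC).

```python
"""Evidence preservation manifest: hash collected log files and detect later changes.

Added example, not from the article. Sample log files are constructed inline
so the script runs offline; paths, names and the manifest layout are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read files in 1 MiB chunks so large logs do not load into memory


def sha256_file(path):
    """Return the hex SHA-256 of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector):
    """Record who collected each file, when (UTC), its size and its hash.

    The manifest is the chain-of-custody record: anyone can later re-hash the
    files and prove they are byte-for-byte what was collected.
    """
    entries = []
    for p in sorted(paths):
        st = os.stat(p)
        entries.append({
            "path": p,
            "size": st.st_size,
            "sha256": sha256_file(p),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collector": collector,
        })
    # Hash the manifest body itself so it can be sealed or signed as a single value.
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "manifest_sha256": hashlib.sha256(body).hexdigest()}


def verify_manifest(manifest):
    """Return the paths whose current hash (or existence) no longer matches the manifest."""
    changed = []
    for e in manifest["entries"]:
        if not os.path.exists(e["path"]) or sha256_file(e["path"]) != e["sha256"]:
            changed.append(e["path"])
    return changed


def make_sample_evidence(root):
    """Create constructed log files (not real data) and return their paths."""
    samples = {
        "auth.log": "2024-03-01T02:14:07Z sshd[4121]: Accepted password for svc-backup from 203.0.113.9\n",
        "firewall.log": "2024-03-01T02:15:30Z DENY TCP 10.0.5.21:49811 -> 198.51.100.4:445\n",
    }
    paths = []
    for name, text in samples.items():
        p = os.path.join(root, name)
        with open(p, "w") as f:
            f.write(text)
        paths.append(p)
    return paths


def demo():
    """Build a manifest, then show that editing a preserved log is detected."""
    root = tempfile.mkdtemp(prefix="evidence-")
    paths = make_sample_evidence(root)
    manifest = build_manifest(paths, collector="ir-lead@example.com")
    before = verify_manifest(manifest)          # [] : nothing has changed yet
    with open(paths[0], "a") as f:              # simulate someone "tidying up" a log
        f.write("tampered\n")
    after = verify_manifest(manifest)           # [path of auth.log]
    return before, after, manifest


if __name__ == "__main__":
    print(demo())
```

In practice the collected copies go to write-once storage and the manifest hash is signed or recorded out of band, so that the verification step can be repeated by an outside forensics firm or in litigation.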

Step 2: Assess the Scope and Impact

You can't file an accurate report if you don't know what happened. This step runs in parallel with containment and involves answering specific questions.

Key Questions to Answer

  • What types of data were compromised? (SSNs, financial records, health data, credentials)
  • How many individuals are affected?
  • What was the attack vector? (Phishing, ransomware, insider threat, unpatched vulnerability)
  • Is the threat actor still in the environment?
  • Was data exfiltrated, or only accessed?

The Verizon 2023 Data Breach Investigations Report found that 74% of all breaches involved the human element — whether through social engineering, errors, or misuse. Understanding how the breach happened directly shapes your notification obligations and your remediation plan. If a phishing attack was the entry point, that tells you something important about the training gaps in your organization.

This is where investing in phishing awareness training for your organization pays for itself. Every phishing simulation you run before a breach happens is one less attack vector a threat actor can exploit.

Step 3: Notify Law Enforcement

Many organizations skip this step or delay it, which is a mistake. Law enforcement agencies can provide resources, intelligence about the threat actor, and sometimes even help recover stolen data.

Where to File

  • FBI Internet Crime Complaint Center (IC3): File a complaint at ic3.gov. This is the primary federal reporting mechanism for cyber incidents. The FBI's IC3 received over 800,000 complaints in 2022 with losses exceeding $10.3 billion.
  • Local FBI field office: For significant breaches involving ransomware, nation-state threat actors, or large-scale data theft, contact your local field office directly.
  • U.S. Secret Service: If the breach involves financial fraud or payment card data, the Secret Service has jurisdiction.
  • CISA: Report incidents to the Cybersecurity and Infrastructure Security Agency at cisa.gov/report. Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), certain critical infrastructure entities will soon face mandatory reporting requirements.

Filing with law enforcement does not satisfy your obligation to notify affected individuals or state regulators. These are separate tracks that run simultaneously.

Step 4: Determine Your State Notification Obligations

This is where most organizations get tripped up. Every state has its own breach notification law, and if your affected customers or employees live in multiple states, you must comply with each one.

What State Laws Typically Require

  • Notification timeline: Ranges from 30 days (Colorado, Florida) to 60 days (most states) to "as expeditiously as possible" (some states with no hard deadline).
  • Who must be notified: Affected individuals, state attorney general, and sometimes credit reporting agencies (usually when more than 500 or 1,000 residents are affected).
  • Content requirements: Most states require you to describe the breach, specify what data was exposed, explain what you're doing about it, and provide contact information for credit bureaus.

California, under the CCPA and its amendments, has some of the strictest requirements. New York's SHIELD Act expanded the definition of private information and added specific security requirements. If you handle health data, HIPAA requires notification within 60 days and mandates reporting to the HHS Office for Civil Rights.

I maintain a spreadsheet of state breach notification requirements for every engagement. If you don't have one, start building it now — before you need it.

Step 5: Notify Affected Individuals

This is the notification most people think of when they ask how to report a data breach. It's also the one that carries the most reputational risk.

What an Effective Notification Includes

  • A clear, plain-language description of what happened
  • What specific data was compromised
  • What steps you've taken to address the breach
  • What the individual should do to protect themselves
  • Contact information for your organization's response team
  • Information about credit monitoring services (if applicable)

Don't bury bad news in legal jargon. I've reviewed breach notification letters that were clearly written by lawyers trying to minimize liability rather than inform customers. Recipients see through that immediately, and it destroys whatever trust remained.

The FTC recommends using plain language and providing specific, actionable guidance. "Monitor your accounts" is useless without telling people how to place fraud alerts or credit freezes.

Step 6: Notify Federal Regulators (If Applicable)

SEC Disclosure Rules

If you're a publicly traded company, the SEC's new rules (effective December 2023) require disclosure of material cybersecurity incidents within four business days of determining materiality. This is a significant acceleration from prior practice.

HIPAA Breach Notification

Healthcare organizations and their business associates must notify HHS, affected individuals, and potentially the media (for breaches affecting 500+ residents of a state) within 60 days.

Financial Sector Requirements

Banks and financial institutions face notification requirements from their primary federal regulator (OCC, FDIC, or Federal Reserve) as well as the Gramm-Leach-Bliley Act's Safeguards Rule.
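Steps 4 through 6 all start clocks from different events, and the organizations that miss deadlines are usually the ones tracking them in someone's head. The tracker below is an added example, not the article's own tooling: it uses only the figures the article gives (30 days for Colorado and Florida, 60 days for most states, 60 days under HIPAA, four business days for SEC disclosure), treats the credit-bureau threshold as an assumption, and does not model holidays. The state table is a placeholder that counsel must replace with current statutory values.

```python
"""Multi-jurisdiction notification deadline tracker.

Added example, not the article's own tooling. The only numbers used are those
the article gives; the credit reporting agency threshold is an assumption.
Counsel must replace these tables with current statutory values before use.
"""
from datetime import date, timedelta

STATE_CALENDAR_DAYS = {"CO": 30, "FL": 30}  # from the article; other states use the default
DEFAULT_STATE_DAYS = 60                      # "most states" per the article
HIPAA_DAYS = 60                              # notification to HHS OCR and individuals
SEC_BUSINESS_DAYS = 4                        # counted from the materiality determination
CREDIT_BUREAU_THRESHOLD = 1000               # assumed; the article notes 500 or 1,000 by state


def add_business_days(start, n):
    """Advance n business days from start, skipping weekends (holidays not modelled)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def business_deadline(start_iso, n):
    """ISO-string wrapper around add_business_days."""
    return add_business_days(date.fromisoformat(start_iso), n).isoformat()


def deadlines(discovered_iso, affected_by_state, phi=False,
              public_company=False, materiality_iso=None):
    """Return [(deadline_iso, obligation), ...] sorted so the earliest clock is first.

    discovered_iso    : date the breach was confirmed (starts state and HIPAA clocks)
    affected_by_state : {"CO": 1500, ...} residents affected per state
    phi               : True if protected health information was involved
    public_company    : True if the SEC disclosure rules apply
    materiality_iso   : date materiality was determined (defaults to discovery)
    """
    discovered = date.fromisoformat(discovered_iso)
    out = []
    for state, count in affected_by_state.items():
        days = STATE_CALENDAR_DAYS.get(state, DEFAULT_STATE_DAYS)
        due = (discovered + timedelta(days=days)).isoformat()
        out.append((due, f"{state}: notify {count} residents and the state attorney general"))
        if count > CREDIT_BUREAU_THRESHOLD:
            out.append((due, f"{state}: notify credit reporting agencies"))
    if phi:
        due = (discovered + timedelta(days=HIPAA_DAYS)).isoformat()
        out.append((due, "HIPAA: notify HHS OCR and affected individuals"))
    if public_company:
        start = date.fromisoformat(materiality_iso) if materiality_iso else discovered
        due = add_business_days(start, SEC_BUSINESS_DAYS).isoformat()
        out.append((due, "SEC: disclose material cybersecurity incident"))
    return sorted(out)


if __name__ == "__main__":
    # Constructed scenario: breach confirmed Friday 2024-03-01, materiality decided the following Monday.
    for due, what in deadlines("2024-03-01", {"CO": 1500, "TX": 200},
                               phi=True, public_company=True, materiality_iso="2024-03-04"):
        print(due, what)
```

The output makes the point of Step 6 visible: for a public company the SEC clock (four business days from materiality) expires weeks before any state or HIPAA deadline, so the materiality determination date must be recorded the moment it is made.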

What Qualifies as a Reportable Data Breach?

A reportable data breach occurs when personally identifiable information — such as Social Security numbers, financial account numbers, driver's license numbers, or health records — is accessed, acquired, or disclosed without authorization. Most state laws apply a "risk of harm" standard: if the breach creates a reasonable risk of identity theft or financial harm, it's reportable. Some states, like California, require notification for any breach of specified data categories regardless of the harm assessment.

Encrypted data that was breached may be exempt from notification requirements in some states, but only if the encryption keys were not also compromised. This safe harbor provision is narrower than many organizations assume.

Step 7: Document Everything and Conduct a Post-Incident Review

Every action you take from the moment you discover the breach should be documented. Timestamps, decisions, communications, forensic findings — all of it. This documentation serves three purposes.

  • Legal protection: Demonstrates due diligence if regulators or plaintiffs come calling.
  • Insurance claims: Your cyber liability carrier will want detailed records.
  • Process improvement: You can't fix what you don't measure.

The Post-Incident Review

Within 30 days of resolving the incident, conduct a formal post-incident review. What worked? What failed? Where did your incident response plan have gaps? Did your employees recognize the attack vector, or did a phishing email sail right past everyone?

If the answer to that last question makes you uncomfortable, consider enrolling your team in cybersecurity awareness training that covers real-world attack scenarios. Security awareness isn't a checkbox exercise — it's the difference between catching a threat actor at the door and finding them in your database three months later.

The Mistakes I See Organizations Make Repeatedly

After years of working breach incidents, I've identified patterns that come up again and again.

Waiting Too Long to Start the Clock

Some organizations delay their internal determination that a breach occurred to buy time on notification deadlines. Regulators see through this. The SEC, FTC, and state attorneys general have all taken enforcement actions against companies that played timing games.

Underestimating the Scope

Initial assessments almost always undercount affected individuals. The first number you come up with is almost never the final number. Plan for that. It's better to over-notify than to send a second "we discovered more people were affected" letter.

Neglecting Third-Party Notifications

If the breach occurred at a vendor or service provider, you still have notification obligations to your customers. Zero trust principles apply here: verify your vendors' security practices before a breach forces the conversation.

No Incident Response Plan

The worst time to figure out how to report a data breach is when you're actively dealing with one. Organizations with a tested incident response plan save an average of $1.49 million compared to those without one, according to IBM's research.

Build the Muscle Before You Need It

Knowing how to report a data breach is a skill you build now, not during a crisis. Document your incident response plan. Know your state notification obligations. Establish relationships with law enforcement before you need them. Train your people to recognize phishing and social engineering attacks.

The organizations that survive breaches with their reputations intact are the ones that respond transparently, quickly, and competently. That kind of response doesn't happen by accident. It happens because someone — maybe you — invested the time to prepare.

Start with your people. Phishing simulations, security awareness training, and tabletop exercises cost a fraction of what a mishandled breach costs. The preparation you do today determines whether tomorrow's breach is a manageable incident or a company-ending catastrophe.