Breach Notification
Definition
The legal requirement to notify affected individuals, regulators, or other parties when a data breach occurs. Breach notification laws exist worldwide, with varying requirements for timing, content, and recipients. Generally, you must notify regulators within a specific timeframe (72 hours under GDPR) and inform affected individuals without undue delay when the breach poses a risk to their rights and freedoms. A notification should explain what happened, what data was affected, the potential consequences, the measures taken to address the breach, and the actions recommended to affected individuals. Some jurisdictions also require notifying consumer protection authorities, attorneys general, or credit reporting agencies. Failure to provide timely, adequate breach notification can result in penalties separate from those for the breach itself. Organizations should have incident response plans that include breach notification procedures, pre-drafted notification templates, and clear decision-making protocols for determining when notification is required.
Applicable Laws & Regulations
- GDPR Article 33 - Notification of personal data breach to supervisory authority
- GDPR Article 34 - Communication of personal data breach to data subject
- State Data Breach Notification Laws - Various U.S. state requirements