What is breach notification?

Breach notification is the legal obligation to inform affected individuals, and often regulators, after personal or protected data is exposed in a security incident. The specific deadlines, thresholds, and recipients depend on which state laws and frameworks (HIPAA, DFARS, GDPR, PIPEDA, Québec Law 25) apply to the data involved.

How fast must I notify after a data breach?

It varies. Washington, Florida, Colorado, and Maine require consumer notice within 30 days; HIPAA requires individual notice no later than 60 days from discovery; GDPR Article 33 and DFARS require 72-hour reporting; SEC Item 1.05 requires an 8-K within four business days of a materiality determination. Many states require notice 'without unreasonable delay,' which Klaxon treats as the earliest applicable hard deadline.

Do I have to notify the state attorney general of a breach?

In 36 states, yes — once a breach exceeds that state's resident threshold you must notify the attorney general or a designated regulator, sometimes in a prescribed form and within a set deadline. Klaxon checks each affected state's threshold and tells you exactly which AG notices are triggered.

What is the HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule (45 CFR §§164.400–414) requires covered entities to notify affected individuals within 60 days of discovery; breaches affecting 500 or more individuals also require notice to HHS OCR and prominent media within 60 days, while smaller breaches go on an annual HHS log due within 60 days of year-end.

What is the PIPEDA and Québec Law 25 breach requirement in Canada?

Under PIPEDA, organizations must report breaches that pose a real risk of significant harm (RROSH) to the Office of the Privacy Commissioner and affected individuals as soon as feasible, and keep records of all breaches. Québec's Law 25 requires notifying the Commission d'accès à l'information (CAI) and affected individuals of incidents presenting a risk of serious injury.

Breach Notification: Requirements, Deadlines & Letters by State (2026)

What "breach notification" actually means

Breach notification is the legal duty to tell affected people — and frequently regulators — after their personal or protected data is exposed. The hard part isn't the duty; it's that the duty is defined separately by every US state, by HIPAA, by DoD acquisition rules, by the EU, and by Canada, each with its own trigger, threshold, deadline, recipient, and required content. A single incident touching residents of a dozen states plus PHI can generate twenty-plus distinct obligations on overlapping clocks.

The deadline landscape (2026)

Regime	Deadline	Notify
WA / FL / CO / ME state laws	30 days	Residents (+ AG over threshold)
Most other states	"without unreasonable delay"	Residents; 36 states also the AG
HIPAA — individuals	≤ 60 days	Affected individuals
HIPAA — 500+ breach	≤ 60 days	HHS OCR + prominent media
GDPR Article 33	72 hours	Supervisory authority
DFARS 252.204-7012	72 hours	DoD via DIBNet
SEC Item 1.05	4 business days	SEC (8-K), after materiality
CIRCIA (covered entities)	72h / 24h	CISA (incident / ransom payment)
PIPEDA (Canada)	"as soon as feasible"	OPC + individuals (RROSH)
Québec Law 25	"with diligence"	CAI + individuals

Decision-support, not legal advice. Verify with counsel and the current statute before notifying.

The three questions every breach raises

1. Who do I have to tell? Affected individuals always; the state AG in 36 states over a threshold; HHS and the media for large HIPAA breaches; DoD for CUI; an EU supervisory authority for EU residents; the OPC and CAI in Canada. Klaxon's engine resolves this from the data types and per-state resident counts you enter.

2. By when? The clock usually starts at discovery, not at the breach itself — and the earliest applicable deadline governs. Klaxon runs a live countdown on every obligation from the legally correct trigger.

3. In what form? Many states and HIPAA prescribe required content: a description of what happened, the data involved, steps individuals can take, contact information, and — where SSN or financial data is involved — offered credit monitoring (mandated in some states). Klaxon's letter generator assembles jurisdiction-correct letters with the required statutory fields and flags anything missing.

Substitute notice and credit monitoring

When direct notice is infeasible — too many people, no contact info, or cost above a state's threshold — most state laws permit substitute notice: email, a conspicuous website posting, and statewide media. Several states (e.g. Connecticut, California for certain breaches) require offering free credit monitoring when SSNs or financial data are exposed. Klaxon analyzes substitute-notice eligibility and the credit-monitoring requirement automatically.

Why most tools can't help here

Engineering incident tools — incident.io, PagerDuty, FireHydrant, Rootly — are built for Slack war-rooms and on-call, and have zero notification-law awareness. The enterprise privacy platforms that do this well (RadarFirst, BreachRx) are sales-led and cost five to six figures. Klaxon is the first SMB-priced product to put the notification-law engine and the operational incident response in one place. See how it fits a full IR plan →

Breach notification, decoded

What "breach notification" actually means

The deadline landscape (2026)

The three questions every breach raises

Substitute notice and credit monitoring

Why most tools can't help here

Answer "who, by when, in what form" in 30 seconds.