ELI5: What is Data Breach Notification?
If a store loses your family’s credit card info, they have to tell you about it quickly so you can protect yourself. Data breach notification laws say companies must let people know when their private information gets stolen.
Definition
Data breach notification laws and regulations require organizations that experience unauthorized access to personal or sensitive data to notify affected individuals, regulatory authorities, and in some cases the public, within a specified timeframe. These requirements exist under GDPR (72 hours to supervisory authorities), HIPAA (60 days to HHS and affected individuals for breaches affecting 500+ individuals), and numerous US state laws (many require notification within 30–45 days).
Key Details
- GDPR: 72 hours to notify the supervisory authority; notification to individuals “without undue delay” for high-risk breaches
- HIPAA: 60 days to notify HHS, affected individuals, and (for 500+ affected) prominent media in the state
- US state laws (e.g., California CCPA) have their own notification requirements and timelines
- Notification content typically must include: what happened, what data was affected, what actions are being taken, and whom to contact
- Exam tip: 72 hours is the GDPR supervisory-authority notification window; this is a commonly tested fact on Security+