Data Breach Notification
The legal obligation to inform individuals and regulators when their personal data has been exposed through a security incident.
Also known as: breach notification, GDPR breach notification
Last reviewed: 10 June 2026
Data breach notification laws require organisations that suffer a breach of personal data to notify affected individuals and, in most jurisdictions, the relevant regulator within specified time windows. Under the UK GDPR and EU GDPR, organisations must report a breach to their supervisory authority within 72 hours of becoming aware, and must notify affected individuals 'without undue delay' when the breach is likely to result in high risk to their rights and freedoms.
In the US, there is no single federal breach notification law, but all 50 states have enacted statutes with varying timelines, triggers, and content requirements. Some sectors (health under HIPAA, financial services under the FTC Safeguards Rule) have additional federal requirements. The most demanding state laws require notification within 30 days and specify the content that must be included.
For consumers, breach notifications are a critical trigger for preventive action: checking whether your email, password, payment details, or Social Security number was exposed, placing a credit freeze or fraud alert, changing passwords, and monitoring accounts for unauthorised activity. Free dark-web monitoring services and tools like HaveIBeenPwned.com can supplement official notifications.
Examples
- A retailer suffers a point-of-sale malware attack exposing 2 million card numbers; it notifies the ICO within 72 hours and customers within five days.
- A healthcare provider notifies patients under HIPAA within 60 days of discovering that a misconfigured server exposed their medical records.