What "breach notification" actually means
Breach notification is the legal duty to tell affected people — and frequently regulators — after their personal or protected data is exposed. The hard part isn't the duty; it's that the duty is defined separately by every US state, by HIPAA, by DoD acquisition rules, by the EU, and by Canada, each with its own trigger, threshold, deadline, recipient, and required content. A single incident touching residents of a dozen states plus PHI can generate twenty-plus distinct obligations on overlapping clocks.
The deadline landscape (2026)
| Regime | Deadline | Notify |
|---|---|---|
| WA / FL / CO / ME state laws | 30 days | Residents (+ AG over threshold) |
| Most other states | "without unreasonable delay" | Residents; 36 states also the AG |
| HIPAA — individuals | ≤ 60 days | Affected individuals |
| HIPAA — 500+ breach | ≤ 60 days | HHS OCR + prominent media |
| GDPR Article 33 | 72 hours | Supervisory authority |
| DFARS 252.204-7012 | 72 hours | DoD via DIBNet |
| SEC Item 1.05 (in force) | 4 business days | SEC (8-K), after materiality determination |
| CIRCIA, covered entities (proposed) | 72 h / 24 h | CISA (incident / ransom payment) |
| HIPAA 72-hour report (proposed) | 72 hours | NPRM only; not a current filing duty |
| PIPEDA (Canada) | "as soon as feasible" | OPC + individuals (RROSH) |
| Québec Law 25 | "with diligence" | CAI + individuals |
Decision-support, not legal advice. Verify with counsel and the current statute before notifying. Klaxon labels rules that are not yet enforceable as proposed: CIRCIA and the proposed HIPAA 72-hour report appear for planning but are not a current filing duty; SEC Item 1.05 is in force.
What changed in 2026: post-individual AG clocks
Two state laws took effect 2026-01-01 and moved the attorney-general clock so it runs after individuals are notified rather than from discovery. Klaxon encodes both as current law:
- California SB 446. Consumer notice is a fixed 30 calendar days from discovery; the AG sample is due 15 days after individuals are notified, when 500+ California residents are affected.
- Oklahoma SB 626. Broadened the definition of personal information (government IDs, electronic financial-account credentials, biometric data); the AG notice is due 60 days after individuals are notified, when 500+ Oklahoma residents are affected.
Record the actual individual-notice date and Klaxon anchors the AG deadline to it; until that date is entered it shows a conservative fallback, clearly marked as such.
How the deadlines are counted
Some clocks count business days, not calendar days. Klaxon's business-day math skips weekends and observed U.S. federal holidays; it is computed offline so it stays deterministic during an incident, when your network may be down, and it matches how the SEC counts "4 business days." Most state and HIPAA deadlines are calendar days; 72-hour clocks (DFARS, GDPR, CIRCIA) run straight through weekends and holidays.
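The three kinds of clock in the table (business days, calendar days, straight hours) behave differently around a holiday weekend. The following is an added worked example, not Klaxon's code: it computes the observed U.S. federal holidays offline from the statutory rules (fixed-date holidays move to Friday or Monday when they fall on a weekend, floating ones are the n-th weekday of their month), counts SEC-style business days over them, and picks the earliest governing deadline. The regime names, the `RULES` table and the trigger time are assumptions for illustration; the holiday rules are the federal observance rules.

```python
from datetime import date, datetime, time, timedelta, timezone

# Clock rules taken from the deadline table above; each value is (unit, amount).
# Regime labels are illustrative shorthand, not statutory names.
RULES = {
    "SEC Item 1.05": ("business_days", 4),        # from the materiality determination
    "GDPR Art. 33": ("hours", 72),                # runs through weekends and holidays
    "DFARS 252.204-7012": ("hours", 72),
    "WA/FL/CO/ME state law": ("calendar_days", 30),
    "HIPAA individuals": ("calendar_days", 60),
}


def _nth_weekday(year, month, weekday, n):
    """n-th given weekday (Monday=0) of a month, e.g. 4th Thursday of November."""
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))


def _last_weekday(year, month, weekday):
    """Last given weekday of a month, e.g. last Monday of May."""
    last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def _observed(d):
    """Federal observance rule: a Saturday holiday is observed Friday, a Sunday one Monday."""
    if d.weekday() == 5:
        return d - timedelta(days=1)
    if d.weekday() == 6:
        return d + timedelta(days=1)
    return d


def federal_holidays(year):
    """Observed dates of the 11 U.S. federal holidays, derived with no network access."""
    fixed = [date(year, 1, 1), date(year, 6, 19), date(year, 7, 4),
             date(year, 11, 11), date(year, 12, 25)]
    floating = [
        _nth_weekday(year, 1, 0, 3),    # Birthday of Martin Luther King, Jr.
        _nth_weekday(year, 2, 0, 3),    # Washington's Birthday
        _last_weekday(year, 5, 0),      # Memorial Day
        _nth_weekday(year, 9, 0, 1),    # Labor Day
        _nth_weekday(year, 10, 0, 2),   # Columbus Day
        _nth_weekday(year, 11, 3, 4),   # Thanksgiving Day
    ]
    return {_observed(d) for d in fixed} | set(floating)


def add_business_days(start, n):
    """Count n business days forward from start, skipping weekends and observed holidays.
    Next year's holidays are included because New Year's Day can be observed on
    31 December of the current year."""
    holidays = federal_holidays(start.year) | federal_holidays(start.year + 1)
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            remaining -= 1
    return d


def deadline(regime, trigger):
    """Deadline for one regime from its trigger (a timezone-aware datetime).
    Hour clocks return a datetime; day clocks return the date on which the period ends."""
    unit, amount = RULES[regime]
    if unit == "hours":
        return trigger + timedelta(hours=amount)
    if unit == "calendar_days":
        return trigger.date() + timedelta(days=amount)
    if unit == "business_days":
        return add_business_days(trigger.date(), amount)
    raise ValueError(unit)


def _as_datetime(x):
    # A date-valued deadline is treated as expiring at the end of that day (UTC).
    if isinstance(x, datetime):
        return x
    return datetime.combine(x, time(23, 59, 59), tzinfo=timezone.utc)


def earliest_deadline(regimes, trigger):
    """The obligation closest to expiring governs; returns (regime, deadline)."""
    return min(((r, deadline(r, trigger)) for r in regimes),
               key=lambda pair: _as_datetime(pair[1]))


if __name__ == "__main__":
    # Constructed trigger: the afternoon before Thanksgiving 2026 (26 Nov is a holiday).
    trigger = datetime(2026, 11, 25, 16, 0, tzinfo=timezone.utc)
    for regime in RULES:
        print(f"{regime:24s} {deadline(regime, trigger)}")
    print("governing:", earliest_deadline(list(RULES), trigger))
```

With that trigger the 4-business-day SEC clock lands on 2 December (Thanksgiving, Friday-after-is-a-workday, then the weekend), while the 72-hour GDPR and DFARS clocks expire on Saturday 28 November and are the obligations that govern. `add_business_days` deliberately takes holidays for the following year as well, so a Thursday 30 December 2027 trigger skips Friday 31 December (the observed New Year's Day 2028) and the weekend and lands on Monday 3 January.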
The three questions every breach raises
1. Who do I have to tell? Affected individuals always; the state AG in 36 states over a threshold; HHS and the media for large HIPAA breaches; DoD for CUI; an EU supervisory authority for EU residents; the OPC and CAI in Canada. Klaxon's engine resolves this from the data types and per-state resident counts you enter.
2. By when? The clock usually starts at discovery, not at the breach itself, and the earliest applicable deadline governs. Klaxon runs a live countdown on every obligation from the legally correct trigger, stages each one through a T-48h / T-24h / T-4h / overdue reminder cascade so the obligation you're closest to missing is always in front of you, and seals the whole timeline in a tamper-evident hash chain so the record holds up afterward.
3. In what form? Many states and HIPAA prescribe required content: a description of what happened, the data involved, steps individuals can take, contact information, and — where SSN or financial data is involved — offered credit monitoring (mandated in some states). Klaxon's letter generator assembles jurisdiction-correct letters with the required statutory fields and flags anything missing.
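A tamper-evident timeline of the kind item 2 describes only holds up afterward if every entry commits to the one before it, so that a backdated discovery time or a deleted entry changes every later hash. The following is an added example, not Klaxon's implementation: each event is serialized canonically and hashed together with its sequence number and the previous hash, and `verify_chain` reports the first entry that no longer matches. The event timestamps, actors and actions are constructed sample data.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one


def _canonical(body):
    # Deterministic serialization: the same entry must always hash the same way
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_event(chain, event):
    """Append one timeline event; its hash covers the event, its position and the previous hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "event": event}
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    chain.append({**body, "hash": digest})
    return digest


def verify_chain(chain):
    """Return (True, None) if the chain is intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample_timeline():
    """Constructed incident timeline; dates are chosen to fit the California clocks above
    (individual notice within 30 days of discovery, AG sample within 15 days after that)."""
    chain = []
    for ts, actor, action in [
        ("2026-03-02T09:14:00Z", "soc-analyst", "discovery: anomalous export from HR file share"),
        ("2026-03-03T17:40:00Z", "ir-lead", "scope set: 1,240 CA residents, SSNs involved"),
        ("2026-03-27T10:00:00Z", "privacy-counsel", "individual notices mailed"),
        ("2026-04-08T15:30:00Z", "privacy-counsel", "AG sample notice submitted"),
    ]:
        append_event(chain, {"ts": ts, "actor": actor, "action": action})
    return chain


def backdate_discovery(chain, new_ts):
    """Simulate an after-the-fact edit to the discovery record (returns a modified copy)."""
    edited = copy.deepcopy(chain)
    edited[0]["event"]["ts"] = new_ts
    return edited


def drop_entry(chain, index):
    """Simulate removal of an entry from the middle of the record (returns a modified copy)."""
    edited = copy.deepcopy(chain)
    del edited[index]
    return edited


if __name__ == "__main__":
    timeline = build_sample_timeline()
    print("head hash:", timeline[-1]["hash"])
    print("intact:", verify_chain(timeline))
    print("backdated:", verify_chain(backdate_discovery(timeline, "2026-03-05T09:14:00Z")))
    print("entry removed:", verify_chain(drop_entry(timeline, 1)))
```

The chain on its own only proves that entries were not altered after they were hashed; to prove the record was not rewritten wholesale, the head hash has to be recorded somewhere the incident team cannot quietly change, for example sent to outside counsel or written to an append-only log at each milestone. The `seq` field is what catches a silently removed entry: after deleting index 1, the entry now sitting at index 1 still carries `seq` 2.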
Substitute notice and credit monitoring
When direct notice is infeasible — too many people, no contact info, or cost above a state's threshold — most state laws permit substitute notice: email, a conspicuous website posting, and statewide media. Several states (e.g. Connecticut, California for certain breaches) require offering free credit monitoring when SSNs or financial data are exposed. Klaxon analyzes substitute-notice eligibility and the credit-monitoring requirement automatically.
Why most tools can't help here
Engineering incident tools — incident.io, PagerDuty, FireHydrant, Rootly — are built for Slack war-rooms and on-call, and have zero notification-law awareness. The enterprise privacy platforms that do this well (RadarFirst, BreachRx) are sales-led and cost five to six figures. Klaxon is the first SMB-priced product to put the notification-law engine and the operational incident response in one place.