Obligation clocks
How Klaxon turns your incident facts into the exact set of notification obligations and deadlines — and how the live clocks, business-day math, proposed-vs-final labels, the reminder cascade, and filing status all work.
- The deterministic-law firewall
- How deadlines are computed
- The clock anchor (discovery)
- What's covered: 52 jurisdictions + 7 frameworks
- AG / agency thresholds
- Post-individual AG clocks (CA SB 446 / OK SB 626)
- Business-day math + federal holidays
- Proposed vs in-force (final) labeling
- The live countdown states
- The reminder cascade (T-48 / 24 / 4h / overdue)
- Filing-status capture
- Substitute-notice + credit-monitoring helpers
- Export to calendar (.ics)
The deterministic-law firewall
Every deadline, every "who to notify," and every required letter element comes from a deterministic rules engine reading a versioned jurisdiction dataset — never from an AI model and never with any randomness. The same facts always produce the same obligations. This is the "deterministic-law firewall": law comes from data, not from a model. (The optional AI copilot can only write prose; it can never set or change a legal deadline.)
How deadlines are computed
When you click Update facts & recompute (or compute in the Notification Engine), the engine does the following:
- Reads the clock anchor. It parses your Discovered at time as the trigger for most obligations.
- Walks the framework rules. For each framework (HIPAA, DFARS, GDPR, PIPEDA, Québec, SEC, CIRCIA), if the matching flag is set, it adds that framework's obligations — applying any count thresholds (for example, HIPAA's 500+ split for HHS notice and media notice).
- Walks the state rules. For each state where you entered an affected count above zero, it adds that state's individual notice, then adds the AG / agency notice if the state's threshold is met.
- Computes each deadline. Depending on the rule it adds a number of calendar days, a number of business days (holiday-aware), a number of hours, or a fixed date — or leaves it open ("without undue delay") when the law sets no fixed date.
- Sorts the result with the soonest dated deadline first and the open-ended ones last, so the most urgent obligation is at the top.
The output is the obligation table you see, each row carrying its recipient, deadline, basis (calendar / business / hours), legal citation, and a live countdown.
The clock anchor (discovery)
The Discovered at field is the anchor for most clocks. A few rules anchor differently, and Klaxon reflects that:
| Obligation | Anchored from |
|---|---|
| Most state individual + AG notices, HIPAA, GDPR, DFARS, PIPEDA, Québec, CIRCIA | Discovery (your Discovered at time). |
| SEC Form 8-K Item 1.05 | The materiality determination — 4 business days from when you determine the incident is material, not from discovery. (You set the anchor by treating Discovered at as the materiality date for the SEC clock.) |
| California / Oklahoma AG (SB 446 / SB 626) | The date you notified that state's residents — see post-individual AG clocks. |
| HIPAA under-500 annual log | A fixed date: roughly March 1 of the following year (60 days after year-end). |
What's covered: 52 jurisdictions + 7 frameworks
The dataset ships all 50 U.S. states plus the District of Columbia and Puerto Rico (52 U.S. jurisdictions), and seven frameworks. Each framework is gated by a flag on the incident:
| Framework | Flag | Key obligations |
|---|---|---|
| HIPAA Breach Notification Rule | HIPAA / PHI | Individuals (60 days); HHS OCR (500+: 60 days, under-500: annual log ~Mar 1); prominent media per state with 500+; plus a proposed 72-hour reporting item (see below). |
| DFARS 252.204-7012 | DFARS / CUI | Rapid report to DoD via DIBNet within 72 hours; preserve images / evidence for 90 days. |
| GDPR (EU) Art. 33 & 34 | GDPR / EU residents | Supervisory authority within 72 hours; data subjects without undue delay when high-risk. |
| PIPEDA (Canada, federal) | PIPEDA / Canada | Report to the OPC and notify individuals as soon as feasible on real risk of significant harm; keep records 24 months. |
| Québec Law 25 | Québec Law 25 | Notify the CAI and affected individuals with diligence on risk of serious injury; maintain an incident register. |
| SEC Form 8-K Item 1.05 | (SEC registrant) | File within 4 business days of a materiality determination. In force. |
| CIRCIA (CISA) | (CIRCIA covered) | 72-hour incident / 24-hour ransom-payment reports. Proposed — see below. |
For every state where you entered an affected count, you always get that state's individual notice; if the count meets the state's AG threshold you also get the AG / agency notice. State deadlines range from a fixed number of days (e.g. Florida and Washington 30 days, several states 45 days, Texas 60) to "without unreasonable delay" with no fixed date.
AG / agency thresholds
States differ widely on when the attorney general (or another agency) must be notified. Klaxon only adds the AG obligation when your per-state count meets that state's threshold. A few illustrative examples:
| State | AG / agency threshold | Recipient |
|---|---|---|
| California | 500+ residents | California Attorney General (electronic sample) |
| Texas | 250+ residents | Texas Attorney General (online form) |
| Connecticut / Indiana / Louisiana / Maryland / many SHIELD-style states | 1+ resident (always) | That state's AG (and sometimes additional bodies) |
| District of Columbia | 50+ residents | DC Attorney General |
| North Dakota / Oregon / South Dakota | 250+ residents | That state's AG |
So 250 California residents produces a CA individual notice but no CA AG notice (below 500), while 700 Texas residents produces both a TX individual notice and a TX AG notice (above 250). The citation on each AG row records the threshold that tripped it.
Post-individual AG clocks (CA SB 446 / OK SB 626)
Two 2026 laws moved the AG clock so it runs after individuals are notified, not from discovery:
- California SB 446 (eff. 2026-01-01): consumer notice is a fixed 30 calendar days from discovery; the AG sample is due 15 days after individuals are notified, when 500+ CA residents are affected.
- Oklahoma SB 626 (eff. 2026-01-01): broadened the personal-information definition (government IDs, electronic financial-account credentials, biometric data); the AG notice is due 60 days after individuals are notified, when 500+ OK residents are affected.
Klaxon anchors the AG clock according to whether you have recorded the actual notice date:
| Have you recorded the real notice date? | What Klaxon does | Row pill |
|---|---|---|
| Yes (entered in the per-state notice-date field) | AG deadline = your recorded notice date + the statutory days (CA +15, OK +60). | from actual notice date |
| No (not yet recorded) | AG deadline is anchored to the individual-notice deadline — the latest lawful date the clock could start — which is the conservative latest AG due date. | fallback — record notice date |
Record the actual date as soon as notices go out (see Per-state individual-notice dates) so the AG deadline reflects the real clock rather than the conservative placeholder.
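The anchoring rule in the table above, as an added sketch (not Klaxon's own code). The function names and the constructed dates are assumptions; the day counts, thresholds and pill text are the ones stated on this page.

```python
from datetime import date, timedelta

# From this page: (days after individual notice, AG threshold) per state.
POST_NOTICE_AG = {"CA": (15, 500), "OK": (60, 500)}
CA_INDIVIDUAL_DAYS = 30  # SB 446: consumer notice, calendar days from discovery

def ag_deadline(state, affected, individual_deadline, actual_notice=None):
    """Return (due_date, pill) for the AG row, or None below the threshold.

    individual_deadline: latest lawful date for the state's individual notice.
    actual_notice: the date notices really went out, if it has been recorded.
    """
    ag_days, threshold = POST_NOTICE_AG[state]
    if affected < threshold:
        return None
    if actual_notice is not None:
        return actual_notice + timedelta(days=ag_days), "from actual notice date"
    # No recorded date: anchor to the latest date the clock could start.
    return (individual_deadline + timedelta(days=ag_days),
            "fallback — record notice date")

def ca_rows(discovered, affected, actual_notice=None):
    """California rows (hypothetical shape): individual notice, then AG sample."""
    individual_due = discovered + timedelta(days=CA_INDIVIDUAL_DAYS)
    rows = [("CA individuals", individual_due, None)]
    ag = ag_deadline("CA", affected, individual_due, actual_notice)
    if ag:
        rows.append(("CA Attorney General", ag[0], ag[1]))
    return sorted(rows, key=lambda r: r[1])   # soonest deadline first

if __name__ == "__main__":
    discovered = date(2026, 3, 2)             # constructed discovery date
    for notice in (None, date(2026, 3, 20)):  # before / after recording
        for row in ca_rows(discovered, 700, notice):
            print(notice, row)
```

With the constructed dates, the fallback row shows 2026-04-16 while the real AG due date after notices went out on 2026-03-20 is 2026-04-04, which is why the fallback is only a placeholder.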
Business-day math + federal holidays
Some clocks are counted in business days, not calendar days. Klaxon's business-day math skips weekends and observed U.S. federal holidays, computed (never fetched) so the math is deterministic and works offline. It matches how the SEC counts "4 business days," for example.
Holidays accounted for, with the Saturday→Friday / Sunday→Monday observance shift for the fixed-date ones:
| Fixed-date (observance-shifted) | Floating |
|---|---|
| New Year's Day · Juneteenth · Independence Day · Veterans Day · Christmas Day | MLK Day (3rd Mon Jan) · Washington's Birthday (3rd Mon Feb) · Memorial Day (last Mon May) · Labor Day (1st Mon Sep) · Columbus Day (2nd Mon Oct) · Thanksgiving (4th Thu Nov) |
Which obligations use business days vs calendar days:
| Basis | Examples |
|---|---|
| Business days (weekends + holidays skipped) | SEC 8-K Item 1.05 (4 business days). The engine also supports business-day bases for rules like Iowa's AG (5 business days after consumer notice) and Vermont's 14-business-day preliminary AG notice where the dataset marks them. |
| Calendar days (every day counts, including weekends/holidays) | Most state individual / AG notices, HIPAA (60 days), DFARS (72 hours — runs through weekends/holidays), GDPR (72 hours), CIRCIA hours. |
| Hours | DFARS 72h, GDPR 72h, CIRCIA 72h incident / 24h ransom. |
| Fixed date | HIPAA under-500 annual log (~March 1 next year). |
| Open (no fixed date) | "Without unreasonable delay" states; GDPR Art. 34 data-subject notice; PIPEDA / Québec "as soon as feasible." |
If a deadline looks a day off from a naive count, it's almost always business-day math or a holiday skip working correctly. See the FAQ on business-day vs calendar.
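A computed (never fetched) holiday calendar and business-day adder of the kind described above, as an added example rather than Klaxon's implementation. Function names are assumptions, and counting is assumed to start the day after the anchor; the sample anchor is constructed to show a deadline that differs from a naive weekday count.

```python
from datetime import date, timedelta

def nth_weekday(year, month, weekday, n):
    """n-th weekday (Mon=0) of a month; n=-1 means the last one."""
    if n > 0:
        first = date(year, month, 1)
        return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))
    last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)

def observed(d):
    """Saturday holidays shift to Friday, Sunday holidays to Monday."""
    if d.weekday() == 5:
        return d - timedelta(days=1)
    if d.weekday() == 6:
        return d + timedelta(days=1)
    return d

def federal_holidays(year):
    """Observed U.S. federal holidays in (or adjacent to) `year`."""
    fixed = [(1, 1), (6, 19), (7, 4), (11, 11), (12, 25)]
    days = {observed(date(year, m, d)) for m, d in fixed}
    # A Saturday New Year's Day is observed on Dec 31 of the previous year.
    days.add(observed(date(year + 1, 1, 1)))
    # (month, weekday, n): MLK, Washington, Memorial, Labor, Columbus, Thanksgiving
    floating = [(1, 0, 3), (2, 0, 3), (5, 0, -1), (9, 0, 1), (10, 0, 2), (11, 3, 4)]
    return days | {nth_weekday(year, m, wd, n) for m, wd, n in floating}

def is_business_day(d):
    return d.weekday() < 5 and d not in federal_holidays(d.year)

def add_business_days(start, n):
    """Assumption: counting starts the day after `start`."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        n -= is_business_day(d)
    return d

def naive_weekdays(start, n):
    """Weekend-only count, for comparison with the holiday-aware result."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        n -= d.weekday() < 5
    return d

# Constructed case: anchor on Wed 2026-07-01; July 4 falls on a Saturday.
if __name__ == "__main__":
    print(add_business_days(date(2026, 7, 1), 4), naive_weekdays(date(2026, 7, 1), 4))
```

The holiday-aware result is one day later than the naive one because Independence Day 2026 is observed on Friday, July 3.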
Proposed vs in-force (final) labeling
Some rules are not yet enforceable. Klaxon labels them clearly with a PROPOSED pill and a hover note, so you never file on a rule that isn't in force:
| Item | Status | What it means |
|---|---|---|
| HIPAA 72-hour incident report | Proposed only | The HIPAA Security Rule NPRM (Jan 2025) would add a 72-hour reporting duty. No final rule as of mid-2026. It does not replace the authoritative 60-day individual / HHS / media deadlines. Shown for planning; do not file on this basis. |
| CIRCIA (72h incident / 24h ransom) | Proposed | CISA's final rule is pending (~2026, likely to slip). The numbers are expected to hold but are not yet binding. Plan against them; do not treat them as a current filing duty. |
| SEC Item 1.05 | In force | Confirmed in force: 4 business days from materiality. No proposed pill. |
| CA SB 446 / OK SB 626 | In force (eff. 2026-01-01) | Treated as current law; they drive the post-individual AG clocks above. |
Proposed obligations still appear in the table (so you can plan), but the pill and the citation note make clear they are not a current filing duty.
The live countdown states
Each dated obligation shows a live, ticking monospace countdown that recolors by urgency:
| Color | State | Means |
|---|---|---|
| ● red (pulsing) | Overdue | The deadline has passed. |
| ● amber | Approaching | Within 48 hours of the deadline. |
| ● green | Clear | More than 48 hours out, or marked filed. |
| ● grey | Open | No fixed deadline — "without undue delay." |
The clock updates every second while the incident is open. The incident list also shows an "(N overdue)" badge counting un-filed overdue obligations per incident.
The reminder cascade (T-48 / 24 / 4h / overdue)
Above the obligation table, the Reminder cascade banner headlines the obligations you are closest to missing. It computes, for each dated obligation, which cascade stage it is in right now — purely from the deadline and the clock, locally, with no network:
| Stage | Window |
|---|---|
| T-48h | Within 48 hours of the deadline |
| T-24h | Within 24 hours |
| T-4h | Within 4 hours |
| Overdue | Past the deadline |
- The banner shows summary chips (e.g. "2 overdue · 1 within 4h") and names the single most-urgent obligation with its countdown.
- Obligations you've marked filed are excluded from the cascade.
- When no obligation is within 48 hours, the banner says so — the cascade is dormant.
This local preview is exactly the data an opt-in scheduled push runner would send to email / Slack / Teams / webhook — but the computation itself never needs the network, so your deadline math works offline.
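A local stage computation like the one described, as an added example that is not Klaxon's code. The obligation records, the clock value and the tie-breaking choice (earliest deadline is the most urgent) are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

WINDOWS = [("T-4h", timedelta(hours=4)), ("T-24h", timedelta(hours=24)),
           ("T-48h", timedelta(hours=48))]   # tightest window first

def stage(deadline, now):
    """Cascade stage for one dated obligation, or None when over 48h out."""
    remaining = deadline - now
    if remaining < timedelta(0):
        return "Overdue"
    for name, window in WINDOWS:
        if remaining <= window:
            return name
    return None

def cascade(obligations, now):
    """Summarise un-filed, dated obligations by stage and pick the most urgent."""
    staged = []
    for ob in obligations:
        if ob.get("filed") or ob["deadline"] is None:   # filed or open-ended
            continue
        s = stage(ob["deadline"], now)
        if s:
            staged.append((ob["deadline"], ob["name"], s))
    staged.sort()   # assumption: earliest deadline is the most urgent
    counts = {}
    for _, _, s in staged:
        counts[s] = counts.get(s, 0) + 1
    return {"counts": counts,
            "most_urgent": staged[0][1] if staged else None,
            "dormant": not staged}

# Constructed clock and obligations; pure arithmetic, no network access.
NOW = datetime(2026, 7, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"name": "GDPR supervisory authority", "deadline": NOW - timedelta(hours=2)},
    {"name": "DFARS DIBNet report", "deadline": NOW + timedelta(hours=3)},
    {"name": "SEC 8-K Item 1.05", "deadline": NOW + timedelta(hours=30)},
    {"name": "TX AG notice", "deadline": NOW + timedelta(hours=10), "filed": True},
    {"name": "GDPR Art. 34 data subjects", "deadline": None},
    {"name": "HIPAA individuals", "deadline": NOW + timedelta(days=40)},
]

if __name__ == "__main__":
    print(cascade(SAMPLE, NOW))
```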
Filing-status capture
When you've filed or submitted a notice, record it so the clock stops nagging you:
- In the obligation table, click Mark filed on that row.
- The countdown changes to "submitted" (green), the row drops out of the reminder cascade and the overdue count, and a timeline event records the filing.
Filing status flows into the PIR (FILED / OUTSTANDING per obligation) and the auditor bundle (filed / outstanding), giving auditors and carriers a clean picture of what was filed and when.
Substitute-notice + credit-monitoring helpers
In the Notification Engine tab, alongside the obligation table, two helpers appear:
- Substitute notice. Many states allow substitute notice (website posting + statewide media + a toll-free line, or email) instead of direct mail when direct notice is infeasible or the affected-count / cost exceeds a statutory threshold. Klaxon lists which affected states' thresholds are met and the package you must produce. To test cost thresholds, you can supply an estimated notice cost in the incident facts.
- Credit monitoring. When SSN / financial / payment data is involved and you have residents in states that mandate it (e.g. California, Connecticut, Delaware, Massachusetts, DC), Klaxon flags that you must offer free credit monitoring / identity protection, and a ready clause is available in the individual and substitute letter templates.
Export to calendar (.ics)
- Open the Notification Engine tab (or compute from an incident's facts).
- Click Export deadlines (.ics).
- Klaxon writes a calendar file with one event per dated obligation (summary = the obligation, description = recipient + citation). Import it into your calendar so the deadlines appear alongside everything else.
Open-ended ("without undue delay") obligations have no fixed date, so they are not written to the calendar — track those manually.