Breach Notification Requirements: What Your Business Must Do After a Data Breach
A practical guide to state and federal breach notification laws, timelines, and how to stay compliant.
You have just discovered that your business has been breached. Customer data may have been exposed. The clock is ticking, and every decision you make in the next few hours and days will have legal, financial, and reputational consequences. Do you know exactly what you are required to do?
Most small business owners do not. And that lack of preparation can turn a manageable incident into a devastating one. Every U.S. state has breach notification laws, and depending on your industry, you may face additional federal requirements. This guide explains what those requirements are, how to comply with them, and how to manage the process without losing your mind.
What Triggers a Breach Notification Obligation
Not every security incident requires notification. The obligation is typically triggered when there is unauthorized access to or acquisition of unencrypted personal information that creates a reasonable risk of harm to the affected individuals.
The key terms to understand are:
Personal information — most states define this as a combination of a name plus a sensitive data element such as a Social Security number, driver’s license number, financial account number, or medical information. Some states have expanded this definition to include email addresses with passwords, biometric data, and even geolocation data.
Unauthorized access — the data must have been accessed or acquired by someone who was not authorized to have it. If encrypted data is stolen but the encryption key was not compromised, many states consider this a safe harbor, meaning notification may not be required.
Risk of harm — some states require notification only if the breach poses a reasonable risk of harm to affected individuals. Others require notification regardless of the risk level.
State-by-State Notification Requirements
All 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands have breach notification laws. While they share common elements, the specifics vary significantly. Here are the most important variables:
Notification Timelines
This is where state laws differ the most. Some states set a fixed number of days from discovery, while others only require prompt notice with no numeric deadline. Examples:
Colorado — 30 days from discovery
Florida — 30 days from discovery
Washington — 30 days from discovery
Connecticut — 60 days from discovery
New York — “as expeditiously as possible” with no specific deadline
California — “in the most expedient time possible and without unreasonable delay”
If your business serves customers in multiple states, you must comply with the notification requirements of each state where affected individuals reside. This can mean meeting the most aggressive timeline across all applicable jurisdictions.
Who Must Be Notified
Depending on the state, you may need to notify:
Affected individuals — required in all states
State attorney general — required in most states, often with specific thresholds (for example, California requires AG notification when more than 500 residents are affected)
Consumer reporting agencies — required in some states when the breach affects a large number of individuals (typically 500 or 1,000 or more)
State regulators — some industries require notification to specific regulatory bodies
Notification Content
Most states specify what the notification must include:
A description of the incident
The types of personal information involved
Steps the business is taking in response
Contact information for the business
Recommendations for the affected individual (such as monitoring credit reports)
Contact information for the state attorney general and Federal Trade Commission
Federal Notification Requirements
In addition to state laws, several federal regulations impose breach notification requirements on specific industries:
HIPAA (Healthcare)
Covered entities (providers, health plans, and clearinghouses) must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured protected health information (PHI); business associates must notify the covered entity within the same window so the covered entity can meet its own deadline. Breaches affecting 500 or more individuals must also be reported to the Department of Health and Human Services within that 60-day window, and breaches affecting more than 500 residents of a single state or jurisdiction must be announced to prominent media outlets serving that area. Smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
Gramm-Leach-Bliley Act (Financial Services)
Financial institutions must notify affected customers as soon as possible after discovering a breach involving customer financial information. For non-bank financial institutions under FTC jurisdiction, the amended Safeguards Rule also requires notifying the FTC as soon as possible and no later than 30 days after discovering a notification event that involves the unencrypted information of 500 or more consumers.
SEC Requirements (Publicly Traded Companies)
Publicly traded companies must disclose material cybersecurity incidents under Item 1.05 of Form 8-K within four business days of determining that the incident is material. The clock runs from the materiality determination, not from discovery, but that determination must itself be made without unreasonable delay.
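The multi-state rule above (meet the most aggressive deadline across every jurisdiction where affected individuals reside) and the regulator thresholds in the earlier section are easy to state and easy to get wrong under pressure. The tracker below is an added example, not part of this guide: given a discovery date and a per-state count of affected residents, it computes the earliest fixed deadline, flags states that owe prompt notice with no day count, and lists the regulator notices the thresholds on this page trigger. Its lookup table is deliberately restricted to the figures quoted in this guide (Colorado, Florida and Washington at 30 days; Connecticut at 60; New York and California with no fixed count; California AG above 500 residents; HIPAA at 60 days with HHS and media at 500 or more; SEC at four business days) and is illustrative only; verify every entry against the current statute before relying on it. It also makes two simplifying assumptions, both marked in comments: the business-day count ignores federal holidays, and the HIPAA media threshold is applied to the total rather than per state.

```python
"""Breach notification deadline tracker (added example; not from the original guide).

The STATE_DEADLINE_DAYS table holds only the figures quoted in the guide and
must be checked against current law before any real use.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Calendar days from discovery, as quoted in the guide. None means the statute
# requires notice "without unreasonable delay" but sets no fixed day count.
STATE_DEADLINE_DAYS: dict[str, int | None] = {
    "CO": 30, "FL": 30, "WA": 30, "CT": 60, "NY": None, "CA": None,
}

CA_AG_THRESHOLD = 500        # CA attorney general: more than 500 residents
HIPAA_DEADLINE_DAYS = 60     # individual notice: no later than 60 days
HIPAA_LARGE_BREACH = 500     # HHS/media: 500 or more individuals
SEC_BUSINESS_DAYS = 4        # Form 8-K Item 1.05 after materiality determination


@dataclass
class Plan:
    hard_deadline: date | None               # earliest fixed calendar deadline
    driving_states: list[str]                # statutes that set that deadline
    prompt_notice_states: list[str]          # no day count, still owed prompt notice
    notifications: list[str] = field(default_factory=list)  # regulator notices


def _as_date(value: date | str) -> date:
    """Accept a date or an ISO 8601 string such as '2024-03-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def add_business_days(start: date, n: int) -> date:
    """Advance n business days (Mon-Fri).
    Assumption: federal holidays are ignored; a production tracker would
    subtract them as well."""
    current = start
    while n > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0-4 are Monday through Friday
            n -= 1
    return current


def build_plan(discovered: date | str, affected_by_state: dict[str, int],
               phi_involved: bool = False,
               sec_materiality_date: date | str | None = None) -> Plan:
    """Compute the earliest deadline and the triggered regulator notices."""
    found = _as_date(discovered)
    candidates: list[tuple[date, str]] = []
    prompt: list[str] = []
    notes: list[str] = []

    for state, count in sorted(affected_by_state.items()):
        if count <= 0:
            continue
        if state not in STATE_DEADLINE_DAYS:
            # Never silently drop a jurisdiction the table does not cover.
            notes.append(f"{state}: deadline not in table, look up the statute")
            continue
        days = STATE_DEADLINE_DAYS[state]
        if days is None:
            prompt.append(state)
        else:
            candidates.append((found + timedelta(days=days), state))

    if affected_by_state.get("CA", 0) > CA_AG_THRESHOLD:
        notes.append("California Attorney General (more than 500 CA residents)")

    if phi_involved:
        candidates.append((found + timedelta(days=HIPAA_DEADLINE_DAYS), "HIPAA"))
        # Assumption: the media threshold is applied to the total; HIPAA
        # actually counts residents per state or jurisdiction.
        if sum(affected_by_state.values()) >= HIPAA_LARGE_BREACH:
            notes.append("HHS and prominent media (HIPAA, 500 or more individuals)")

    if sec_materiality_date is not None:
        due = add_business_days(_as_date(sec_materiality_date), SEC_BUSINESS_DAYS)
        notes.append(f"Form 8-K Item 1.05 due {due.isoformat()}")

    if not candidates:
        return Plan(None, [], prompt, notes)
    earliest = min(deadline for deadline, _ in candidates)
    drivers = [who for deadline, who in candidates if deadline == earliest]
    return Plan(earliest, drivers, prompt, notes)


if __name__ == "__main__":
    # Constructed scenario: breach found 2024-03-01 with residents in three states.
    plan = build_plan("2024-03-01", {"CO": 1200, "CA": 800, "NY": 50},
                      sec_materiality_date="2024-03-01")
    print("Earliest fixed deadline:", plan.hard_deadline, "set by", plan.driving_states)
    print("Prompt notice, no day count:", plan.prompt_notice_states)
    for note in plan.notifications:
        print("-", note)
```

In the constructed scenario the Colorado 30-day clock sets the hard deadline (31 March), California and New York still owe prompt notice, the California AG is owed notice because more than 500 residents are affected, and the 8-K is due four business days after the materiality determination. Feed the tracker the real per-state counts as the forensic investigation refines them, and re-run it whenever the numbers change; the deadline only ever moves earlier as new jurisdictions appear.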
The Breach Response Timeline
When a breach is discovered, every hour matters. Here is a practical timeline for managing the response and notification process:
Hours 1-24: Contain and Assess
Days 2-7: Investigate and Plan
Days 7-30: Notify and Manage
The Cost of Breach Notification
Notification is expensive. Understanding the costs upfront helps you plan and makes the case for cyber insurance coverage. Here is what to budget for:
Forensic investigation — $50,000 to $100,000 or more, depending on the complexity of the breach
Legal counsel — $25,000 to $75,000 for breach notification guidance
Notification letters — $2 to $5 per letter for printing, postage, and fulfillment
Credit monitoring — $10 to $30 per person per year
Call center — $5,000 to $25,000 for a dedicated response line
Crisis communications — $10,000 to $50,000 for PR support
Regulatory fines — variable, but can reach hundreds of thousands of dollars
For a breach affecting 5,000 individuals, total notification and response costs commonly reach $500,000 or more. This is exactly why cyber insurance with adequate first-party coverage is so important.
Penalties for Non-Compliance
Failing to meet your notification obligations can result in severe penalties:
State fines — many states impose per-violation fines, which can mean per-person, per-day penalties. In California, the CCPA allows civil penalties of up to $7,500 per intentional violation, and its private right of action for data breaches allows statutory damages of $100 to $750 per consumer per incident.
Lawsuits — delayed or inadequate notification can be used as evidence of negligence in class action lawsuits.
Regulatory action — state attorneys general can bring enforcement actions, which add legal costs and reputational damage.
Loss of trust — customers and partners who learn about a breach from the news rather than from you will be far less forgiving.
How to Prepare Before a Breach Happens
The time to figure out your notification obligations is before a breach occurs, not after. Here are the preparation steps every business should take:
Key Takeaways
Breach notification is a legal obligation with real consequences for non-compliance. Here is what to remember:
All 50 states have breach notification laws with varying requirements
Notification timelines can be as short as 30 days from discovery
You must comply with the laws of every state where affected individuals reside
Federal requirements add additional obligations for healthcare and financial services
The cost of proper notification commonly exceeds $100 per affected individual
Cyber insurance should cover notification costs, forensics, legal counsel, and credit monitoring
Preparation before a breach is far less expensive than improvisation after one
Do not wait until you are in the middle of a crisis to figure out your obligations. Build your incident response plan, understand your notification requirements, and make sure your cyber insurance covers the costs. Your future self will thank you.