Why Breach Notification Laws Exist
For decades, companies that suffered data breaches had no legal obligation to tell anyone. Millions of people had their personal information stolen without ever being notified. The result was that criminals could exploit stolen data for months or years before victims had any idea they were at risk.
Breach notification laws changed this by requiring organizations to disclose breaches within specific timeframes and to inform affected individuals so they can take protective action.
The European Union: GDPR
The General Data Protection Regulation, enacted in 2018, established the most comprehensive data protection framework in the world. Its breach notification requirements are among the strictest:
- 72-hour notification rule: Organizations must report breaches to their supervisory authority within 72 hours of becoming aware of the incident
- Individual notification: If the breach poses a high risk to individuals, the organization must notify affected persons "without undue delay"
- Content requirements: Notifications must describe the nature of the breach, likely consequences, measures taken, and contact information for the data protection officer
- Penalties: Violations can result in fines up to 20 million euros or 4 percent of global annual turnover, whichever is higher
- Extraterritorial scope: GDPR applies to any organization processing the data of EU residents, regardless of where the organization is based
GDPR fundamentally shifted the balance of power by treating personal data as belonging to the individual, not the organization that collects it.
The United States: A Patchwork Approach
The United States has no single federal breach notification law. Instead, all 50 states have enacted their own statutes, creating a complex web of varying requirements:
- California (CCPA/CPRA): Among the strongest state laws. Grants consumers the right to know what data is collected, demand deletion, and opt out of data sales. Breach notification within a reasonable timeframe
- New York SHIELD Act: Requires reasonable security safeguards and broadens the definition of private information that triggers notification requirements
- Texas: Notification required within 60 days. Breaches affecting more than 250 residents require notification to the state attorney general
- Florida: Notification within 30 days, one of the shorter deadlines among US states
Common elements across US state laws:
- Notification to affected individuals is universally required
- Definitions of "personal information" vary significantly between states
- Timeframes range from 30 to 90 days, with some states using vague language like "most expedient time possible"
- Many states require notification to the state attorney general for large breaches
Canada: PIPEDA
Canada's Personal Information Protection and Electronic Documents Act requires organizations to:
- Report breaches creating a "real risk of significant harm" to the Privacy Commissioner
- Notify affected individuals as soon as feasible
- Maintain records of all breaches for two years, regardless of severity
- Penalties of up to $100,000 CAD per violation
Australia: Notifiable Data Breaches Scheme
Since 2018, Australian organizations covered by the Privacy Act must:
- Assess suspected breaches within 30 days
- Notify the Office of the Australian Information Commissioner and affected individuals if the breach is likely to result in serious harm
- Provide specific details about the breach and recommended protective steps
Brazil: LGPD
Brazil's Lei Geral de Protecao de Dados, modeled after GDPR, requires:
- Notification to the national data protection authority within a "reasonable timeframe"
- Communication to affected data subjects when the breach may cause significant risk or damage
- Penalties up to 2 percent of revenue, capped at 50 million reais per violation
What These Laws Mean for You
You have the right to be informed. In most jurisdictions, organizations must tell you when your data has been compromised. If you receive a breach notification, take it seriously and act immediately.
Notification does not mean protection. Being told about a breach after the fact does not undo the damage. By the time you receive a notification letter, your data may have been circulating for weeks or months.
Companies often delay. Despite legal requirements, many organizations take months to disclose breaches. Some discover breaches only after stolen data appears for sale online.
Cross-border breaches create jurisdictional complexity. When a multinational company is breached, different notification rules may apply to different affected individuals based on where they live.
Proactive Monitoring Is Essential
Relying solely on breach notifications leaves you reactive. Companies may not know they have been breached, may delay notification, or may not be subject to strong notification requirements in their jurisdiction.
Check LeakedSource to proactively monitor whether your data appears in breaches, rather than waiting for a notification that may arrive too late.