When Do You Need to Report a Data Breach?

The way in which you respond to a data breach has a significant impact on how severe its consequences are. Reporting an event is one action that can help.

The number of data breaches tracked in the U.S. in 2017 totaled 1,579, nearly a 44.7 percent increase over the previous year. Data breaches, incidents in which personal information is accidentally or unlawfully stolen, lost, disclosed, accessed, altered or destroyed, can happen to organizations of any size and in any sector.

Most data breach laws deal with personal data, which is essentially any information that can be associated with a particular person. Other rules concern personally identifiable information, which is data that someone could use, alone or along with additional information, to trace or distinguish a person’s identity.

When Should You Report a Data Breach?

In general, you should report a personal data breach if it likely poses a risk to people and threatens their rights and freedoms. This is based on the General Data Protection Regulation (GDPR), which applies to any organization that handles the data of European Union citizens. An incident might threaten someone’s rights and freedoms if it may result in identity theft, identity fraud, financial loss, discrimination, damage to reputation, social disadvantage or loss of confidentiality.

International, federal and state laws vary in their requirements about when to report breaches. In the U.S., all 50 states, the District of Columbia, Puerto Rico, Guam and the Virgin Islands have laws that require entities to notify people of breaches involving personally identifiable information.

How Soon After a Breach Should You Report It?

Under the GDPR, an organization that experiences a personal data breach must notify the appropriate authorities within 72 hours of discovering it. Within that timeframe, data controllers are also required to conduct an investigation of the incident, identify the affected data, inform impacted individuals and create a plan for containing the breach. If the organization can’t complete these activities within 72 hours, it is expected to provide an explanation as to why.

Under the Health Insurance Portability and Accountability Act (HIPAA), entities affected by the law must inform authorities and the impacted individuals within 60 days, but only if 500 or more people are affected. Authorities for some other sectors, such as the Securities and Exchange Commission (SEC), don’t have specific timeframe requirements.

Requirements under state laws vary. In New Mexico, businesses have 45 days to issue a notification if the incident impacted 1,000 or more residents of the state. California requires companies to send out notifications if 500 or more residents are affected, but it doesn’t have a specific timeframe requirement.

Laws, of course, dictate how soon companies must report cybersecurity incidents. Companies should also do their best to gather as much accurate information as possible before sending out an alert, so as to avoid miscommunication. If an organization waits too long, on the other hand, the damage may already be done. It is important to strike a balance between these two extremes.

To Whom Should You Report a Breach?

Whom you should notify depends on the laws that apply to you, the industry you are in and who was affected. In many cases, you must notify the supervising authorities. Under the GDPR, for example, you need to notify the Information Commissioner’s Office. If your organization is covered by the Health Breach Notification Rule, you must notify the U.S. Federal Trade Commission (FTC) and perhaps the media. If you are covered by the HIPAA Breach Notification Rule, you will need to inform the U.S. Department of Health and Human Services (HHS).

It is advisable to tell law enforcement about a breach as quickly as possible. You may call local police, but if they are not familiar with cybersecurity incidents, you can also call your local FBI office.

If you store information for other businesses, notify them. If information pertaining to a certain organization is stolen, contact that organization. For example, if an attack results in the theft of bank account numbers, notify the affected banks. If the breaches involve names and Social Security numbers, you may need to contact the major credit bureaus.

You may also need to contact the individuals who may be affected by the breach and inform them of what data was affected, what you’re doing to address the situation and what individuals can do to protect themselves.

Why Report a Breach?

Reporting breaches of personal data enables regulating authorities, law enforcement and individuals to take action to reduce the amount of damage that may occur. Some of these authorities may also be able to help you ensure your system is secure again and prevent further data loss.

The laws that affect your organization can vary depending on your location, industry and other factors. Consider these requirements as well as what is best for the individuals affected when deciding whether to report a breach.

Update February 11, 2024:

The Chamber of Commerce team published its Package Theft Statistics; the key findings are below:

  • More than one-quarter of consumers (26%) have had a package stolen, and most porch pirate incidents occurred at single-unit residential homes (49%) rather than an apartment or condominium (42%).
  • The average value of a stolen package was $81.91, according to respondents.
  • Among package theft victims, 22% had a doorbell camera when the theft occurred and 25% never received a refund for the stolen item(s).
  • 38% believe that doorbell cameras do not deter package thieves.
  • More than one-third (36%) of respondents say advancements in AI technology will help prevent future package theft.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and here

Pierluigi Paganini

(Security Affairs – Cybersecurity, data breach)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and is a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
