Not every cybersecurity incident needs to be reported—for example, unauthorized access attempts that don’t compromise data. Breach notification laws come into play with confirmed theft of sensitive data, such as financial or personal information. These definitions vary across jurisdictions, but usually hinge on a fancy legal word: “materiality.”

In 2023, the Securities and Exchange Commission (SEC) adopted new regulations that require public companies to disclose material cybersecurity incidents within four business days of determining materiality. SEC defines materiality as information that a reasonable investor would deem important, including potential financial, reputational, or litigation risks.

For other organizations, materiality is dictated by relevant jurisdictions. This can create a complex web of state, federal, international, and sector-based laws and regulations that organizations must plan for.

For example, medical organizations must follow HIPAA’s patient confidentiality protections and send data breach notifications if personal health information (PHI) is compromised. HIPAA has risk-based notification rules, while states such as California take a stricter approach, triggering notification when unencrypted personal information is acquired (or reasonably believed acquired). HIPAA applies to PHI, while state breach notification laws cover a broader range of data, including payment cards, login credentials, online identifiers, and more.

All 50 states and territories have breach notification laws with differing definitions and triggers for reporting. What qualifies as "personally identifiable information" (PII) can vary, with some states including biometric data while others focus on financial details. Companies often follow the most stringent standard to cover multi-state obligations.

Who you must send notice of a data breach and how quickly also vary widely. Potential audiences include:

• Affected individuals (to alert them to protective steps like credit monitoring)
• Regulators (e.g., SEC, state attorneys general)
• Partners/vendors (for supply chain risks)
• Insurers (to activate coverage)
• Law enforcement (e.g., FBI for criminal probes)

For example, any business that processes credit card transactions is contractually obligated under PCI DSS to report card data compromises to its acquirer bank and card brands, and sometimes to engage a payment card industry forensic investigator (PFI). All 50 states also require notifying affected residents if personal information is compromised, and credit card numbers and names usually qualify.

Timelines range from immediate (e.g., law enforcement) to 30–60 days for individuals in many US states. In the EU, the General Data Protection Regulation (GDPR) is stricter, requiring authorities to be notified within 72 hours of a personal data breach.

Because of overlapping jurisdictions and breach compliance requirements, planning is critical. Businesses must carefully determine which mandates apply and draw up an incident response (IR) plan that details clear roles and responsibilities for carrying out these requirements. You don’t want to rely on assumptions during a crisis.

Key components of your IR plan include:

• Defined roles: Every team member knows their responsibilities during incident response (e.g., CISO for technical lead, executives for oversight)
• Contact trees: Up-to-date lists for internal and external parties
• Legal counsel: For compliance and litigation prep
• Insurers: For claim notifications
• Forensics: Tools for analysis, such as SIEM
• Communications: Messaging templates that have been pre-approved by counsel

For a deeper dive into IR planning, watch our on-demand webinar, "Practical Incident Response Planning.”

Preserving the facts of the breach requires rigorous evidence handling. This is important for legal and investigative purposes, as well as minimizing future risk. Proper evidence handling involves:

• Chain of custody tracks asset handling via documentation, preventing tampering.
• Immutable logs (e.g., audit trails) ensure unalterable records.
• Preservation steps include forensic imaging, secure storage, and NIST-compliant sanitization (see: NIST SP 800-61, SP 800-86)

Several authorities publish playbooks for how to integrate these best practices, including CISA and NIST. These can be put into action with a managed security information and event management (SIEM) platform, which arms businesses with total visibility into relevant log data across systems, streamlining audits and compliance.

Tabletop exercises allow organizations to simulate breaches and refine IR plans without the stakes of a live event. Scenarios might include ransomware or phishing attacks and include strategic and technical assessments. Your team can see how their roles work together, identify gaps, and note areas for post-exercise improvements.

Compliance and risk management are an inseparable part of cybersecurity. Both rely on having the proper tools, preparation, and team in place. Huntress provides 24/7 managed SOC services and monitoring to quickly detect and neutralize threats before they can do harm.

• Managed ITDR platform detects identity-centric threats such as business email compromise (BEC).
• Managed EDR puts your IR playbook into action with fast containment.
• Managed SIEM equips you with immutable logging and reporting capabilities for effective compliance.

Guard against attacks, contain threats, and streamline data breach compliance with Huntress at your back.