Codigo Alpha – Alpha code

Understand the Law with Clarity

Digital & Privacy Law

Breach Notification in the U.S.: Federal vs State Timelines Explained

Purpose. This guide explains how breach-notification timelines work in the United States, contrasting federal sector rules with state consumer-breach statutes. It is written for privacy, security, and legal teams that need a practical, defensible approach to “how fast is fast enough?” when an incident may have exposed personal information. It is not legal advice; always confirm current statutes and regulator guidance for your facts and locations.

Key idea. In the U.S., there is no single, universal breach-notification deadline. Instead, you coordinate federal sectoral rules (e.g., HIPAA, FTC Health Breach Notification Rule, GLBA Safeguards Rule, SEC disclosure) with 50-state consumer breach laws plus territories and D.C. The practical goal is to reach a timely, accurate decision on whether and whom to notify, and to send notices within the shortest applicable clock while preserving evidence, limiting harm, and avoiding premature or incorrect statements.

What starts the clock? “Discovery,” “awareness,” and “materiality”

  • Discovery / awareness (typical state laws & many federal rules). The clock usually begins when the organization discovers or is made aware of a breach or of facts from which a breach is reasonably believed to have occurred. You do not need perfect certainty; a credible basis is enough to start internal timing.
  • Determination of materiality (SEC disclosure for public companies). For SEC Item 1.05, the four-business-day clock starts after you determine the incident is material—not at first suspicion. Your processes must let you reach that determination “without unreasonable delay.”
  • Role matters (controller vs processor/service provider). Processors often must notify the controller “without unreasonable delay” (sometimes on specified day counts) after discovery, not notify individuals directly. Many state laws and contracts impose specific deadlines on service providers to alert the data owner.

Practical step. In your incident log, write the exact clock-start event (date/time UTC, source, who knew, and what was known). If different rules apply (e.g., HIPAA discovery vs. SEC materiality), track separate clocks in the same log.

Federal regimes: what the deadlines look like

HIPAA Breach Notification Rule (health sector)

  • Who is covered? HIPAA covered entities and business associates handling protected health information (PHI).
  • Clock & deadline. Notification generally must occur without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI. Separate timing applies to HHS and media for larger incidents.
  • Key nuances. A four-factor risk assessment determines whether an impermissible use/disclosure is a breach that triggers notice. Encryption safe harbor applies if PHI was encrypted to HIPAA standards and keys were not compromised.

FTC Health Breach Notification Rule (HBNR)

  • Who is covered? Vendors of personal health records (PHRs) and related entities outside HIPAA (e.g., many consumer health apps, wearables, trackers).
  • Clock & deadline. Notice to individuals (and to the FTC via its portal) is required on a set timeline after discovery of a breach of unsecured PHR identifiable health information. (Teams should confirm the latest timing specifics; the 2024 updates clarify scope and content.)
  • Key nuances. Common triggers include third-party tracking pixels or SDKs that transmit health data without proper authorization; content requirements are prescriptive and plain-language oriented.

GLBA Safeguards Rule – breach notice to the FTC

  • Who is covered? Non-bank financial institutions (e.g., mortgage brokers, auto dealers, many fintechs) under FTC jurisdiction.
  • Clock & deadline. For certain “notification events” affecting 500+ consumers with unencrypted customer information, notice to the FTC must be provided as soon as possible and within a specified outer limit (widely referenced as 30 days after discovery).
  • Key nuances. This is in addition to (not instead of) any state-law consumer notifications. The Safeguards Rule’s security program obligations (risk assessments, testing, logging, access controls) directly influence your ability to meet timelines.

SEC cybersecurity disclosure (public companies)

  • Who is covered? Issuers required to file periodic reports with the SEC.
  • Clock & deadline. File Form 8-K Item 1.05 within four business days after determining a cyber incident is material. This is separate from consumer breach notices and does not itself require technical remediation to be complete.
  • Key nuances. “Material” focuses on a reasonable investor standard. There are narrow national-security/public-safety delay pathways via the Attorney General; do not assume a delay—coordinate early with counsel.

CIRCIA (critical infrastructure reporting) – emerging

  • Who is likely covered? Designated critical-infrastructure entities once CISA’s final rules are effective.
  • Indicative timing. Statute preview: report covered cyber incidents within 72 hours and ransom payments within 24 hours. Teams should prepare placeholders so processes are ready when the final rule lands.

Bottom line on federal clocks. HIPAA’s 60-day outer limit, the SEC’s four-business-day post-materiality filing, and the GLBA Safeguards Rule’s rapid (commonly framed as 30-day) regulator notice can all apply simultaneously with state consumer laws. Plan to satisfy the shortest applicable deadline while protecting accuracy and law-enforcement needs.

State consumer-breach laws: how “timelines” really work

All U.S. states, D.C., and most territories require notice to affected residents when defined “personal information” is breached. While definitions and thresholds vary, timing follows common patterns:

1) “Most expedient time possible and without unreasonable delay”

This is the baseline in many states (including large markets). It allows investigation, containment, and law-enforcement coordination, but not open-ended indecision. Regulators increasingly expect active, documented progress, not silence.

2) Outer-limit states

Several states set explicit outer limits—often 30 or 45 days from discovery—sometimes with built-in extensions for law-enforcement delay or when a controller must wait for a processor’s facts. A smaller group uses longer ceilings (e.g., 60–90 days). If your population spans multiple states, treat the shortest outer limit as your planning anchor.

3) Regulator/AG notice triggers

Beyond notifying individuals, many states require notice to the Attorney General or another regulator for larger incidents (e.g., thresholds of 500, 1,000, or more residents) and sometimes require notice to consumer reporting agencies. These regulator notices often run on the same or shorter clocks as individual notices and carry prescriptive content requirements.

4) Service-provider timelines

States commonly impose explicit deadlines on service providers to notify the data owner/controller after discovery (e.g., “as soon as practicable,” within a set number of days, or “without unreasonable delay”). Contracts frequently add tighter notice windows (24–72 hours).

5) Safe harbors and risk of harm

Encryption safe harbors and “risk-of-harm” thresholds can remove or reduce the duty to notify—but you must document the analysis. State enforcement trends show skepticism when companies claim low risk without clear evidence.

State timing patterns, typical statutory language, and planning implications:

  • “Unreasonable delay” (no outer limit). Typical language: notify in the most expedient time possible and without unreasonable delay. Planning implication: document progress; you still need speed. Regulators look for contemporaneous logs and credible reasons for any delay.
  • 30-day outer limit. Typical language: notify no later than 30 days after discovery. Planning implication: assume this governs multi-state incidents unless a shorter duty applies (e.g., contract or federal regulator).
  • 45-day outer limit. Typical language: notify no later than 45 days after discovery. Planning implication: permits a brief investigation window but still requires parallel drafting and scoping to avoid last-minute rushes.
  • Longer ceilings (60–90 days). Typical language: notify no later than X days after discovery. Planning implication: do not plan to consume the entire window; plaintiffs and AGs still test “reasonableness.”

A defensible timeline workflow for multi-jurisdiction incidents

Phase A — Day 0 to Day 2: establish clocks and preserve options

  • Record discovery time. In the case log, capture the first credible signal, who knew, and any law-enforcement contact.
  • Map applicable regimes. Which federal/sector rules (HIPAA, HBNR, GLBA Safeguards, SEC) and which state populations are in scope? Identify the shortest deadline among them.
  • Start parallel drafting. Even if you may not notify, draft individual and AG/regulator templates under privilege. Waiting until “we’re sure” risks missing an outer limit.
  • Preserve evidence first. Build your narrative: what happened, what data was implicated, when, for how long, and what has been done.

Phase B — Day 2 to Day 10: tighten scope, make the notification call

  • Quantify populations and data elements. Join identity, storage, and access logs. Produce ranges with confidence levels to support a risk-of-harm analysis.
  • Decide “breach” vs “incident.” Apply statutory tests. For HIPAA, complete the four-factor assessment; for states with risk-of-harm, document reasoning and evidence.
  • Set the notice schedule. If any regime has a firm outer limit (e.g., 30 or 45 days), lock the drop-dead date and plan to file before it while maintaining accuracy.
  • Coordinate LE. If law enforcement asks for a delay to avoid impeding an investigation, ensure you have a written request and calendar the pause/review cadence. Re-assess clocks immediately when the hold is lifted.

Phase C — Day 10 to deadline: finalize and deliver

  • Finalize content. Most state and federal notices require core elements: nature of the incident, categories of data, time frames, steps taken, actions individuals should take, and contact points. AG notices may also require sample letters and incident metrics.
  • Stage sends. Coordinate regulator/AG submissions, consumer letters/emails, website postings (if required), and press statements so no audience first learns from media.
  • Archive artifacts. Preserve final versions, submission receipts, and mailing/email service proofs; regulators often ask for them later.

How federal and state clocks interact in practice

Scenario 1 — Health app (non-HIPAA) with nationwide users

An analytics pixel sent health-related events to a third party. The company is a PHR vendor under the FTC HBNR and has users in all 50 states.

  • Clocks: HBNR individual + FTC notice by its specified outer limit after discovery, plus state notices where applicable (many states will treat this as a consumer data breach).
  • Approach: Use the shortest applicable window for planning; send one harmonized consumer letter that meets both state and HBNR content requirements, and a regulator submission tailored to the FTC and any state AG thresholds.

Scenario 2 — Public company hit by credential stuffing

Attackers accessed some consumer accounts; investigation is ongoing.

  • Clocks: SEC 8-K filing only if/when the board or management determines materiality; consumer notices under state law may still be required sooner.
  • Approach: Run two clocks: the continuous state-law “discovery” clock and the SEC “materiality” clock. If consumer notice goes first, the 8-K can reference that notice and focus on investor-relevant impacts.

Scenario 3 — HIPAA covered entity with affected patients in multiple states

Unencrypted PHI was exfiltrated from a compromised server.

  • Clocks: HIPAA’s 60-day outer limit controls patient notice and HHS/Media notices for large breaches; state consumer laws may still require AG notifications or additional content.
  • Approach: Use HIPAA content as the master and add any state-specific extras (e.g., credit monitoring information where required). Meet the earliest AG filing deadline among states.

Why organizations miss deadlines (and how to avoid it)

  • Late clock-start recognition. Teams fail to memorialize the first credible awareness event. Fix: a standing incident log that starts at first signal, with counsel notified immediately.
  • Serial investigation psychology. Waiting to “finish forensics” before drafting notices. Fix: run parallel tracks (evidence capture, scoping, and notice drafting) from Day 1.
  • Vendor dependency. Processors delay sharing logs. Fix: contract for hard notice windows (e.g., 24–72 hours), audit rights, and predefined log exports; escalate via legal early.
  • Fragmented ownership. Security, privacy, and comms work in silos. Fix: identify a single Incident Commander and a Legal Lead; hold brief daily decisions and publish them in one canonical timeline.
  • Ambiguous population estimates. No defensible count of affected residents by state. Fix: maintain a data map and residency attributes; build standard queries for “who was where” at time of incident.
  • No templates. Drafting from zero costs days. Fix: pre-approve consumer and regulator templates for HIPAA, HBNR, GLBA Safeguards, and multi-state notices.

Content building blocks most statutes expect

  • Plain description of what happened and when (without unnecessary technical jargon or speculative attribution).
  • What information was involved (e.g., names, SSNs, driver’s license numbers, financial account numbers, medical information); avoid listing data not actually implicated.
  • What you are doing (containment, law-enforcement engagement, remediation, additional security controls).
  • What individuals should do now (password resets, credit reports, fraud alerts/freezes, specific health/financial steps as relevant); include support contacts.
  • Remedies you offer (e.g., credit monitoring/identity protection) if appropriate.
  • Regulator-specific elements (e.g., number of residents notified; sample copy; preparedness to answer follow-ups).

Model timeline calculator (federal + state overlay)

Events to record, when to record them, why they matter, and their clock impact:

  • Initial credible signal (IDS alert; vendor notice). When to record: Day 0, time T0. Why it matters: starts internal “discovery” awareness. Clock impact: state clocks begin for planning purposes; HIPAA/HBNR discovery begins if scope suggests PHI/PHR data.
  • Law-enforcement engagement. When to record: as soon as reasonably possible. Why it matters: may justify limited delay if requested in writing. Clock impact: pauses some state notices while the LE hold is active.
  • Materiality determination (public company only). When to record: when executive governance decides. Why it matters: triggers the SEC 8-K four-business-day filing. Clock impact: separate from state/federal consumer notice clocks.
  • Scope decision: breach vs incident. When to record: as soon as evidence supports a defensible call. Why it matters: determines whether notices are required. Clock impact: do not wait to draft while deciding.
  • Notice package ready. When to record: before the earliest outer limit. Why it matters: enables synchronized sends to individuals and regulators. Clock impact: builds buffer for mailing/portal issues.
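As an added illustration of the calculator table above (example code written for this page, not a tool the guide itself provides), the following Python script turns the recorded clock-start events into concrete deadlines: calendar days from discovery for state and HIPAA/GLBA outer limits, business days from the materiality determination for the SEC 8-K, and a written law-enforcement hold that pauses the state clocks. Assumptions, also marked in the comments: the outer-limit values are the ones quoted in this guide, business days skip only weekends (not U.S. federal holidays), and the LE hold is modeled as pausing state clocks only, for its full duration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Outer limits as quoted in the guide (assumption: confirm against current statutes).
HIPAA_OUTER_DAYS = 60        # HIPAA: no later than 60 days after discovery
GLBA_OUTER_DAYS = 30         # GLBA Safeguards: commonly framed as 30 days after discovery
SEC_BUSINESS_DAYS = 4        # SEC Item 1.05: four business days after materiality determination


@dataclass
class IncidentClocks:
    """Clock-start events copied from the incident log (all times UTC)."""
    discovery_utc: datetime                        # first credible signal (Day 0, T0)
    state_outer_days: list                         # outer limits of states in scope, e.g. [30, 45]
    hipaa: bool = False                            # unsecured PHI in scope
    glba: bool = False                             # GLBA Safeguards notification event
    materiality_utc: Optional[datetime] = None     # public company: materiality determination
    le_hold: Optional[tuple] = None                # (start, end) of a written law-enforcement hold


def add_business_days(start: datetime, n: int) -> datetime:
    """Advance `start` by n business days. Assumption: only weekends are skipped."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:          # Monday..Friday count as business days
            n -= 1
    return d


def compute_deadlines(c: IncidentClocks) -> dict:
    """Map each applicable regime to its outer-limit deadline (UTC)."""
    # Assumption: a written LE hold pauses only the state clocks, for its
    # full duration; the federal clocks below keep running unchanged.
    pause = timedelta(0)
    if c.le_hold is not None:
        pause = c.le_hold[1] - c.le_hold[0]
    dl = {}
    for days in sorted(set(c.state_outer_days)):
        dl[f"state {days}-day outer limit"] = c.discovery_utc + timedelta(days=days) + pause
    if c.hipaa:
        dl["HIPAA 60-day outer limit"] = c.discovery_utc + timedelta(days=HIPAA_OUTER_DAYS)
    if c.glba:
        dl["GLBA Safeguards FTC notice"] = c.discovery_utc + timedelta(days=GLBA_OUTER_DAYS)
    if c.materiality_utc is not None:
        dl["SEC 8-K Item 1.05"] = add_business_days(c.materiality_utc, SEC_BUSINESS_DAYS)
    return dl


def planning_anchor(c: IncidentClocks, consumer_only: bool = False):
    """Earliest deadline; consumer_only drops the investor-facing SEC clock."""
    dl = compute_deadlines(c)
    if consumer_only:
        dl = {k: v for k, v in dl.items() if not k.startswith("SEC")}
    name = min(dl, key=dl.get)
    return name, dl[name]


def clock_board(c: IncidentClocks, now: datetime) -> list:
    """Rows of (regime, deadline, whole days remaining), soonest first."""
    rows = [(k, v, (v - now).days) for k, v in compute_deadlines(c).items()]
    return sorted(rows, key=lambda r: r[1])


def sample_incident() -> IncidentClocks:
    """Constructed sample: discovery Friday 2024-03-01, materiality Wednesday 2024-03-06,
    a five-day written LE hold, states with 30- and 45-day ceilings, PHI in scope."""
    utc = timezone.utc
    return IncidentClocks(
        discovery_utc=datetime(2024, 3, 1, 10, 0, tzinfo=utc),
        state_outer_days=[45, 30],
        hipaa=True,
        materiality_utc=datetime(2024, 3, 6, 15, 0, tzinfo=utc),
        le_hold=(datetime(2024, 3, 3, tzinfo=utc), datetime(2024, 3, 8, tzinfo=utc)),
    )


if __name__ == "__main__":
    inc = sample_incident()
    for name, deadline, left in clock_board(inc, datetime(2024, 3, 10, tzinfo=timezone.utc)):
        print(f"{deadline:%Y-%m-%d %H:%M}Z  {left:3d} days left  {name}")
    print("consumer-notice planning anchor:", planning_anchor(inc, consumer_only=True))
```

With the sample input the SEC clock lands first (2024-03-12), while the consumer-notice anchor is the paused 30-day state limit (2024-04-05); the HIPAA clock is unaffected by the hold.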

Documentation that proves timeliness

  • Unified incident timeline with UTC stamps for discovery, triage, containment, law-enforcement contacts, materiality analysis, breach determinations, and notice send times.
  • Legal memoranda (under privilege) applying statutory tests (HIPAA, HBNR, GLBA, state laws) and explaining why timelines selected were reasonable and compliant.
  • Population math (SQL/warehouse queries, audit logs, cloud/object access logs) supporting counts by state and data element categories.
  • Copies and receipts of regulator submissions, consumer letters/emails, and web postings; call-center scripts and FAQs as finally used.
  • Change-control artifacts for security improvements implemented before restoration (MFA expansions, key rotations, logging retention changes, backup hardening).

Common questions about “delay” that derail compliance

  • “Can we wait until forensics finish?” No. Timelines run while you investigate. Draft early, revise as facts mature.
  • “We haven’t confirmed exfiltration—do we still notify?” Many laws focus on access or acquisition, not only confirmed exfiltration. Apply statutory definitions; when in doubt, prepare notices.
  • “If encryption is present, we’re safe, right?” Only if keys were not compromised and encryption meets the relevant standard. Document key custody.
  • “Our vendor is responsible, so they notify.” Controllers usually retain the duty to notify individuals; service-provider notice to you does not satisfy consumer notice unless the statute says otherwise and you’ve contractually delegated duties.

Playbook checkpoints that keep you on time

  • Clock board: a live dashboard listing the earliest outer limit (by state or federal rule), the SEC materiality status, and any LE holds with next review time.
  • Pre-approved templates: consumer letters (general + state addenda), AG/Regulator forms, HIPAA/HBNR letters, GLBA Safeguards portal text, and an internal Q&A.
  • Service-provider SLOs: 24-hour notice on discovery, 72-hour log export, and named points of contact; failure escalates to executive/legal immediately.
  • Evidence & scoping sprint: a fixed, two-to-five-day window with daily sign-offs; if uncertainty persists, ship notices with best-available facts and label them as such.
  • Single source of truth: one incident channel, one timeline document, one owner for each outbound notice. Reduces version drift and late edits.

Conclusion

Breach-notification timing in the U.S. is a coordination problem: federal sector rules (HIPAA, HBNR, GLBA Safeguards, SEC) sit on top of a patchwork of state consumer laws. Teams that succeed treat the earliest applicable deadline as the anchor, draft notices in parallel with forensics, and maintain a signed, privileged rationale for every timing decision. Build your process to recognize clock starts immediately, keep law enforcement and regulators aligned without surrendering speed, and ship accurate notices with clear, useful guidance for affected people. Do this consistently and you will meet the letter and the spirit of the timelines—without sacrificing investigative quality or customer trust.

Quick guide

Goal. Ship accurate breach notifications on time by coordinating federal sector rules with state consumer-breach laws. Start clocks early, draft in parallel with forensics, and anchor to the shortest applicable deadline.

Clock starts to record immediately. Write the exact discovery/awareness time in UTC, who knew, and what was known. If you are a public company, also track the separate moment when the incident becomes material for SEC purposes (that triggers a four-business-day 8-K clock). If you are a processor/service provider, track the deadline to notify the controller (often “without unreasonable delay” or within a defined day count by statute/contract).

Day 0–2 (stabilize + prepare notices). Preserve evidence before major changes; contain quietly. Map which frameworks apply: HIPAA (health), FTC Health Breach Notification Rule—HBNR (consumer health apps/PHRs), GLBA Safeguards Rule (non-bank financial institutions), and any state laws for affected residents. Identify regulator/AG thresholds (e.g., notice to AG when resident count passes X). Begin drafting: (1) consumer letter (plain language, actions they should take); (2) regulator/AG filings; (3) HIPAA/HBNR/GLBA versions if in scope; (4) a privileged memo explaining timing decisions. If law enforcement requests a delay, obtain it in writing and calendar reviews.

Day 2–10 (scope + decide). Quantify populations by state and the data elements at issue (e.g., names + SSNs; medical details; credentials). Apply statutory tests: “breach” vs “incident,” “risk-of-harm” thresholds, encryption safe harbors, and, for HIPAA, the four-factor risk assessment. If any law sets an outer limit (commonly 30 or 45 days from discovery), plan to send earlier than that date. For public companies, run a separate materiality analysis for SEC disclosure without slowing consumer notices.

Before earliest deadline (finalize + send). Validate mailing lists/emails, stage portal submissions (FTC/AG/HHS/GLBA), and synchronize sends so individuals don’t learn from the press first. Archive final letters, regulator receipts, and a unified incident timeline. After launch, keep a Q&A for support teams and a 14–30 day monitoring plan.

  • Controller vs processor: controllers typically notify individuals; processors notify controllers rapidly and share logs/artifacts.
  • Content building blocks: what happened, what information, when, what you’re doing, what the person should do now, remedies offered, and contacts.
  • Do not wait for perfect certainty: draft early; update facts as they harden. “Unreasonable delay” language still expects speed.

Bottom line: Treat the earliest applicable clock as the anchor, keep a privileged written rationale, and execute a coordinated consumer + regulator plan with verified facts.

FAQ

1) When does the notification clock start?

Most state laws and several federal rules start at discovery/awareness of a breach (not necessarily full confirmation). SEC disclosure for public companies starts after a materiality determination. Record both if applicable.

2) What if we are only a processor/service provider?

You typically must notify the controller quickly (often “without unreasonable delay” or within a fixed day count). The controller usually notifies affected individuals and regulators, unless your contract/statute delegates that job to you.

3) How fast is “without unreasonable delay”?

It allows time for containment, scoping, and law-enforcement coordination, but regulators expect documented progress and timely decisions. If another regime sets 30 or 45 days, treat that outer limit as your planning anchor—then ship earlier if possible.

4) Does encryption or hashing eliminate notification?

Many laws have encryption safe harbors if keys were not compromised and the standard is strong. Hashing alone may not qualify. Always document key custody and technical controls.

5) Can we delay because law enforcement asked us to?

Often yes, but only with a written request. Re-evaluate frequently and resume notifications promptly when the hold is lifted. Keep the request and review notes in the case file.

6) What goes into a compliant consumer notice?

Plain description of what happened and when, categories of information involved, steps you are taking, recommended actions for the individual (e.g., resets, credit freezes), available remedies (e.g., monitoring), and contact points. Some states/federal rules require specific headings and sample letters.

7) How do federal rules interact with state laws?

They stack. You may have HIPAA/HBNR/GLBA/SEC timing plus state consumer notices and AG filings. Plan to satisfy the shortest applicable clock and harmonize content across audiences.

8) What if we cannot confirm exfiltration?

Several laws trigger on access or acquisition, not only confirmed exfiltration. Run a risk-of-harm analysis where allowed; if notice is prudent or required, send with best-available facts and note the investigation continues.

9) We’re a public company—do we file the SEC 8-K first?

Not necessarily. The 8-K is due four business days after you decide the incident is material; consumer/regulator notices under state/federal privacy laws may be due earlier. Run two clocks with separate owners and coordinated messaging.

10) What documentation proves we were timely?

A unified UTC timeline (discovery, decisions, notices), legal memoranda applying statutes, population counts by state, copies of letters and regulator receipts, and evidence of LE holds. Keep all under legal privilege where appropriate.

Technical Basis & Legal Sources

  • HIPAA Breach Notification Rule (45 CFR §§164.400–414): patient/individual notice, HHS and media thresholds, 60-day outer limit after discovery, four-factor risk assessment, encryption safe harbor.
  • FTC Health Breach Notification Rule (HBNR) (16 CFR Part 318): applies to PHR vendors and related entities outside HIPAA; individual + FTC notice; clarified scope and content for modern apps/trackers.
  • GLBA Safeguards Rule—Breach Notice to the FTC (16 CFR Part 314): non-bank financial institutions must notify the FTC promptly (outer limit commonly 30 days) when certain events affect 500+ consumers with unencrypted customer information.
  • SEC Cybersecurity Disclosure (Form 8-K Item 1.05, 2023 rule): four business days after a materiality determination; separate from consumer privacy notices.
  • State consumer-breach statutes (all 50 states, D.C., territories): “most expedient time possible and without unreasonable delay” or fixed ceilings (often 30/45 days), AG thresholds, content requirements, and safe harbors.
  • CIRCIA (forthcoming CISA rules): statutory preview—report covered cyber incidents within 72 hours and ransom payments within 24 hours for covered critical-infrastructure entities (prepare placeholders now).
  • Supporting standards: NIST SP 800-61 (incident handling), NIST CSF 2.0 (Respond/Recover/Govern), ISO/IEC 27035 (incident management) to structure processes, evidence, and governance for defensible timing decisions.

Disclaimer

This information is for general educational purposes only and does not constitute legal advice. It does not replace an attorney, does not create an attorney–client relationship, and may not reflect the most current legal developments. Consult qualified counsel licensed in your jurisdiction for advice about your specific facts and deadlines.
