Data Breach Notification: What You Need to Know (2026)
Notification timelines, template letters, regulatory requirements, and incident response planning for data breaches.
- Notification Requirements
- What to Include
- Creating an Incident Response Plan
- Recovery Steps
Notification Requirements
When a breach occurs, the clock starts immediately. GDPR requires authority notification within 72 hours and individual notification "without undue delay." CCPA requires notification "in the most expedient time possible." All 50 US states have breach notification laws, with timelines of 30 to 90 days. Failure to notify can result in additional fines on top of any penalties for the breach itself.
What to Include
Notifications must include: what happened (nature, approximate date), what data was affected (names, emails, payment info), what you're doing about it (containment steps), what individuals can do (change passwords, monitor accounts), and contact information. For GDPR authority notifications, also include: approximate number affected, likely consequences, and DPO contact details. Keep language clear and direct. Use the Privacy Policy Generator to ensure your privacy policy covers breach notification obligations.
Creating an Incident Response Plan
Create your incident response plan before a breach: define the response team (legal, IT, communications, executive), detection and confirmation procedures, containment steps (isolate systems, revoke credentials), scope assessment (what data, how many people, exposure duration), notification procedures with pre-drafted templates, communication channels, and post-incident review. Test the plan with tabletop exercises: simulate scenarios and walk through the response steps.
Recovery Steps
After immediate response: conduct forensic investigation for root cause, implement fixes to prevent recurrence, update security measures, review privacy policy if necessary, document everything for compliance, and monitor for further unauthorized access. Consider credit monitoring for affected individuals if financial data was exposed. Review cyber insurance coverage. Conduct a post-mortem with the full team.
Frequently Asked Questions
How quickly must I notify?
Must I report if data was encrypted?
Should small businesses worry?