This isn't legal advice
The seven audiences, in order
Your cyber-insurance carrier
Within 24–72 hours of discovery
The notification window is written into the policy; read it. Engaging off-panel counsel or forensics firms before notifying can jeopardize coverage or leave those costs unreimbursed. Even if you're not sure whether it's a covered event, notify: the carrier will tell you whether it qualifies, and notification is what unlocks panel counsel and the panel forensics firm.
Law enforcement (FBI / IC3 / Secret Service)
As soon as criminal activity is suspected
Report at ic3.gov (the FBI's Internet Crime Complaint Center), or contact the local FBI field office for serious incidents; the Secret Service handles cyber-enabled financial crimes such as business email compromise and payment fraud. The FBI doesn't take over your incident: they ask questions and fold your case into their existing investigations. Reporting doesn't obligate disclosure to anyone else. Most state breach laws also allow notification to be delayed if law enforcement determines that it would impede an investigation; if you rely on that, get the determination in writing.
Regulators (per applicable laws)
Window varies by law — see below
Federal: HIPAA (for breaches of unsecured PHI affecting 500 or more individuals, notify affected individuals and HHS within 60 days of discovery; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered), the FTC Safeguards Rule for covered financial institutions, and the SEC for public companies (4 business days after the incident is determined to be material). State: breach notification laws in all 50 states plus DC and the territories, with timelines ranging from "without unreasonable delay" to fixed deadlines of 30 to 60 days, and many requiring a parallel filing with the state attorney general above a headcount threshold. Industry: NAIC Insurance Data Security Model Law (insurance), SEC Regulation S-P and FINRA (broker-dealers), state bar ethics rules (law firms).
Affected individuals
Within the state-law window (fixed deadlines of 30–60 days in many states, "without unreasonable delay" in others)
Notification letter to affected clients/customers/employees with: what happened, what data was exposed, what you're doing about it, what they can do to protect themselves, who to contact. Written notice is the default; most states also allow electronic notice where the recipient has consented to electronic communications, and substitute notice (website posting plus media) when contact details are missing or the affected population is very large. A credit monitoring offer is standard practice and required in some states for SSN exposures.
Your staff
Before public disclosure, after legal counsel review
Staff need to know what to say to clients (and what NOT to say). A written internal FAQ with the agreed talking points, prepared with breach counsel, prevents accidental damage. Brief in-person or via secure channel — not compromised email.
Your clients (where contractually required)
Per contract terms
Many B2B contracts require breach notification to clients within a specific window (often 24–72 hours), separate from any legal obligation. Check your customer contracts; this is often shorter than the state-law deadline.
Media / public (only if required or strategically chosen)
Coordinated with breach counsel and PR
Public statements should be drafted by breach counsel, vetted by the carrier's PR firm if applicable, and timed strategically. “No comment” is often correct early; once a statement is issued, it can't be retracted.
What the notification letter has to contain
Most state breach-notification laws specify minimum content. The common required elements:
- Description of the incident in general terms.
- The categories of personal information involved (names, SSNs, account numbers, health info, driver's license numbers, etc.). The specific data fields matter for the regulatory analysis: whether a state law is triggered at all usually turns on which elements were exposed together.
- The approximate date of the breach (or that the date cannot be determined).
- The date of discovery.
- What you're doing about it — investigation, remediation, security improvements.
- What the recipient can do — placing fraud alerts, freezing credit, monitoring statements.
- Free credit monitoring offer (required in several states for SSN exposure, standard practice broadly).
- Contact information for questions — usually a dedicated phone number and email staffed for the duration.
- Not part of the letter itself, but triggered alongside it: parallel notification to the consumer reporting agencies (Equifax, Experian, TransUnion) when the breach exceeds a state's headcount threshold (commonly 500 or 1,000 residents), and to the state attorney general in the states that require it.
Industry-specific overlays
- HIPAA (healthcare): HHS notification and individual notification within 60 days of discovery, media notification if more than 500 residents of a state or jurisdiction are affected, and HHS posts breaches affecting 500 or more individuals to its public breach portal (the "wall of shame").
- NAIC Insurance Data Security Model Law: 72-hour notification to state insurance commissioner, in adopted states.
- FTC Safeguards Rule: FTC notification as soon as possible and no later than 30 days after discovery, for notification events involving unencrypted customer information of 500 or more consumers.
- State financial regulators: the NY DFS Cybersecurity Regulation (23 NYCRR 500) requires reporting within 72 hours, plus notice within 24 hours of any extortion payment; other states vary.
- SEC (public companies): 4 business days after the company determines the incident is material, under Item 1.05 of Form 8-K. The clock runs from the materiality determination, not from discovery, but that determination can't be unreasonably delayed.
- GDPR (any EU/UK data subjects): 72-hour notification to the competent supervisory authority (the lead authority for cross-border processing; the ICO under UK GDPR), unless the breach is unlikely to result in a risk to individuals; individual notification "without undue delay" where the breach is likely to result in a high risk. If you're a processor, you notify the controller without undue delay rather than the regulator.
- State bar rules (law firms): Most jurisdictions require client notification under the ethics rules on competence, communication and confidentiality (see ABA Formal Opinion 483), separate from state breach law.
The internal communications playbook
Your staff need three things from leadership during a breach:
- An honest brief on what happened. Don't hide it from people who'll be asked about it by clients.
- Written talking points for what to say (and what not to say) to clients, vendors, family. Reviewed by breach counsel.
- A named internal point of contact for questions and incident-related concerns.
Avoid:
- Speculation about cause or scope in writing (becomes evidence).
- Casual Slack / email discussion of the incident (also evidence; also a re-attack risk if the attacker still has access to those channels).
- Promising clients things you can't deliver (lifetime credit monitoring, etc.).
- Telling individual staff different versions of events.
What clients hear matters more than what regulators do
Regulatory fines are usually survivable. Client trust loss is often not. The notification letter is your one chance to control the narrative directly. Three rules:
- Be straight about what happened. People can tell when they're being managed.
- Tell them what you're doing. Concrete remediation actions are reassurance.
- Make the offered protection easy to use. A pre-paid credit monitoring code with one-click activation outperforms a code that takes 20 minutes to redeem.
The pre-incident equivalent
Need help with breach notification?
We coordinate breach counsel, draft templated notification letters, manage credit monitoring vendor selection, and track state-by-state filing windows.
Submit emergency intake