Breach Notification Requirements
Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 29 December 2023

Yes. At the federal level, breach notification obligations apply in particular sectors (e.g., healthcare, financial institutions, and telecommunications). At the state level, each of the 50 states and Puerto Rico has now established a breach notification obligation that generally applies to unauthorized access to, or acquisition of, the categories of unencrypted sensitive personal data specified in that state's law. Common data categories include Social Security Numbers, personal financial account numbers, health/medical information, usernames/passwords for online accounts, and others. The definitions and conditions vary from state to state. For example, under California's security breach notification law, Cal. Civ. Code § 1798.82, "breach of the security of the system" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal data maintained by the person or business, where the "personal data" at issue can include a wide variety of government identifiers, financial information, health/medical information and more. Other rules, such as those issued by the SEC as described above, also apply.

Controllers/ Owners have to notify:

Last review date: 29 December 2023

US laws vary, but generally a controller may have an obligation to notify:

☒   data protection authorities

Federal rules typically require notification to the appropriate federal regulators if the applicable thresholds are met. For example, HIPAA's Breach Notification Rule (45 C.F.R. §§164.400-414) requires covered entities to notify HHS and affected individuals for certain unauthorized acquisitions, accesses, uses or disclosures of protected health information ("PHI") in certain circumstances.

Under certain state breach notification laws, in-scope entities that have experienced a data security breach must notify the applicable State Attorney General if certain circumstances are met. For example, under Cal. Civ. Code § 1798.82(f), a company that is required to notify more than 500 individuals must also notify the California Attorney General. In certain states, such as under Maryland Code, Commercial Law Section 14-3501 et seq., the Attorney General must be notified prior to notification to any individuals.

☒   cybersecurity authorities. Telecommunications providers have duties to report cybersecurity incidents to law enforcement. Also, under CIRCIA, covered entities will be required to report cyberattacks and ransomware payments within specified timeframes to the Cybersecurity and Infrastructure Security Agency once the final rule implementing CIRCIA's requirements goes into effect.

☒   affected individuals, if applicable thresholds are met

☒   other.

In certain circumstances, companies may be required to report certain data events to law enforcement (e.g., in the telecommunications sector) or to the United States Department of Defense, and, depending on the volume of data impacted, state laws may also require entities to notify consumer reporting agencies. Apart from privacy and regulatory duties, companies may also have contractual obligations to give notice of data incidents in certain cases, such as obligations to notify merchant banks and/or credit card brands of certain events involving payment card information.

Processors/ Agents have to notify:

Last review date: 29 December 2023

Under certain state-, sector-, or activity-specific data breach notification laws, certain entities can functionally be considered "data processors," such as "business associates" under HIPAA, and "service providers" or "data maintainers" under state breach notice laws. Additionally, contractual terms between the "data processor" and "controller" may require the processor to notify others, including affected individuals and regulators.

   controller/owner

Typically, these entities will have duties to notify the controllers/owners of the data. For example, at the federal level, the HIPAA Breach Notification Rule requires business associates to notify the relevant covered entity of a discovered data breach. Similar requirements apply under other federal and state data breach notification laws.

   data protection authorities

☐   cybersecurity authorities

   affected individuals

   others