Last Updated: April 27th, 2026 | 3 min read | Categories: Concepts

Suspected Data Breach Reporting

Reporting must now be a critical part of any firm’s data breach response plan. The days of trying to keep an intrusion quiet to save face or pay a ransom to prevent public exposure of an incident are long gone.

In addition to increasingly strict mandatory reporting requirements from data protection regulators around the world, affected individuals also have a right to know as soon as possible if their personal data was impacted. This is especially true if they will need to take precautions such as changing login details or checking their finances for fraud.

Companies that fail to inform all stakeholders in good time face major consequences. In 2025’s NPD breach, for instance, some people only found out their data had been stolen when they were alerted by third-party monitoring services. If handled badly, this can lead to expensive compensation claims.

So how quickly should this be done and what considerations must businesses factor in when it comes to data breach reporting?

Understanding Mandatory Reporting Requirements

Mandatory reporting obligations exist across most major jurisdictions and apply to a broader range of organizations than many businesses assume. GDPR covers any organization that processes the personal data of EU residents, regardless of where that business is headquartered.

In the US, HIPAA applies to all firms handling medical data, including healthcare providers, health plans and their business associates. More broadly, all 50 states have independent breach notification laws covering businesses that handle residents’ personal data, meaning sector-specific federal legislation is rarely the only obligation in play.

How Long Do Firms Have To Report A Data Breach?

Reporting timelines are not triggered by formal confirmation of a breach. Instead, they should begin as soon as an organization becomes aware that one may have occurred. Under GDPR, supervisory authorities must be notified within 72 hours of that awareness. This is a tight window that makes having a response plan in place essential.

HIPAA sets a 60-day deadline from discovery for notifying both the Department of Health and Human Services and affected individuals. For publicly traded US companies, “material” breaches must be reported to the SEC within four business days. Entities covered under the Cyber Incident Reporting for Critical Infrastructure Act – which range from financial services and healthcare to energy firms – must report incidents to CISA within 72 hours and ransom payments within 24 hours.

Who Else Must Be Informed And When?

Regulatory reporting is only one part of the notification picture. In addition, the following key stakeholders should be contacted:

  • Legal counsel: Engage within hours of discovery to manage cross-jurisdiction obligations and limit liability.
  • Board and senior leadership: Notify immediately to authorize resources and manage reputational risk.
  • Cyber insurers: Most policies require notification within 24 to 72 hours as a condition of coverage.
  • Affected individuals: GDPR requires notification without undue delay once scope is confirmed; HIPAA sets a 60-day deadline.
  • Partners and suppliers: Notify within 24 hours where shared risk exists.
  • Law enforcement: Report within 48 hours to aid investigation and demonstrate responsible handling.
