Breach Notification: Who Needs to Know and When
Most SMBs find out about a breach from their customers—not their tools. Here's how to flip that equation.
Last updated: March 20, 2026
Your email says a vendor you use was breached. Your customer list was potentially exposed. It happened two weeks ago. They just told you now.
You have customers in California, New York, and Texas. Your vendor is in Ireland. Your data might have been involved.
This is not a hypothetical. This is a likely Tuesday for your business.
The question isn't whether you'll face an incident. It's whether you'll be ready when it happens.
What this solves (in real business terms)
An incident notification plan tells you:
- What counts as a breach that requires action
- Who you need to notify and when
- What you need to tell them
- Who does what in the first 24 hours
Without this, you waste the critical window where early notification to customers and regulators can limit damage—and where late notification can make everything worse.
What can go wrong
Equifax did everything wrong. 147 million people affected. Executives found out about the breach on July 30, 2017. They didn't tell the public until September 7. During that month, executives sold stock. The eventual settlement: $700 million. Criminal charges. Congressional testimony. This is the blueprint for how not to handle it.
Notification deadlines are real. GDPR: 72 hours to supervisory authority. HIPAA: 60 days to HHS. CCPA: "in the most expedient time possible." Most states: 30–45 days. If you're still figuring out what to do on day 45, you're already in violation.
Silent failures. Many breaches aren't discovered for months. If your vendor doesn't tell you they were breached, and you don't discover it independently, you're still liable for the exposure—and you're behind on your notification timeline before you even know it started.
Customer trust collapse. Target offered free credit monitoring after their 2013 breach and still lost 40% of their affected customers. Your customers won't wait to see how you handle it—they'll just leave.
What it costs (honest ranges)
| What | What you'll pay |
|------|----------------|
| Incident response plan (DIY) | $0 |
| Incident response retainer with cybersecurity firm | $2,000–$10,000/year |
| Legal counsel for breach management | $10,000–$50,000 (if it happens) |
| Credit monitoring for affected customers | $10–$30/person |
| Forensic investigation | $15,000–$100,000 (major incidents) |
| State fines (varies by violation) | $1,000–$500,000 |
The planning is cheap. The not-planning is expensive.
Who you need to notify (and when)
Immediate (within 24 hours of discovery):
- Your IT/security team (internal or retained vendor)
- Your lawyer
- Your cyber insurance carrier
Within 48–72 hours:
- Affected customers (if data was confirmed exposed)
- Your state's attorney general (most states require notification)
- HHS (if HIPAA-covered, 60 days but start immediately)
Within 30 days:
- Credit bureaus (if SSNs were exposed—some states require this)
- All state AGs where affected customers reside (some states have this requirement)
Don't forget:
- Payment card brands (Visa, Mastercard) if payment data was involved
- Your bank/processor if credentials were compromised
- Your cyber insurance carrier (even if you're not sure it's a claim)
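The schedule above as a small checker, added here as an example (not part of the original page): it encodes only the deadlines this page quotes and flags which ones have already passed when, as in the opening scenario, a vendor tells you two weeks late. The rule that the clock starts at the earlier of the vendor's discovery and yours is an assumption for the example, not a legal claim the page makes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Deadlines this page quotes, all counted from discovery. "Most states: 30-45 days"
# is modelled at its shortest (30 days) so the schedule errs on the early side.
PAGE_DEADLINES = {
    "IT/security team, lawyer, cyber insurance carrier": timedelta(hours=24),
    "Affected customers (if exposure is confirmed)": timedelta(hours=48),
    "State attorney general": timedelta(hours=72),
    "GDPR supervisory authority": timedelta(hours=72),
    "Credit bureaus and other state AGs": timedelta(days=30),
    "HHS (if HIPAA-covered)": timedelta(days=60),
}


@dataclass
class Notification:
    party: str
    due: datetime
    overdue: bool


def notification_schedule(vendor_discovered: str, you_discovered: str,
                          now: str, deadlines=PAGE_DEADLINES) -> list[Notification]:
    """Build the who-and-when list, earliest deadline first, from ISO-8601 dates.

    Assumption (not a legal claim made by the page): the clock starts at the
    earlier of the vendor's discovery and yours, because the page warns that
    a late vendor notice leaves you behind on the timeline before you know it.
    """
    start = min(datetime.fromisoformat(vendor_discovered),
                datetime.fromisoformat(you_discovered))
    current = datetime.fromisoformat(now)
    items = [Notification(party, start + delta, start + delta < current)
             for party, delta in deadlines.items()]
    return sorted(items, key=lambda n: n.due)


def overdue_parties(vendor_discovered: str, you_discovered: str, now: str) -> list[str]:
    """Names of the parties whose deadline has already passed; empty means on track."""
    return [n.party for n in notification_schedule(vendor_discovered, you_discovered, now)
            if n.overdue]


if __name__ == "__main__":
    # Constructed scenario from the opening of this page: the vendor found the
    # breach two weeks ago and only told you today.
    for n in notification_schedule("2026-03-06", "2026-03-20", "2026-03-20"):
        print("OVERDUE" if n.overdue else "due    ", n.due.date(), n.party)
```

Run as-is it shows the first four notifications already overdue on the day you learn of the breach, which is the point of building the contact list before you need it.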
Minimum viable implementation
- Define "incident" for your business. A vendor breach affecting your data = incident. Suspicious email activity = incident. Ransomware on any connected system = incident.
- Assign roles now. Who contacts the lawyer? Who works with IT? Who talks to customers? In a crisis, you don't have time to figure this out.
- Build a vendor contact list. Your payment processor, IT provider, cyber insurance, lawyer—have their numbers now, not during a crisis.
- Enable breach notifications. Subscribe to HaveIBeenPwned, your vendor's security advisories, and relevant industry breach notification feeds.
- Document everything from minute one. During an incident, your notes become evidence. Document: when you discovered it, what you did, who you contacted, what you learned.
- Practice the first call. Your first call should be to your lawyer and cyber insurance carrier simultaneously. Know their numbers. Know what information they'll need.
Vendor questions (copy/paste)
When you need incident response help:
- "What's your typical response time? Can you have someone on the phone within 2 hours?"
- "Do you have experience with [your industry] breach notification requirements?"
- "Do you handle regulatory notification drafting, or just technical investigation?"
- "What's your forensic capability? Can you determine what data was accessed?"
- "Are you on retainer or call-as-needed? What's the engagement structure?"
- "Can you interface with law enforcement and regulatory bodies if required?"
When to hire help
Hire incident response help if:
- You process more than $250K/year online
- You're in healthcare, finance, or government contracting
- You have any cyber insurance policy (they often require pre-approved vendors)
- You've had any suspicious activity in the past 12 months
- You can't answer "who would I call in the first hour" with a name and number
Pro tip: negotiate your incident response retainer before you need it. During a crisis, you don't have leverage.