Data Breaches: Regulatory and Contractual Notification Obligations

Keeping pace with the state of data privacy and data privacy regulations is becoming a pressing responsibility for businesses in the digital age. In this article, we provide an overview of data privacy and what businesses need to know.

Personal data breaches are, unfortunately, becoming an increasingly common occurrence. Personal data breaches can happen to any company within any industry, resulting in millions of dollars in fines and reputational costs. This blog will discuss what constitutes a personal data breach, organizational obligations for notifying customers, and how organizations can limit contractual liability for personal data breaches.

Data privacy concerns for businesses are on the rise, and organizations need to be prepared for the growing threat and for their response to it. One rising concern within this area is the costly impact of data breaches, which have statistically been increasing.

While the definition of a personal data breach varies from jurisdiction to jurisdiction, a personal data breach is commonly defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed by a company. Personal data, as discussed further in our Data Privacy 101 overview, is any information relating to an identified or identifiable person, which may include a person’s name, date of birth, social security number, driver’s license number, credit card number, and medical information.

A company’s obligations for notification of data breaches vary by jurisdiction, industry, role (business/data controller or service provider/data processor), and the impact of the data breach. In most cases, companies are required to notify customers within a certain amount of time after becoming aware of a personal data breach.

Within the United States, each state has its own specific laws governing data breach notification for residents. In addition, the US has a patchwork of breach laws at the federal level that overlap with individual states’ rules.

Each state’s notification obligations vary; however, a general resource for state-level compliance can be found at ITGovernanceUSA.

Potential State-by-State Obligations:

  • Notification to Affected Consumers
  • Disclosure to Attorney General
  • Notification to Consumer Reporting Agencies

Notification may not be required if an investigation determines a breach has not resulted in or is not reasonably likely to result in injury, identity theft, or economic loss to affected individuals.

Generally speaking, an organization must provide notice of breach without unreasonable delay. Timelines for notification vary anywhere from days to months, with many jurisdictions citing a 45-day limit.

In addition, some states require disclosure of a breach to the Attorney General. In some states, the Attorney General will need to be notified regardless of the number of residents affected. In other states, disclosure may not be required unless a specific number (anywhere from 250-1,000) of state residents are affected by the breach.

Finally, when a large volume of consumers is affected, breached entities may need to notify consumer reporting agencies.

Certain industries facing data breaches may also face additional notification requirements. In particular, the healthcare industry faces obligations set out in the HIPAA Security Rule.

HIPAA Data Breach Obligations

HIPAA data breach notification obligations are set out in 45 CFR § 164.404(b) of the HIPAA Security Rule, which requires covered entities to notify individuals whose protected health information (PHI) has been breached after an appropriate investigation and risk assessment have occurred. This notification must occur without unreasonable delay and generally within 60 days of the discovery of a data breach.

Data Breaches Affecting Non-U.S. Citizens

PIPEDA Data Breach Obligations

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s federal data protection law. Similar to HIPAA, PIPEDA requires organizations to notify individuals about data breaches that pose a “real risk of significant harm” to the individual. This notification must occur without unreasonable delay and generally within 30 days of the discovery of a data breach.

GDPR Data Breach Obligations

The GDPR is a law that went into effect this year to protect EU citizens’ data. The General Data Protection Regulation (“GDPR”) regulates how companies store and handle the personal information of EU users within their databases.

GDPR data breach notification obligations are set out in Article 33 of the GDPR. Organizations acting as data controllers must notify data protection authorities about data breaches involving personal data as soon as possible, and no later than 72 hours after first becoming aware of a data breach (unless the data controller’s lead supervisory authority otherwise mandates). Meanwhile, organizations acting as data processors must notify the data controller(s) without undue delay after becoming aware of a personal data breach. The notice to customers and end-users should include:

  • A description of what happened.
  • A contact point where additional information can be obtained.
  • The likely effects on the individuals whose information was breached.
  • Steps that those affected could take to reduce their risk of negative consequences caused by the breach.

Contractual Data Breach Notification Obligations

Statutory requirements for notifying individuals and regulators are not the only obligations entities face. Some organizations may also have contractual obligations to third parties regarding certain types of breaches.

For example, a business may have an agreement with a data processor whereby the data processor agrees to notify the business of any data breaches. The contract typically dictates that the data processor must notify the business of any data breach without undue delay and no later than a specific time (typically 48-72 hours) after becoming aware of the data breach.

Depending on the data breach, the business will need to determine if the data breach requires notifications to data subjects, supervisory authorities or other government regulators.

What can organizations do to limit liability?

  1. Consult a Specialized Attorney: A specialized data privacy attorney will have your organization’s best interests in mind and provide the guidance needed to navigate this ever-evolving field and the regulations at hand.
  2. Set Clear Procedures: Organizations need to establish and ensure that data breach notification procedures are clearly defined within contracts and data processing agreements with all of their customers, service providers, and other third parties.
  3. Establish a Response Plan: When data breaches occur, organizations need to have a data breach response plan in place. This plan should define the roles and responsibilities of all parties involved in notifying individuals affected by a data breach, as well as when and how regulators will be notified if personal data is breached.

Data breaches are a significant concern to companies and individuals around the globe as data collection continues to grow exponentially every year. Proper planning for potential data breaches not only establishes important intercompany processes and procedures, but also could help limit contractual and regulatory liability in the event a data breach occurs.

In addition, data privacy is an essential component of our digital economy and should not be overlooked by businesses of any stage or size. By understanding the importance of data privacy, implementing the above-mentioned best practices, and staying on top of new data protection regulations, your organization can help protect your customers’ data and avoid costly data breaches.

Contact us today to learn more about data privacy legal solutions for your business.