How to Report a Data Breach Step-by-Step

If personal information gets compromised, your first call determines whether you meet your legal obligations or face regulatory penalties. Most breaches require notification to multiple parties within tight deadlines, and missing even one can expose you to lawsuits, fines, and damaged trust.

The truth about data breach reporting? It’s not one report to one agency.

You’re juggling notifications to federal regulators, state attorneys general, law enforcement, credit bureaus, and every affected individual. Each has different requirements, different timelines, and different forms. And if you get it wrong, regulators won’t care that you were overwhelmed.

Breach reporting spans regulators, law enforcement, credit bureaus, and individuals.

This guide walks you through exactly who to notify, when to notify them, and how to document everything properly. No legal jargon. No guesswork. Just the practical steps that keep you compliant and protected.

What Is a Data Breach and When Must You Report It?

A data breach is unauthorized access to personal information. That includes names, Social Security numbers, credit card details, email addresses, passwords, and health records.

Not every security incident qualifies as a reportable data breach. If you catch unauthorized access before any data leaves your systems, containment might be enough. But once personal information is viewed, copied, or stolen, you cross into mandatory reporting territory.

Commonly exposed data in breaches includes usernames, passwords, email addresses, Social Security numbers, and credit card details. Any combination of these triggers notification requirements under most state laws.

Typical exposed data: usernames, passwords, emails, SSNs, and credit cards.

Here’s when you must report:

  • Personal information was accessed by unauthorized parties
  • Data was exfiltrated from your systems
  • You cannot definitively prove data wasn’t accessed during a security incident
  • Encrypted data was stolen along with encryption keys

State data breach notification laws vary, but most require notification within 30 to 60 days of discovering the breach. Some states demand notification “without unreasonable delay.” That means as soon as you confirm a breach occurred, your clock starts ticking.

Most states require notification within 30–60 days of discovering a breach.

Don’t wait for perfect information. Regulators expect you to notify based on reasonable suspicion, then provide updates as your investigation progresses.

Immediate Steps to Secure Your Systems

Before you report anything, stop the bleeding.

Containment first: isolate systems and stop ongoing data loss.

Your first priority is containment. If attackers still have access to your systems, they’re potentially exfiltrating more data while you’re figuring out who to call.

Isolate Compromised Systems

Disconnect affected servers, workstations, and network segments from the internet. Don’t shut them down yet. You need to preserve evidence for forensic investigation and law enforcement.

Change all administrative passwords immediately. Assume that any credentials on compromised systems are now in attacker hands. This includes service accounts, API keys, and database passwords.

Enable multi-factor authentication on all critical systems if you haven’t already. This prevents attackers from using stolen passwords to regain access.

Preserve Evidence

Take disk images and memory dumps of affected systems before making any changes. Evidence preservation is one stage of a data breach response plan that runs from discovery through containment and investigation to resolution, and how well you preserve evidence determines whether you can prosecute attackers or claim cyber insurance coverage.

Document everything with timestamps. Log every action your team takes. Law enforcement and regulators will ask for a detailed timeline, and your records need to show you acted reasonably and promptly.

If you don’t have internal forensic capabilities, bring in a third-party incident response firm now. They can secure systems without destroying evidence and provide the technical analysis regulators expect.
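The timestamped action log and evidence fingerprints described above can be kept in a form that regulators and forensic firms can check later. The Python below is an added example, not code from the article: it records each response action and the SHA-256 of each captured artifact in an append-only log where every entry carries the hash of the previous one, so an edited, deleted or reordered entry fails verification. The incident id, responder names, timestamps and the sample "disk image" bytes are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a captured artifact (a disk image or memory dump).
# In a real response this would be the image file written during containment.
SAMPLE_IMAGE = b"\x00" * 512 + b"constructed sample disk image bytes"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used to fingerprint evidence and chain log entries."""
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    # Deterministic serialization so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class IncidentLog:
    """Append-only timeline of response actions and evidence fingerprints.

    Each entry carries the hash of the previous entry, so deleting, reordering
    or editing an entry after the fact breaks verification.
    """

    GENESIS = "0" * 64

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def _append(self, kind: str, actor: str, detail: dict, when=None) -> dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "incident_id": self.incident_id,
            "seq": len(self.entries),
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "kind": kind,
            "actor": actor,
            "detail": detail,
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = sha256_hex(_canonical(entry))
        self.entries.append(entry)
        return entry

    def record_action(self, actor: str, description: str, when=None) -> dict:
        """Log one step the team took (isolation, credential rotation, ...)."""
        return self._append("action", actor, {"description": description}, when)

    def record_evidence(self, actor: str, label: str, data: bytes, when=None) -> dict:
        """Log the fingerprint of a captured artifact, not the artifact itself."""
        detail = {"label": label, "sha256": sha256_hex(data), "size_bytes": len(data)}
        return self._append("evidence", actor, detail, when)

    def verify(self) -> bool:
        """Recompute every hash and chain link; False if anything was altered."""
        prev_hash = self.GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev_hash:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_hex(_canonical(body)) != entry["entry_hash"]:
                return False
            prev_hash = entry["entry_hash"]
        return True

    def evidence_matches(self, label: str, data: bytes) -> bool:
        """Check that an artifact handed to forensics still matches its logged hash."""
        for entry in self.entries:
            if entry["kind"] == "evidence" and entry["detail"]["label"] == label:
                return entry["detail"]["sha256"] == sha256_hex(data)
        return False


def build_sample_log() -> IncidentLog:
    """Constructed walkthrough of the containment steps described in the article."""
    t0 = datetime(2025, 3, 10, 14, 2, tzinfo=timezone.utc)  # constructed timestamp
    log = IncidentLog("INC-EXAMPLE-0001")  # placeholder incident id
    log.record_action("responder-1", "Isolated srv-01 from the network (left powered on)", t0)
    log.record_evidence("responder-1", "srv-01 disk image", SAMPLE_IMAGE, t0.replace(minute=40))
    log.record_action("responder-2", "Rotated all administrative and service-account credentials",
                      t0.replace(hour=15))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print(json.dumps(log.entries, indent=2))
```

Keep the log itself on a system outside the compromised environment and hand the forensic firm both the artifacts and the log; `evidence_matches` is the check they run before relying on an image.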

Assess the Damage

Figure out what data was accessed or stolen. This determines who you notify and what information you provide. Check system logs, network traffic, and database query histories.

Identify all affected individuals. You need names, contact information, and what specific data was compromised for each person. This list drives your notification obligations.

Now you’re ready to report.

Who to Report a Data Breach To: Required Notifications

A common concern is where to start when multiple agencies require notification.

In practice, employees and customers typically report data breaches to the organization that holds the data using official incident-reporting channels, such as security email addresses, hotlines, or privacy officers. But as the breached organization, you face a more complex notification matrix.

Your notification obligations depend on the type of data compromised and where your affected individuals live.

Federal Agencies

The Federal Trade Commission monitors data breach notifications for unfair business practices. While the FTC doesn’t require direct breach notification from most businesses, it tracks patterns and investigates companies that experience repeated breaches or fail to implement reasonable security measures.

The FBI investigates cyber crimes including data breaches. You’re not legally required to notify the FBI in most cases, but reporting helps them track criminal networks and potentially recover stolen data.

The Internet Crime Complaint Center serves as the FBI’s central hub for cyber crime reporting. File a complaint here for any breach involving criminal activity.

State Attorneys General

Most state data breach notification laws require you to notify the state Attorney General if the breach affects a certain number of residents. Thresholds vary by state, from as few as 10 residents in some states to 500 or 1,000 in others.

Some states require simultaneous notification when you notify affected individuals. Others give you a few extra days. Check requirements for every state where affected individuals live.

Credit Bureaus

If your breach compromises Social Security numbers or financial account information, notify the major credit bureaus: Equifax, Experian, and TransUnion. This allows them to flag affected individuals’ files and watch for fraudulent activity.

Many states require credit bureau notification when a breach affects more than 1,000 residents.

Affected Individuals

You must notify every person whose personal information was compromised. Notification must explain what data was breached, what steps you’ve taken to secure systems, what services you’re offering (like credit monitoring), and what individuals should do to protect themselves.

Use whatever contact method you have. Email is acceptable for most breaches. Mail works if you don’t have email addresses. Substitute notice through media outlets and your website is allowed only when contact information is insufficient or notification costs exceed $250,000.

Don’t delay individual notification while you complete regulatory filings. People need time to protect themselves.

How to Report to Federal Agencies (FTC, FBI, IC3)

Federal reporting follows different processes depending on the agency and your industry.

Filing with the Internet Crime Complaint Center (IC3)

The IC3 operates at ic3.gov and accepts reports of all cyber crimes including data breaches. Your complaint helps the FBI track criminal activity patterns and potentially identify breach perpetrators.

Figure: IC3 reporting portal (https://www.ic3.gov) for submitting cyber crime complaints

File your IC3 report as soon as you determine criminal activity occurred. You’ll need to provide:

  • Your organization’s information and contact details
  • Description of the breach and how it occurred
  • Timeline of discovery and response
  • Types of data compromised
  • Number of affected individuals

The IC3 automatically routes your complaint to relevant FBI field offices and other federal agencies. You’ll receive a complaint ID number for your records.

Notifying the FBI Directly

For significant breaches involving sophisticated attacks or substantial data theft, contact your local FBI field office directly. The FBI can provide threat intelligence and coordinate with other agencies investigating similar attacks.

Law enforcement notification serves multiple purposes beyond legal compliance. The FBI shares threat indicators with other potential targets and can help you understand whether you’re dealing with nation-state actors, organized crime, or opportunistic criminals.

Federal Trade Commission Reporting

The FTC doesn’t maintain a data breach notification portal for most businesses. However, if your breach involves consumer financial information or you’re subject to specific FTC regulations, you may need to notify them directly.

The FTC uses breach information to investigate companies for unfair or deceptive practices. Document your security measures, incident response, and notification process. This record demonstrates reasonable security practices if the FTC later investigates.

CISA Cyber Incident Reporting

The Cybersecurity and Infrastructure Security Agency accepts voluntary breach reports and provides incident response support. Report through their incident notification system at cisa.gov.

Figure: CISA incident reporting page (https://www.cisa.gov/report) for voluntary cyber incident notifications

CISA shares anonymized breach information with other organizations to help them defend against similar attacks. They can also provide technical assistance during your incident response.

This cooperation benefits you. CISA has visibility into attack campaigns and can tell you whether you’re dealing with a targeted attack or widespread exploitation of a vulnerability.

Healthcare Data Breach Reporting (HIPAA and HHS)

Healthcare breaches face stricter requirements under HIPAA breach notification rules.

If your breach affects protected health information, you must notify the Department of Health and Human Services Office for Civil Rights. The notification process depends on breach size.

Breaches Affecting 500 or More Individuals

Report these breaches to HHS within 60 days of discovery. File through the HHS breach reporting portal at ocrportal.hhs.gov.

Figure: HHS OCR breach portal (https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf) for HIPAA-covered entities (report 500+ within 60 days)

HHS publishes these breaches on their public “wall of shame” website. This means media attention. Prepare your public communications before filing.

You must also notify prominent media outlets serving the affected area. HHS considers this additional notification critical for reaching affected individuals quickly.

Breaches Affecting Fewer Than 500 Individuals

You still must report these breaches, but you can batch them. Submit an annual log to HHS within 60 days after the end of each calendar year.

Don’t let the delayed reporting deadline fool you. You must still notify affected individuals within 60 days of discovering the breach. Only the HHS notification can be delayed.

HIPAA Notification Requirements

Healthcare breach notifications must include specific elements beyond general data breach notices. Explain what health information was compromised, what healthcare services might be affected, and what individuals should do to protect their medical information.

Offer credit monitoring if financial information or Social Security numbers were compromised. Many affected individuals won’t understand how health information theft leads to financial fraud, so spell it out clearly.

State-Level Data Breach Reporting Requirements

State data breach notification laws create the most complex reporting obligations because every state has different rules.

All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have data breach notification laws. Each defines personal information differently, sets different notification timelines, and requires different information in notifications.

Every U.S. state and territory has a data breach notification law.

Understanding State Notification Triggers

Most states require notification when personal information was or is reasonably believed to have been acquired by an unauthorized person. “Personal information” typically includes a person’s name combined with Social Security number, driver’s license number, financial account information, or medical information.

Some states include additional data elements like email addresses combined with passwords or biometric data. Check each state’s definition because compromising data that one state doesn’t consider personal information might still trigger notification requirements in another state.

Notification Timing by State

Notification deadlines range from “immediate” to 90 days after discovery. Most states require notification “without unreasonable delay” or within 30 to 60 days.

Discovery doesn’t mean when the breach occurred. It means when you reasonably should have known that personal information was compromised. Your investigation timeline matters, but dragging out your investigation to delay notification violates most state laws.

Attorney General Notification

Many states require you to notify the state Attorney General when breaches affect a threshold number of state residents. Common thresholds are 500 or 1,000 residents, but some states require Attorney General notification for any breach.

Submit these notifications simultaneously with or shortly after notifying affected individuals. Include a sample of your consumer notification letter, the number of affected residents, and the date you discovered the breach.

Substitute Notice Provisions

If you lack contact information for affected individuals or if notification costs exceed a state-specific threshold (commonly $250,000), most states allow substitute notice through conspicuous website posting and notification to major statewide media.

Substitute notice isn’t a cost-saving measure. It’s a last resort when individual notification is genuinely impractical. Document why individual notification is impossible before using substitute notice.

Check the complete data breach response plan guide for state-specific notification templates and timeline tracking.

Notifying Credit Bureaus and Affected Individuals

Individual notification carries the highest stakes because it’s your direct communication with people whose trust you just lost.

Credit Bureau Notification Process

Contact Equifax, Experian, and TransUnion when your breach compromises Social Security numbers, driver’s license numbers, or financial account information.

Provide the credit bureaus with:

  • Your organization’s name and contact information
  • Nature of the breach and types of data compromised
  • Approximate number of affected individuals
  • Geographic distribution of affected individuals
  • Timeline of the breach and discovery

The bureaus use this information to monitor for fraudulent credit applications and alert their customers to potential identity theft. Affected individuals should consider placing a credit freeze or fraud alert to prevent new fraudulent accounts.

Individual Notification Content Requirements

Your breach notification letter must include specific information to help affected individuals protect themselves. State laws vary, but most require:

Required Element | What to Include | Why It Matters
Description of Breach | What happened, when it happened, when you discovered it | Transparency builds trust
Data Compromised | Specific data elements accessed or stolen | Individuals need to know their risk level
Your Response | Steps you’ve taken to secure systems and prevent recurrence | Shows you’re taking responsibility
Services Offered | Credit monitoring, identity theft protection, fraud resolution assistance | Demonstrates commitment to making things right
Protective Actions | What individuals should do to protect themselves | Empowers recipients to take control
Contact Information | Dedicated call center or response team details | Provides avenue for questions and concerns

Offering Credit Monitoring Services

Credit monitoring isn’t legally required in most jurisdictions, but it’s become the standard breach response. Offer at least one year of credit monitoring and identity theft protection services at no cost to affected individuals.

Choose a reputable provider and make enrollment easy. Pre-populate enrollment codes in notification letters. Affected individuals won’t enroll if the process is complicated.

Notification Delivery Methods

Use the most reliable contact method you have for each affected individual. Email notification is acceptable for most breaches if you regularly communicate with individuals by email.

Mail notification works when you have physical addresses or when state law requires written notice. Send via first-class mail, not bulk rate, to ensure delivery.

For large-scale breaches where contact information is incomplete, supplement direct notification with conspicuous posting on your website homepage and notification to major media outlets.

Never delay notification because you’re waiting for perfect information. Send an initial notice with what you know, then send updates as your investigation progresses. People need to act quickly to protect themselves.

Creating Your Data Breach Response Plan

If you’re scrambling to figure out breach reporting after you’ve already been compromised, you’re too late.

A data breach response plan documents your notification procedures before crisis hits. This plan turns chaotic breach response into a systematic process that meets legal requirements and preserves stakeholder trust.

Assemble Your Response Team

Identify team members by role, not by name. Your plan needs to work even if specific people are unavailable.

Include:

  • Executive leadership (approval authority for major decisions)
  • Legal counsel (compliance oversight and regulatory communication)
  • IT security (technical investigation and system remediation)
  • Communications (public relations and media management)
  • Human resources (internal notification and employee support)

Define each role’s specific responsibilities during breach response. Document decision-making authority and escalation procedures.

Map Your Notification Requirements

Create a notification matrix that shows who you must notify, under what circumstances, within what timeframe, and through what method.

Document state-specific requirements for every state where you have customers or employees. Include Attorney General contact information, notification thresholds, and timeline requirements.

Maintain updated contact information for federal agencies, credit bureaus, cyber insurance carriers, and forensic investigation firms. You don’t want to be googling for phone numbers during a breach.
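A notification matrix is more useful when it can be run against the facts of a breach to produce a dated schedule. The Python below is an added example, not the article’s or any vendor’s code: it takes the discovery date, affected residents per state, data types and whether protected health information is involved, and returns each required notification with its deadline. The HHS rules (500+ individuals: within 60 days of discovery; fewer: annual log within 60 days after the calendar year ends), the credit bureau trigger (>1,000 residents with SSN or financial data) and the $250,000 substitute notice threshold are the figures the article gives. The per-state entries in `JURISDICTION_RULES` are constructed placeholders, not any real state’s statute; the matrix your counsel maintains replaces them.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# PLACEHOLDER jurisdiction rules, constructed for this example. The names and
# numbers are not any real state's statute; replace with your counsel's matrix.
JURISDICTION_RULES = {
    "STATE_A": {"individual_days": 45, "ag_threshold": 500, "ag_days": 45},
    "STATE_B": {"individual_days": 30, "ag_threshold": 1000, "ag_days": 30},
    "STATE_C": {"individual_days": 60, "ag_threshold": 1, "ag_days": 60},  # AG notice for any breach
}

# Figures the article states directly.
HHS_LARGE_BREACH_MIN = 500        # 500+ affected: report to HHS within 60 days of discovery
HHS_DAYS = 60                     # smaller breaches: annual log within 60 days after year end
CREDIT_BUREAU_THRESHOLD = 1000    # many states: notify bureaus when >1,000 residents affected
SUBSTITUTE_NOTICE_COST_USD = 250_000
BUREAU_DATA_TYPES = {"ssn", "drivers_license", "financial_account"}


@dataclass
class BreachFacts:
    discovery: date                 # when you reasonably knew data was compromised
    residents_by_state: dict        # {"STATE_A": 1200, ...}; only affected states
    data_types: set                 # {"ssn", "email", ...}
    involves_phi: bool = False
    notification_cost_usd: int = 0
    contact_info_sufficient: bool = True


@dataclass
class Notification:
    party: str
    deadline: date
    basis: str


def individuals_deadline(facts: BreachFacts) -> date:
    """Shortest deadline among the affected states governs the individual notice."""
    days = min(JURISDICTION_RULES[s]["individual_days"] for s in facts.residents_by_state)
    return facts.discovery + timedelta(days=days)


def hhs_deadline(facts: BreachFacts) -> date:
    total = sum(facts.residents_by_state.values())
    if total >= HHS_LARGE_BREACH_MIN:
        return facts.discovery + timedelta(days=HHS_DAYS)
    # Fewer than 500: batched in the annual log, due 60 days after the calendar year ends.
    return date(facts.discovery.year, 12, 31) + timedelta(days=HHS_DAYS)


def substitute_notice_allowed(facts: BreachFacts) -> bool:
    """Substitute notice is a last resort: insufficient contact data or cost above the threshold."""
    return (not facts.contact_info_sufficient) or facts.notification_cost_usd > SUBSTITUTE_NOTICE_COST_USD


def build_notification_plan(facts: BreachFacts) -> list:
    """Return every required notification, earliest deadline first.

    Raises KeyError for a state missing from JURISDICTION_RULES: an unknown
    jurisdiction is a gap in the matrix, not something to guess at.
    """
    plan = [Notification("affected individuals", individuals_deadline(facts),
                         "shortest applicable state deadline")]
    for state, count in facts.residents_by_state.items():
        rule = JURISDICTION_RULES[state]
        if count >= rule["ag_threshold"]:
            plan.append(Notification(f"{state} Attorney General",
                                     facts.discovery + timedelta(days=rule["ag_days"]),
                                     f"{count} residents meets threshold of {rule['ag_threshold']}"))
    if facts.data_types & BUREAU_DATA_TYPES and any(
            n > CREDIT_BUREAU_THRESHOLD for n in facts.residents_by_state.values()):
        plan.append(Notification("credit bureaus (Equifax, Experian, TransUnion)",
                                 individuals_deadline(facts),
                                 "SSN/financial data and >1,000 residents in a state"))
    if facts.involves_phi:
        plan.append(Notification("HHS Office for Civil Rights", hhs_deadline(facts),
                                 "protected health information involved"))
    plan.sort(key=lambda n: n.deadline)
    return plan


if __name__ == "__main__":
    # Constructed breach facts for the walkthrough.
    facts = BreachFacts(date(2025, 3, 10), {"STATE_A": 1200, "STATE_B": 20},
                        {"ssn", "email"}, involves_phi=True, notification_cost_usd=40_000)
    for n in build_notification_plan(facts):
        print(f"{n.deadline}  {n.party:45}  {n.basis}")
    print("substitute notice allowed:", substitute_notice_allowed(facts))
```

The deliberate `KeyError` on an unlisted state is the point of the exercise: the plan should fail loudly during a tabletop exercise, not during a live breach, when a jurisdiction is missing from the matrix.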

Prepare Notification Templates

Draft template notification letters for affected individuals, regulators, and media. Include placeholder fields for breach-specific information like dates, data elements compromised, and number of affected individuals.

Have legal counsel review these templates now. Making edits during an active breach creates delays when every hour counts.

Prepare FAQ documents for your customer service team. Affected individuals will call with questions, and your team needs consistent, accurate answers.

Document Communication Protocols

Establish who can make public statements about breaches. One voice prevents conflicting information that damages credibility.

Define your media response strategy. Will you proactively reach out to media or respond only to inquiries? Either approach works, but decide in advance.

Create internal communication procedures so employees learn about breaches from management, not from news reports. Your team needs to understand what happened and how to respond to customer questions.

Test Your Plan Annually

Run tabletop exercises that simulate breach scenarios. Walk through your notification procedures with your response team and identify gaps.

Update contact information, notification requirements, and regulatory requirements at least annually. Data breach laws change frequently.

Review your plan after every security incident, even minor ones. Small incidents reveal process weaknesses before major breaches exploit them.

The complete post-breach action guide covers response plan testing and continuous improvement processes.


Quick Answers to Key Questions

Who do you report a data breach to?

For most organizations, report a suspected data breach to the organization that holds the data using official incident-reporting channels like security email addresses or privacy officers. Organizations must then notify regulators like state attorneys general, health authorities, and data protection authorities, plus affected individuals, under specific breach notification rules.

Who do I contact if my data has been breached?

If you learn your data was breached, immediately contact the affected organization to understand what information was exposed and what monitoring services they provide. U.S. consumers should also submit an identity theft report through the FTC’s IdentityTheft.gov portal if personal information is misused.

Figure: IdentityTheft.gov (https://www.identitytheft.gov): report and recover from identity theft

What if I discover a breach affecting my organization?

Secure your systems immediately, preserve evidence, and begin your notification process based on the types of data compromised and where affected individuals live. Don’t wait for complete information before notifying regulators and affected individuals.

