Notification clock register
All 50 US states + 120 countries: your clock starts the moment you know.
For a multi-jurisdiction breach the notification stack is the most complex regulatory work an organization will ever do. Below: 10 major global frameworks, all 50 US state regimes summarised by deadline and penalty, and the cost components that make notification 6% of total breach cost.
GDPR clock
72 hours
From awareness, to lead authority
California SB 446
30 days
Effective Jan 2026, strictest US
GDPR max fine
4%
Of global annual revenue
Notification share
6%
Of total breach cost (IBM 2025)
Section 09.1 / Global frameworks
Major jurisdictions, side by side
The 72-hour benchmark is now the global default for major data-protection frameworks (GDPR, UK GDPR, South Korea PIPA). Outliers below or above this clock represent earlier-generation regimes (US states, Canada PIPEDA) or fast-moving 2023+ statutes (India DPDP, Brazil LGPD). 'Promptly' and 'as soon as feasible' are not flexible. Regulators interpret them as days, not weeks.
| Jurisdiction | Deadline | Authority | Max fine | Trigger |
|---|---|---|---|---|
| European Union (GDPR) | 72 hours | Lead supervisory authority | 4% global revenue or 20M EUR | Risk to rights and freedoms |
| United Kingdom (UK GDPR) | 72 hours | ICO | 17.5M GBP or 4% revenue | Risk to rights and freedoms |
| United States (Federal) | No federal law | State-by-state | Varies by state | Varies by state |
| Canada (PIPEDA) | As soon as feasible | Privacy Commissioner | $100K CAD per violation | Real risk of significant harm |
| Australia (NDB Scheme) | 30 days | OAIC | $50M AUD | Likely to result in serious harm |
| Brazil (LGPD) | Reasonable time | ANPD | 2% revenue or 50M BRL | Risk or damage to data subjects |
| Japan (APPI) | Promptly (3-5 days guidance) | PPC | 1M JPY per violation | Leakage of personal data |
| South Korea (PIPA) | 72 hours | PIPC | 3% related revenue | Leakage of personal data |
| India (DPDP Act 2023) | Without unreasonable delay | Data Protection Board | 250 Crore INR (~$30M) | Personal data breach |
| Singapore (PDPA) | 3 days | PDPC | $1M SGD or 10% revenue | Significant harm or scale |
Section 09.2 / US state-by-state register
The 50-statute reality
The US has no federal breach-notification law. Multi-state breaches must comply with more than 50 different statutes, each with its own deadline, AG-notification trigger, and definition of personal information. The deadline range runs from 30 days (California SB 446 from Jan 2026, Florida, Washington, Colorado, Oregon) to 'without unreasonable delay' (most states). The table below summarises the 15 states most relevant to multi-state filings.
| State | Deadline | AG notification | Penalty | Notes |
|---|---|---|---|---|
| California | 30 days (SB 446, Jan 2026) | Yes (500+ records) | $2,500-$7,500/violation (CCPA) | Most comprehensive. CCPA/CPRA rights. |
| New York | Without unreasonable delay | Yes | $5,000/violation (SHIELD Act) | SHIELD Act expanded in 2019. |
| Texas | 60 days | Yes (250+ residents) | $100-$250K/breach | Expanded notification requirements 2025. |
| Florida | 30 days | Yes (500+ individuals) | $1K/day ($500K max) | One of the shortest deadlines. |
| Illinois | Without unreasonable delay | Yes | AG enforcement | BIPA biometric data law is separate. |
| Virginia | 60 days | Yes | $150K/violation (VCDPA) | Consumer Data Protection Act 2023. |
| Colorado | 30 days | Yes | $20K/violation | Colorado Privacy Act 2023. |
| Connecticut | 60 days | Yes | $5K/violation | Connecticut Data Privacy Act 2023. |
| Massachusetts | As soon as practicable | Yes | $5K/violation | 201 CMR 17.00 data security regs. |
| Washington | 30 days | Yes (500+ residents) | $25K/violation | My Health My Data Act 2024. |
| Pennsylvania | Without unreasonable delay | Yes | $1K-$5K/day | Breach of Personally Identifiable Info Act. |
| Ohio | 45 days | Yes | AG enforcement | Data Protection Act safe harbor. |
| Georgia | Without unreasonable delay | No specific requirement | AG enforcement | Relatively limited scope. |
| New Jersey | Without unreasonable delay | Yes | $10K/violation | Expanded PI definition 2024. |
| Oregon | 45 days | Yes (250+ residents) | $25K/violation | Consumer Privacy Act 2024. |
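The two registers above as a working deadline calculator, an added example that is not part of this page: it transcribes a subset of the deadlines and AG-notification thresholds from the tables, takes the moment of awareness and the per-jurisdiction affected counts, and returns the filing queue earliest-due first, with the single binding clock on top. The register codes, the `Regime` and `Filing` types, and the 30-day planning default applied to 'without unreasonable delay' regimes are assumptions of the example, not values from any statute.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Regime:
    name: str
    authority: str
    clock: Optional[timedelta]   # None = statute says 'without unreasonable delay' (no fixed clock)
    ag_threshold: int = 0        # affected count at or above which the AG/regulator must be told (0 = always)


# Transcribed from the two tables on the page. Japan's 'promptly (3-5 days guidance)'
# is entered at its lower bound; Canada and the 'without unreasonable delay' states
# carry no fixed clock and receive the planning default below.
REGISTER = {
    "EU":    Regime("European Union (GDPR)", "Lead supervisory authority", timedelta(hours=72)),
    "UK":    Regime("United Kingdom (UK GDPR)", "ICO", timedelta(hours=72)),
    "KR":    Regime("South Korea (PIPA)", "PIPC", timedelta(hours=72)),
    "SG":    Regime("Singapore (PDPA)", "PDPC", timedelta(days=3)),
    "JP":    Regime("Japan (APPI)", "PPC", timedelta(days=3)),
    "AU":    Regime("Australia (NDB Scheme)", "OAIC", timedelta(days=30)),
    "CA":    Regime("Canada (PIPEDA)", "Privacy Commissioner", None),
    "US-CA": Regime("California", "California AG", timedelta(days=30), ag_threshold=500),
    "US-FL": Regime("Florida", "Florida AG", timedelta(days=30), ag_threshold=500),
    "US-TX": Regime("Texas", "Texas AG", timedelta(days=60), ag_threshold=250),
    "US-OH": Regime("Ohio", "Ohio AG", timedelta(days=45)),
    "US-NY": Regime("New York", "New York AG", None),
}

# Planning assumption only (not from any statute): schedule an unfixed clock as 30 days,
# since the page notes regulators read 'promptly' as days, not weeks.
UNFIXED_CLOCK = timedelta(days=30)


@dataclass(frozen=True)
class Filing:
    code: str
    authority: str
    due: datetime
    fixed_clock: bool    # False when the due date comes from UNFIXED_CLOCK, not a statute
    ag_notice: bool      # regulator/AG notice required at this affected count


def filing_queue(discovered_at: datetime, affected: dict[str, int],
                 unfixed: timedelta = UNFIXED_CLOCK) -> list[Filing]:
    """Build the filing queue for a multi-jurisdiction breach, earliest due first.

    discovered_at is the moment of awareness (the page's 'moment you know');
    affected maps register codes to the number of residents/data subjects hit.
    An unknown code raises rather than silently dropping a jurisdiction.
    """
    if discovered_at.tzinfo is None:
        raise ValueError("discovered_at must be timezone-aware")
    queue = []
    for code, count in affected.items():
        if count <= 0:
            continue
        regime = REGISTER.get(code)
        if regime is None:
            raise KeyError(f"no register entry for {code}")
        clock = regime.clock if regime.clock is not None else unfixed
        queue.append(Filing(
            code=code,
            authority=regime.authority,
            due=discovered_at + clock,
            fixed_clock=regime.clock is not None,
            ag_notice=count >= regime.ag_threshold,
        ))
    # Earliest deadline first; ties broken by code so the order is deterministic.
    return sorted(queue, key=lambda f: (f.due, f.code))


def binding_deadline(discovered_at: datetime, affected: dict[str, int]) -> Optional[Filing]:
    """The single clock that governs the whole response: the earliest filing, or None."""
    queue = filing_queue(discovered_at, affected)
    return queue[0] if queue else None


if __name__ == "__main__":
    found = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)                 # constructed discovery time
    hit = {"EU": 1200, "US-CA": 800, "US-TX": 100, "US-NY": 40}             # constructed affected counts
    for f in filing_queue(found, hit):
        print(f"{f.code:6} due {f.due:%Y-%m-%d %H:%M}Z  fixed={f.fixed_clock}  ag_notice={f.ag_notice}")
```

Two design points: the individual-notification clock runs regardless of the AG threshold (Texas at 100 residents still has a 60-day deadline, only the AG notice drops out), and an unfixed clock is flagged rather than hidden so that counsel can see which due dates rest on a planning assumption rather than a statute.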
Primary source: State AG sites and statutes; IAPP US State Privacy Legislation Tracker; Perkins Coie Security Breach Notification Chart 2026 (verified Q1 2026).
Section 09.3 / What triggers notification
The encryption safe harbor and the risk-of-harm threshold
Two technical concepts dominate notification triggers across most modern statutes: the encryption safe harbor (encrypted data exfiltrated with the encryption key still secure does not trigger most notification obligations) and the risk-of-harm threshold (statutes vary on whether the threshold is 'risk of harm' or 'significant risk of harm'). Both are interpreted strictly: regulators have rejected encryption safe harbor claims where key management was inadequate, and class-action lawyers routinely challenge risk-of-harm determinations.
Encryption safe harbor
Most US state statutes and HIPAA exempt encrypted data from notification, provided the encryption key was not also exposed. Practical implication: a stolen laptop with full-disk encryption is typically a non-event under most statutes; an unencrypted laptop or an encrypted database where the key was stored alongside is a breach.
- [+] AES-256 at rest, key in HSM, key separate from data
- [+] TLS 1.3 in transit
- [!] Field-level encryption for PII even when stored in encrypted DB
Risk-of-harm threshold
Some statutes (Australia NDB, Canada PIPEDA, several US states) include a risk-of-harm assessment. Organizations may avoid notification if they can demonstrate that the breach is unlikely to result in significant harm. Documentation of the assessment is key: regulators have rejected determinations made without contemporaneous evidence.
- [?] Document the assessment contemporaneously
- [?] Engage outside counsel for the determination
- [!] Some states (NY SHIELD) impose strict-liability notification
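The two triggers above, turned into a triage routine with a contemporaneous record, as an added example that is not from this page: `safe_harbor_applies` requires all three conditions the section names (encrypted, key held separately, key not exposed), `assess` then walks the risk-of-harm questions in order (strict-liability statute, sensitive data classes, harm indicators), and `record` writes a timestamped, hash-chained assessment so the determination can later be shown to have been made at the time. The `SENSITIVE` set beyond SSNs and financial-account data, the harm-indicator strings, the asset fields and the record layout are assumptions of the example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from enum import Enum
import hashlib
import json


class Outcome(str, Enum):
    SAFE_HARBOR = "safe_harbor"                  # encrypted, key secure: no trigger under most statutes
    NO_SIGNIFICANT_HARM = "no_significant_harm"  # risk-of-harm assessment supports not notifying
    NOTIFY = "notify"


# SSNs and financial-account data are the classes the page names as forcing notification;
# the remaining entries are assumptions for illustration.
SENSITIVE = frozenset({"ssn", "financial_account", "health", "biometric", "credential"})


@dataclass(frozen=True)
class ExposedAsset:
    label: str
    data_classes: frozenset
    encrypted: bool        # encrypted at rest (or field-level) at the time of exposure
    key_separate: bool     # key held apart from the data (HSM/KMS), not in the same store or image
    key_exposed: bool      # any evidence the key material itself was reachable by the attacker


def safe_harbor_applies(asset: ExposedAsset) -> bool:
    """Encryption safe harbor needs all three: encrypted, key kept separate, key not exposed."""
    return asset.encrypted and asset.key_separate and not asset.key_exposed


def assess(asset: ExposedAsset, strict_liability: bool,
           harm_indicators: tuple[str, ...] = ()) -> tuple[Outcome, list[str]]:
    """Return (outcome, reasons). Reasons are the evidence trail, in decision order."""
    reasons = []
    if safe_harbor_applies(asset):
        reasons.append("data encrypted; key separate and not exposed")
        return Outcome.SAFE_HARBOR, reasons
    if asset.encrypted and not asset.key_separate:
        reasons.append("encrypted but key stored alongside data: safe harbor unavailable")
    elif asset.encrypted:
        reasons.append("encrypted but key exposed: safe harbor unavailable")
    else:
        reasons.append("data unencrypted")
    if strict_liability:
        reasons.append("strict-liability statute: no risk-of-harm defence")
        return Outcome.NOTIFY, reasons
    sensitive = asset.data_classes & SENSITIVE
    if sensitive:
        reasons.append(f"sensitive classes exposed: {sorted(sensitive)}")
        return Outcome.NOTIFY, reasons
    if harm_indicators:
        reasons.append("harm indicators present: " + ", ".join(harm_indicators))
        return Outcome.NOTIFY, reasons
    reasons.append("no sensitive classes and no harm indicators: unlikely to result in significant harm")
    return Outcome.NO_SIGNIFICANT_HARM, reasons


def record(asset: ExposedAsset, outcome: Outcome, reasons: list[str],
           assessed_by: str, previous_hash: str = "") -> dict:
    """Contemporaneous, tamper-evident assessment record, hash-chained to the prior record."""
    body = {
        "assessed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "assessed_by": assessed_by,
        "asset": {**asdict(asset), "data_classes": sorted(asset.data_classes)},
        "outcome": outcome.value,
        "reasons": reasons,
        "previous_hash": previous_hash,
    }
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {**body, "record_hash": digest}


if __name__ == "__main__":
    # Constructed scenario: FDE laptop with the key in the TPM versus a database dump whose
    # key sat in the same backup image.
    laptop = ExposedAsset("stolen laptop", frozenset({"email", "ssn"}), True, True, False)
    dump = ExposedAsset("db backup image", frozenset({"email", "ssn"}), True, False, False)
    for asset in (laptop, dump):
        outcome, reasons = assess(asset, strict_liability=False)
        print(json.dumps(record(asset, outcome, reasons, "analyst-1"), indent=2))
```

The decision order matters: the safe harbor is checked first because it removes the trigger entirely, strict liability is checked before the harm factors because it makes them irrelevant, and each branch appends its reason before returning so that the record always explains why the cheaper exits did not apply.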
Section 09.4 / Cost of notification
Why notification is 6% of breach cost
Notification is the smallest of IBM's four breach-cost categories at 6%, but at the $4.44M global average that is still ~$266K. Per-record costs range from $1 (electronic-only notification) to $10 (printed letter, certified mail, multilingual). Credit-monitoring provision (typically required for sensitive-PII breaches) adds $10-$30 per person per year over 12-24 months.
Per-person notification cost ranges from $1 (electronic-only) to $10+ (printed letter, certified mail, multilingual). Most US state statutes specify acceptable notification methods; some require multiple methods if email cannot be reasonably expected to reach the affected party.
Credit-monitoring provision is typically required by AG settlements (rather than statutes) for breaches involving SSNs or financial-account data. Industry rate is $10-$30 per person per year for 12-24 months. For a 1M-record breach, this adds $10M-$60M.
Regulatory filing costs include outside counsel time for multi-jurisdiction filings (typically $50K-$500K), AG-coordination conference calls, and supervisory-authority response cycles for GDPR-relevant breaches.
Call-centre setup for incoming inquiries from notified individuals typically costs $500K-$3M for breaches affecting 100K+ individuals, including 8-12 weeks of staffing at peak inquiry volume.
Primary source: IBM Cost of a Data Breach Report 2025 (notification category 6% share); Verizon DBIR 2025 (notification cost ranges); Coalition Cyber Insurance pricing data Q1 2026.
Index / Companion schedules
08 By country
→ Cost impact of these notification regimes.
03 By industry
→ Sector-specific regulatory burden.
10 Cost breakdown
→ Notification as 6% of total breach cost.
01 Calculator
→ See your specific exposure including notification cost.
04 Biggest breaches
→ The notification clocks these companies faced.
06 Ransomware
→ Reporting requirements specific to ransomware.
Schedule F / Reference Q&A