Data Breach Notification: What Your Privacy Policy Should Address
Data breaches are not a matter of if, but when. Every business that collects personal information faces the risk of a security incident, and every US state plus most countries have laws that require businesses to notify affected individuals when their personal data is compromised. Your privacy policy should address your breach notification commitments and demonstrate that you have a plan in place.
What Constitutes a Data Breach?
A data breach occurs when personal information is accessed, acquired, used, or disclosed without authorization. This includes:
- External attacks — Hacking, phishing, malware, or ransomware that exposes user data
- Internal incidents — Employee mistakes, unauthorized employee access, or insider threats
- Physical breaches — Stolen laptops, lost storage devices, or unauthorized access to physical records
- Vendor incidents — A third-party service provider experiences a breach affecting your users' data
- Accidental exposure — Data inadvertently published online, emailed to the wrong recipient, or left in an unsecured location
Not every security incident constitutes a reportable breach. Most notification laws require that the incident involve personal information and create a meaningful risk of harm to affected individuals.
Data Breach Notification Laws
US State Laws
All 50 US states, the District of Columbia, and US territories have data breach notification laws. While specific requirements vary, most share common elements:
- Covered information — Typically includes name combined with Social Security number, driver's license number, financial account number, or medical information
- Notification timeline — Ranges from 30 to 90 days depending on the state; some require notification "as expeditiously as possible"
- Notification content — Must include a description of the incident, types of information involved, steps the business is taking, and how affected individuals can protect themselves
- Notification methods — Written notice, electronic notice, or substitute notice (for very large breaches)
- Regulatory notification — Many states require notification to the state attorney general, especially for breaches affecting a large number of residents
GDPR
The GDPR requires:
- 72-hour notification to supervisory authority — You must notify the relevant data protection authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms
- Notification to affected individuals — Required when the breach is likely to result in a high risk to individuals' rights and freedoms
- Documentation — All breaches must be documented, including those that do not require notification
CCPA/CPRA
While the CCPA does not have its own breach notification requirement, it provides a private right of action for certain data breaches, allowing consumers to sue for statutory damages of $100 to $750 per consumer, per incident, if a breach results from the business's failure to implement reasonable security measures.
The 72-hour notification requirement under the GDPR starts from when you become "aware" of the breach, not when the breach occurred. This means you need monitoring and detection systems in place to identify breaches quickly, as delayed discovery does not extend your notification deadline.
What Your Privacy Policy Should Say About Breaches
Security Measures
Describe the general security measures you have in place to protect personal information:
- Encryption of data at rest and in transit
- Access controls and authentication requirements
- Regular security assessments and penetration testing
- Employee training on data security
- Monitoring and detection systems
Be descriptive enough to build confidence without revealing specific security details that could be exploited.
Breach Notification Commitment
Include a statement about how you will handle breaches:
- You will notify affected individuals in accordance with applicable laws
- You will provide information about the nature of the breach and the types of data involved
- You will describe the steps you are taking to address the breach
- You will provide guidance on steps individuals can take to protect themselves
Contact Information
Provide a way for users to report security concerns:
- Dedicated security email address
- Responsible disclosure policy for security researchers
- General contact information for security-related inquiries
Building a Breach Response Plan
While the details of your breach response plan are internal, having one directly supports the commitments in your privacy policy.
Preparation Phase
Before a breach occurs:
- Assign roles — Designate an incident response team with clear responsibilities
- Create templates — Draft notification letters, press statements, and regulatory filings
- Identify requirements — Map notification requirements for each jurisdiction where you have users
- Establish vendor contacts — Line up forensic investigators, PR firms, and legal support
- Conduct tabletop exercises — Practice breach response scenarios regularly
Detection and Assessment
When a potential breach is identified:
- Contain the breach — Stop the unauthorized access as quickly as possible
- Preserve evidence — Secure logs, access records, and affected systems for investigation
- Assess scope — Determine what data was affected, how many individuals are impacted, and the risk of harm
- Classify severity — Determine whether the incident triggers notification requirements
Notification
When notification is required:
- Determine recipients — Identify all affected individuals and applicable regulatory bodies
- Prepare notifications — Draft clear, honest communications that include required information
- Meet deadlines — Comply with the shortest applicable notification timeline
- Offer remediation — Provide credit monitoring, identity theft protection, or other appropriate services
- Document everything — Record all notification activities for compliance documentation
Recovery
After notifications are sent:
- Remediate vulnerabilities — Fix the security weaknesses that enabled the breach
- Enhance monitoring — Implement additional detection capabilities
- Review and update — Update your security measures, privacy policy, and breach response plan based on lessons learned
- Regulatory follow-up — Respond to any regulatory inquiries or investigations
Maintain an up-to-date inventory of where your users are located. Breach notification requirements are determined by the jurisdictions where affected individuals reside, not where your business is based. Knowing your user geography in advance allows you to respond quickly rather than scrambling to identify applicable laws during a crisis.
Vendor Breach Management
Data breaches at your vendors and service providers can affect your users. Your vendor management practices should include:
Contractual Requirements
Your data processing agreements should require vendors to:
- Notify you of breaches within a specified timeframe (typically 24-48 hours)
- Provide detailed information about the scope and impact
- Cooperate with your investigation and response efforts
- Implement corrective measures
Vendor Assessment
Evaluate vendors' security posture:
- Review their security certifications (SOC 2, ISO 27001)
- Assess their breach history and response track record
- Verify their own breach notification procedures
- Monitor for reported incidents
Communication Chain
Establish clear communication protocols:
- Who at the vendor contacts whom at your company
- What information must be included in the initial notification
- Escalation procedures for severe incidents
- Coordination of external notifications
Common Breach Response Mistakes
Delayed Discovery
Many breaches go undetected for weeks or months. Invest in monitoring and detection tools that alert you to suspicious activity quickly.
Incomplete Notification
Notifications that lack required information (description of the breach, types of data involved, remediation steps) can result in regulatory penalties and undermine consumer trust.
Inconsistent Communication
Sending different messages to different audiences creates confusion and credibility problems. Coordinate all communications through a single team.
Over-Notification
Not every security incident requires notification. Assess each incident against applicable legal thresholds before sending notifications. Over-notification can cause unnecessary alarm and notification fatigue.
Integrating Breach Preparedness into Your Privacy Policy
Your privacy policy should reflect the reality that breaches are a possibility and demonstrate that you are prepared. The goal is not to alarm users but to show that you take data security seriously and have plans in place to protect them if something goes wrong. This transparency builds trust and positions your business as a responsible custodian of personal data.