US Breach Response Checklist

A structured checklist for US-regulated organisations covering state notification laws, SEC filing requirements, HIPAA, and FTC obligations. Work through it on screen during an incident, or print it empty for your incident response binder.

Last updated: April 2026
Jurisdiction: United States (federal + state)
See also: EU/GDPR Checklist

Phase 1 (Hour 0–4): Containment & Triage

Phase 2 (Hour 4–24): Scope & Assessment

Phase 3 (Hour 24–48): State and Federal Notification Preparation

Phase 4: Execute Notifications (per state timeline)

Phase 5: Post-Notification: Remediation & Review

US breach notification — FAQ

Is there a single federal data breach notification law in the US?

No. The US has no single federal breach-notification statute for general personal data. All 50 states, plus DC and several territories, have their own breach-notification laws, layered with sector-specific federal rules such as HIPAA for health data and GLBA for financial institutions. Your obligations are driven by where the affected individuals reside, not where your organisation is based.

How quickly must I notify after a US data breach?

It varies by state. Many require notification without unreasonable delay, while others set hard deadlines, commonly 30, 45, or 60 days from discovery. Some states also require notifying the state Attorney General, often above a threshold such as 500 or 1,000 affected residents. Because a breach can span several states, the strictest applicable deadline usually governs your timeline.

Who do I have to notify after a breach?

Typically the affected individuals, and depending on the state and scale: the state Attorney General or regulator, the major credit reporting agencies, and, under sector rules, bodies such as HHS for HIPAA-covered health data. A multi-state breach commonly requires notifying several Attorneys General at once, each on that state's own timeline and format.

When is breach notification legally required in the US?

Generally when unencrypted personal information is reasonably believed to have been acquired by an unauthorised party. Each state defines the triggering data, but it usually means a name combined with a Social Security number, driver's licence number, or financial account details. Most states exempt breaches of properly encrypted data where the key was not also compromised, but the risk assessment must be documented.

What about HIPAA, SEC, and other federal rules?

Federal and sector rules run in parallel with state law. HIPAA requires covered entities to notify individuals, HHS, and, for breaches affecting 500 or more, the media, generally within 60 days. Public companies must file an SEC Form 8-K, Item 1.05, within four business days of determining a cybersecurity incident is material. GLBA covers financial institutions. When a breach touches regulated data, you must satisfy both state law and every applicable federal framework, whichever is stricter on each point.

This checklist is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for your specific situation.
