Chapter 2 of 12

Module 2: Legal and Regulatory Landscape for Data Breaches

Dive into the major legal regimes that govern breach preparation and response, with emphasis on recent updates to notification and incident response requirements in the US and EU.

Step 1 – Orienting the Landscape: Why Data Breach Law Is Fragmented

In this module, you zoom in from the high‑level lifecycle (Module 1) to the legal map that governs data breaches.

Think of a single ransomware incident at a multinational company. The same incident can simultaneously trigger:

  • EU-wide rules: GDPR (and UK GDPR, if relevant)
  • 50+ US state/territory breach notification statutes
  • Sectoral US federal regimes: GLBA, HIPAA, FCC rules, SEC rules, etc.
  • Critical infrastructure reporting: CIRCIA (US), NIS2 (EU) and national implementations

Your goals in this module:

  1. Compare timelines: GDPR’s 72‑hour supervisory authority notification vs. US state and sectoral deadlines (often 30–45 days for individuals, sometimes shorter for regulators).
  2. Spot overlay regimes: When do GLBA, FCC rules, SEC Regulation S‑P, and CIRCIA apply in addition to state breach laws?
  3. Apply recent changes, especially:
  • New York’s and California’s firm 30‑day individual notice deadlines
  • Expanded duties to notify state attorneys general and sector regulators
  • New SEC and FCC breach rules, and emerging CIRCIA requirements

Keep in mind the date: today is January 27, 2026. Several of the rules we discuss have been significantly updated since 2023–2024; older study materials may be out of date.

Mental model:

  • Horizontal rules – broad, cross‑sector (e.g., GDPR, US state laws)
  • Vertical rules – sector‑specific overlays (e.g., GLBA, FCC, SEC)

We will move from the EU (GDPR), to US states, then to US sectoral regimes and critical infrastructure reporting.

Step 2 – GDPR Core Framework: Articles 32, 33, and 34

Under the GDPR (in force since 2018, still the core EU privacy regime in 2026), three provisions are central to breach preparation and response:

1. Article 32 – Security of Processing

Article 32 does not define a breach; it sets the standard of care for security:

  • Controllers and processors must implement “appropriate technical and organisational measures”.
  • Examples: encryption, pseudonymisation, resilience, backup, regular testing.
  • Breach analysis often asks: Were Article 32 measures adequate given the state of the art, costs, and risks?

2. Article 33 – Personal Data Breach Notification to Supervisory Authority

Key points:

  • Trigger: Personal data breach that is likely to result in a risk to the rights and freedoms of natural persons.
  • Deadline: “Without undue delay and, where feasible, not later than 72 hours” after becoming aware of the breach.
  • If notification is later than 72 hours, the controller must justify the delay.
  • Recipients: Competent supervisory authority (e.g., CNIL in France, DPA in Ireland).
  • Content (Article 33(3)):
  • Nature of the breach (categories and approximate number of data subjects/records)
  • Contact details of the DPO or contact point
  • Likely consequences
  • Measures taken or proposed to address the breach

Awareness is interpreted (per EDPB guidance) as the point where the controller has a reasonable degree of certainty that a security incident is a personal data breach.

3. Article 34 – Communication to Data Subjects

  • Trigger: Breach likely to result in a high risk to the rights and freedoms of natural persons.
  • Deadline: Without undue delay (no fixed hours/days, but DPAs expect prompt action).
  • Content: Plain‑language description of the breach, likely consequences, and measures taken, plus contact point.
  • Exceptions (no notice to individuals required) if:
  • Data were protected by strong encryption or otherwise rendered unintelligible; or
  • Subsequent measures have ensured that the high risk is no longer likely to materialise; or
  • Individual notification would involve disproportionate effort, in which case a public communication is used instead.

Risk‑based logic

  • Article 33 (DPA notice) ⇒ “risk”
  • Article 34 (data subject notice) ⇒ “high risk”

This risk layering is fundamentally different from many US state laws, which are more harm‑to‑consumer and data‑type‑triggered than GDPR’s rights‑and‑freedoms analysis.

Step 3 – Applying GDPR Risk vs. High Risk (Thought Exercise)

Work through these scenarios and decide:

  1. Scenario A – Encrypted Laptop

A controller’s employee loses a laptop containing HR records (names, addresses, salary, limited health information). The disk is encrypted with full‑disk encryption and strong key management.

  • Q1: Is this a personal data breach under GDPR?
  • Q2: Is Article 33 notification to the supervisory authority required?
  • Q3: Is Article 34 notification to data subjects required?
  2. Scenario B – Ransomware with Data Exfiltration

A hospital in Germany is hit by ransomware. Forensics show exfiltration of medical records (diagnoses, treatments, identifiers) of 50,000 patients. No proof yet of public posting.

  • Q1: Article 33 notification? By when?
  • Q2: Article 34 notification? To whom and how quickly?
  • Q3: What Article 32 arguments will the DPA examine?
  3. Scenario C – Misaddressed Email

A bank emails monthly statements (names, account numbers, balances) of 30 customers to the wrong corporate client. The recipient promptly confirms deletion and signs a deletion attestation.

  • Q1: Does this cross the risk threshold for Article 33?
  • Q2: Does it cross the high risk threshold for Article 34?

Your task:

For each scenario, write a short, structured answer (bullet points) that states:

  • Whether Article 33 is triggered and why
  • Whether Article 34 is triggered and why
  • One or two factors you would document in the incident report to defend your assessment

Try to reason using the risk vs. high risk framework, not just intuition about “seriousness.”

Step 4 – US State Breach Laws: From Patchwork to Stricter Deadlines

In the US, there is no single federal omnibus breach notification law. Instead, nearly all states, DC, and several territories have their own breach statutes. As of early 2026, key trends are:

A. Trigger Concepts

Most state laws focus on:

  1. “Personal information” (PI) – typically a name plus another identifier (SSN, driver’s license, financial account + access code, medical/health data, etc.).
  2. “Breach” – usually unauthorized acquisition of PI; some states now also cover unauthorized access (even without clear acquisition).
  3. Risk/harm thresholds – many states use a standard like “material risk of harm” or “likely to result in identity theft or fraud” to determine whether notice is required.

This is more data‑type and harm‑centric than GDPR’s rights‑and‑freedoms approach.

B. Timelines: The 30–45 Day Trend

Historically, laws said “in the most expedient time possible and without unreasonable delay”. Since roughly 2018, states have increasingly hard‑coded outer limits. Two important examples with firm 30‑day deadlines:

  • New York
  • Under New York’s breach notification law (as amended), entities must generally notify affected individuals no later than 30 days after the determination that a breach occurred, subject to law‑enforcement delay.
  • New York’s SHIELD Act also expanded the definition of PI and strengthened security program expectations.
  • California
  • California’s breach laws (including Cal. Civ. Code §§ 1798.29, 1798.82, as amended in recent years) impose a 30‑day outer deadline for notification to affected individuals after completion of the investigation sufficient to determine scope and affected persons, again subject to law‑enforcement delay.
  • California has also tightened content and format requirements and integrated breach expectations with its broader privacy regime (CCPA/CPRA).

Other states set their own caps, commonly 45 or 60 days, though some are shorter (e.g., Florida 30 days; Colorado and Ohio 30 days; many others 45 days). You must always check the latest statutory text and AG guidance, as these deadlines have been shortened in several updates between 2020 and 2025.

C. Regulator / AG Notification

Recent amendments in multiple states (including NY and CA) have:

  • Expanded mandatory notice to state attorneys general or other regulators above certain thresholds (e.g., >500 or >1,000 residents).
  • Required submission of sample notice letters and incident summaries.
  • Enabled more coordinated enforcement, especially where companies repeatedly delay notifications or under‑inform consumers.

D. Contrast with GDPR

  • GDPR: 72‑hour DPA notice for risk, and separate data subject notice for high risk (no fixed hours/days).
  • US states: Typically longer outer limits (30–60 days) for individual notice, sometimes with shorter or separate timelines for AG/regulator notice. No universal supervisory authority equivalent.

From an incident‑response perspective, this means:

  • In a cross‑border breach, the GDPR 72‑hour clock is usually your tightest deadline.
  • US state clocks are longer but more fragmented; you must track different triggers and recipient lists.

Step 5 – Worked Example: Dual GDPR + US State Notification

Imagine a SaaS company headquartered in Germany with customers in the EU and several US states, including New York and California.

Incident

  • On Day 0 (Monday), the SOC detects suspicious activity in a production database holding:
  • EU and US customer names
  • Email addresses
  • Password hashes (bcrypt, strong cost factor)
  • Some US customers’ billing addresses and last 4 digits of credit cards (full card data is tokenized with a PCI‑compliant processor).
  • On Day 1 (Tuesday), forensics confirm unauthorized access and probable exfiltration of the database. No evidence of plaintext passwords or full card numbers.

Step‑by‑step legal analysis

  1. GDPR – Article 33 (Supervisory Authority)
  • The company is a controller for EU customer data.
  • There is a personal data breach (confidentiality compromised).
  • Risk assessment: credential stuffing, phishing, account takeover risks ⇒ at least “risk” to rights and freedoms.
  • Outcome: Article 33 notification is required.
  • Deadline: 72 hours from awareness (arguably Day 1 when breach status is reasonably confirmed).
  • Action: By Day 4 (Friday) at the latest, notify the lead supervisory authority (e.g., in the Member State of main establishment), even if some details are preliminary.
  2. GDPR – Article 34 (Data Subjects)
  • Does this create high risk?
  • Factors: nature of data (no IDs or financial account numbers, but credentials), likelihood of misuse, scope (number of users), absence of strong additional mitigations.
  • Many DPAs would treat credential compromise, at scale, as high risk, especially if passwords are reused.
  • Likely outcome: Article 34 data subject notification required, with advice on password resets, MFA, phishing vigilance.
  3. US State Laws – New York & California
  • For New York and California residents, the incident likely meets each state’s definition of a security breach involving personal information (name + account credentials).
  • Both states now impose firm 30‑day outer deadlines for individual notification after determining that a breach occurred and identifying affected individuals, subject to law‑enforcement delay.
  • The company must:
  • Provide clear breach notices to affected NY and CA residents.
  • In some cases, notify the state AG or other designated regulator if thresholds are met (e.g., number of residents affected).
  4. Timeline comparison
  • GDPR DPA notice: within 72 hours of awareness (Day 4).
  • GDPR data subject notice: without undue delay after determining high risk (likely within a few days, often aligned with or shortly after public disclosure).
  • NY & CA individual notice: within 30 days of determination (which might be Day 1 or Day 2, depending on internal policies).

Practical coordination

Incident response counsel will typically:

  • Treat the GDPR 72‑hour deadline as the primary “hard clock.”
  • Design harmonized notices that satisfy GDPR and US state content requirements while acknowledging different legal bases.
  • Maintain a notification matrix to track which regulators and AGs must be notified, and by when, based on resident counts and data types.

This example illustrates why early legal triage is critical: the same incident triggers different thresholds and timelines across regimes.

Step 6 – Sectoral US Regimes: GLBA, FCC Rules, SEC Reg S‑P, and CIRCIA

Beyond general state breach laws, several sector‑specific US federal regimes impose additional (and sometimes stricter) obligations. As of early 2026, the following are especially important.

A. GLBA Safeguards Rule (FTC) – Financial Institutions

  • Who is covered?
  • “Financial institutions” under the Gramm–Leach–Bliley Act (GLBA), including many non‑bank entities (e.g., mortgage brokers, payday lenders, certain fintechs).
  • Safeguards Rule (16 C.F.R. Part 314), significantly amended in 2021–2023 and enforced by the FTC:
  • Requires a written information security program with risk assessments, access controls, encryption, and incident response plans.
  • Introduced a breach‑notification requirement to the FTC for certain incidents involving at least 500 consumers, with a 30‑day deadline after discovery. (This federal notification is in addition to state‑law notifications.)
  • Interaction with state law: GLBA does not preempt most state breach laws; covered entities must comply with both.

B. FCC Breach Rules – Telecommunications and VoIP Providers

  • The Federal Communications Commission (FCC) governs breaches of Customer Proprietary Network Information (CPNI) and other sensitive data held by telecom carriers, interconnected VoIP, and some broadband providers.
  • In 2023–2024, the FCC updated its breach rules to:
  • Broaden the definition of “breach” beyond confirmed acquisition to include access in some circumstances.
  • Require notice to the FCC, FBI, and U.S. Secret Service for significant breaches, often within 7 business days or similar tight windows, depending on the scale and type of data.
  • Remove or narrow prior requirements to delay consumer notice until after law‑enforcement notification, giving more flexibility for earlier consumer alerts.
  • Result: Telecom‑related entities now face faster, more centralized federal reporting, on top of state notification duties.

C. SEC Regulation S‑P Amendments – Broker‑Dealers, Investment Companies, RIAs

  • Regulation S‑P (originally adopted under the Gramm–Leach–Bliley Act) governs privacy and safeguards for broker‑dealers, investment companies, and registered investment advisers.
  • In 2024, the SEC adopted major amendments to Reg S‑P that:
  • Require covered firms to adopt and implement written incident response programs for unauthorized access to or use of customer information.
  • Introduce federal customer notification requirements for certain data breaches, often requiring notice within 30 days after becoming aware of unauthorized access to sensitive customer information (with limited exceptions, e.g., no reasonable likelihood of harm).
  • Align, but do not duplicate, state breach laws; firms must often meet both SEC and state obligations.
  • These amendments are now in effect (phased compliance periods after 2024 adoption) and are a major driver of formalized IR playbooks in the securities sector.

D. CIRCIA – Critical Infrastructure Reporting (US)

  • The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires CISA (Cybersecurity and Infrastructure Security Agency) to establish rules for mandatory cyber incident reporting by covered critical infrastructure entities.
  • Key features (as of January 2026):
  • CIRCIA itself is in force, but detailed implementing regulations are still being finalized; CISA issued proposed rules in 2024–2025.
  • The statute envisions:
  • Reporting of “covered cyber incidents” within 72 hours of reasonably believing an incident occurred.
  • Reporting of ransomware payments within 24 hours of payment.
  • CIRCIA is incident‑centric, not limited to personal data breaches; it covers operational disruptions, attacks on ICS/OT, etc.
  • Once final rules are in effect, covered entities (e.g., in sectors like energy, healthcare, financial services, transportation) will have parallel obligations:
  • State breach laws (for PI)
  • Sectoral privacy/security rules (GLBA, HIPAA, etc.)
  • CIRCIA incident reporting to CISA for broader cyber events

Key skill for you: Recognize when a client is in a specialized vertical so you can layer obligations correctly rather than stopping at state breach laws.

Step 7 – Quick Check: Which Regime Applies?

Test your ability to match scenarios with the correct specialized regime(s).

A ransomware attack hits a US‑based online brokerage firm (registered with the SEC) that serves customers nationwide and in the EU. Customer account profiles (names, contact info, account numbers) are exfiltrated. Which **set of legal regimes** is MOST clearly triggered in addition to general US state breach laws?

  1. Only GDPR and CIRCIA, because this is a cross‑border incident involving critical infrastructure
  2. GDPR (for EU customers), SEC Regulation S‑P (for the brokerage’s US securities activities), and potentially CIRCIA once the final rules apply, alongside state breach laws
  3. Only GLBA Safeguards Rule, because all financial institutions are covered exclusively by GLBA and not SEC rules

Answer: B) GDPR (for EU customers), SEC Regulation S‑P (for the brokerage’s US securities activities), and potentially CIRCIA once the final rules apply, alongside state breach laws

The correct answer is **Option 2**. A registered online brokerage is squarely within the SEC’s jurisdiction, so the amended **Regulation S‑P** incident‑response and customer‑notification requirements apply, in addition to US state breach laws. If EU customers’ personal data are involved, **GDPR** also applies. **CIRCIA** may apply if the brokerage qualifies as a covered critical infrastructure entity once the final rules are in effect. Option 1 is incomplete (it ignores SEC Reg S‑P), and Option 3 is incorrect because SEC rules apply **in addition** to GLBA; GLBA does not displace SEC authority.

Step 8 – Key Term Flashcards

Use these flashcards to solidify core terminology before we move to more complex comparisons.

Personal Data Breach (GDPR)
A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed (Article 4(12) GDPR).
Article 33 GDPR
Requires controllers to notify the competent supervisory authority of a personal data breach **within 72 hours** of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Article 34 GDPR
Requires controllers to communicate a personal data breach to data subjects **without undue delay** when the breach is likely to result in a **high risk** to the rights and freedoms of natural persons, subject to limited exceptions (e.g., strong encryption).
US State Breach Notification Law
A state statute that requires organizations to notify affected residents (and often regulators) following certain security breaches involving defined categories of personal information, typically within a specified period (often 30–60 days).
GLBA Safeguards Rule
FTC rule (16 C.F.R. Part 314) requiring financial institutions to implement administrative, technical, and physical safeguards to protect customer information, including incident response and, after recent amendments, notification to the FTC for certain breaches.
FCC Breach Rules
Federal rules requiring telecommunications and certain VoIP/broadband providers to report breaches of customer data (including CPNI) to federal authorities (e.g., FCC, FBI, Secret Service) and, where applicable, to affected customers, often on short timelines.
SEC Regulation S‑P (Amended)
SEC regulation for broker‑dealers, investment companies, and registered investment advisers, requiring privacy notices, safeguards, and—after 2024 amendments—formal incident response programs and customer notifications following certain data breaches.
CIRCIA
The Cyber Incident Reporting for Critical Infrastructure Act of 2022, which mandates CISA to establish rules requiring covered critical infrastructure entities to report covered cyber incidents (within 72 hours) and ransomware payments (within 24 hours). Detailed rules are being finalized.

Step 9 – Comparing Timelines

Check that you can contrast key notification deadlines across regimes.

Which statement BEST captures the **timeline contrast** between GDPR and recent US rules for a typical personal data breach?

  1. GDPR requires notification to individuals within 72 hours, while US state laws generally allow 90 days for both regulators and individuals.
  2. GDPR requires notification to the supervisory authority within 72 hours when risk exists, with separate high‑risk‑triggered notice to individuals, while many US state and sectoral regimes (e.g., NY, CA, GLBA, SEC Reg S‑P) set **30–60 day** outer limits for individual/customer notice and sometimes separate regulator notices.
  3. US state breach laws are uniformly stricter than GDPR because they require notification to state attorneys general within 24 hours of discovering any security incident involving personal information.

Answer: B) GDPR requires notification to the supervisory authority within 72 hours when risk exists, with separate high‑risk‑triggered notice to individuals, while many US state and sectoral regimes (e.g., NY, CA, GLBA, SEC Reg S‑P) set **30–60 day** outer limits for individual/customer notice and sometimes separate regulator notices.

The correct answer is **Option 2**. GDPR’s uniquely short **72‑hour** clock applies to **supervisory authority notification** (Article 33) when there is risk, with separate, less precisely timed **data subject notifications** for high‑risk breaches (Article 34). Many US state and sectoral rules impose **longer outer limits (30–60 days)** for **individual/customer notice** and sometimes for regulator notice, though they may use harm thresholds and data‑type triggers rather than GDPR’s rights‑and‑freedoms framework. Options 1 and 3 misstate both EU and US timelines.

Step 10 – Synthesis Exercise: Building a Notification Matrix

Imagine you are outside counsel advising a multinational payment processor that:

  • Stores EU and US customer data (names, emails, billing addresses, partial card data)
  • Is a GLBA financial institution (e.g., offers white‑label credit products)
  • Is considered part of US critical infrastructure under CIRCIA’s forthcoming rules
  • Uses telecom providers and cloud services subject to FCC rules (indirectly) and other sectoral requirements

A suspected intrusion is detected today. You do not yet know whether data were exfiltrated.

Your task: Sketch a 3–5 row notification matrix (you can do this in a simple table on paper or in your notes) that lists, for each row:

  1. Regime / Law (e.g., GDPR, NY breach law, GLBA Safeguards Rule, SEC Reg S‑P, CIRCIA)
  2. Trigger test (e.g., “personal data breach with risk,” “unauthorized acquisition of PI,” “covered cyber incident,” etc.)
  3. Primary deadline (e.g., 72 hours, 30 days, 45 days, TBD pending final rules)
  4. Recipient(s) (e.g., DPA, individuals, state AG, FTC, CISA)
  5. Current status (e.g., “definitely triggered,” “likely triggered if exfiltration confirmed,” “monitor – rules not final yet”)

Then, answer these reflection questions:

  • Which clock starts earliest based on the information you have at detection time?
  • Which regime’s definition of the incident (e.g., “breach,” “covered cyber incident”) is hardest to apply at this early stage?
  • How would you structure the first 24 hours of legal triage to avoid missing a strict deadline while still preserving investigative flexibility?

This exercise is intentionally complex; the goal is to practice layering regimes and prioritizing timelines, not to reach a single “correct” matrix.
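
As an added worked example (not part of the course material), the following Python sketch turns the Step 5 incident and the Step 10 matrix columns into a small notification-matrix builder: it applies the module’s trigger tests (Article 33 risk, Article 34 high risk and its exceptions, state‑law PI acquisition, GLBA and CIRCIA coverage) and returns each row’s recipient, deadline and status, then picks the tightest clock. The AG threshold, the resident counts and the calendar dates are constructed assumptions, and the state outer limits cover only the NY and CA figures given above.

```python
# Added example, not the course's own material: a notification-matrix builder that applies
# the module's trigger tests and stated deadlines; thresholds, counts and dates are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Individual-notice outer limits from Step 4 (days after determination); NY and CA only.
STATE_OUTER_LIMIT_DAYS = {"NY": 30, "CA": 30}

@dataclass
class Incident:
    awareness: datetime        # Art. 33 clock: reasonable certainty of a personal data breach
    determination: datetime    # NY/CA clock: breach determined, affected persons identified
    gdpr_risk: bool            # likely to result in a risk to rights and freedoms
    gdpr_high_risk: bool       # likely to result in a HIGH risk
    data_unintelligible: bool  # Art. 34 exception: strong encryption or equivalent
    risk_mitigated: bool       # Art. 34 exception: subsequent measures removed the high risk
    pi_acquired: bool          # state-law trigger: unauthorized acquisition of PI
    residents: Dict[str, int]  # affected residents per state (constructed counts)
    glba_consumers: int        # consumers affected; 0 if not a GLBA financial institution
    circia_covered: bool       # covered critical-infrastructure entity once rules are final

@dataclass
class Row:
    regime: str
    recipient: str
    deadline: Optional[datetime]  # None: no fixed clock, or not triggered
    status: str

def build_matrix(inc: Incident, ag_threshold: int = 500) -> List[Row]:
    """One Row per regime/recipient, mirroring the Step 10 matrix columns."""
    rows: List[Row] = []
    # GDPR Art. 33: 72 hours from awareness; a later notice must be justified.
    if inc.gdpr_risk:
        rows.append(Row("GDPR Art. 33", "lead supervisory authority",
                        inc.awareness + timedelta(hours=72), "triggered"))
    else:
        rows.append(Row("GDPR Art. 33", "lead supervisory authority", None,
                        "not triggered: unlikely to result in risk (document rationale)"))
    # GDPR Art. 34: high risk unless an exception applies; no fixed clock.
    if inc.gdpr_high_risk:
        if inc.data_unintelligible or inc.risk_mitigated:
            rows.append(Row("GDPR Art. 34", "data subjects", None,
                            "exception applies: document encryption or mitigation"))
        else:
            rows.append(Row("GDPR Art. 34", "data subjects", None,
                            "triggered: without undue delay"))
    # US state laws: firm outer limits for individuals; AG notice above a threshold.
    if inc.pi_acquired:
        for state, count in inc.residents.items():
            days = STATE_OUTER_LIMIT_DAYS.get(state)
            if not count or days is None:
                continue
            due = inc.determination + timedelta(days=days)
            rows.append(Row(f"{state} breach law", "affected residents", due, "triggered"))
            if count >= ag_threshold:  # assumed threshold; the module cites >500 or >1,000
                rows.append(Row(f"{state} breach law", "state AG", due,
                                f"triggered: {count} residents >= {ag_threshold}"))
    # GLBA Safeguards Rule: FTC notice within 30 days of discovery (awareness here), >= 500 consumers.
    if inc.glba_consumers >= 500:
        rows.append(Row("GLBA Safeguards Rule", "FTC",
                        inc.awareness + timedelta(days=30), "triggered"))
    # CIRCIA: 72-hour incident report (24 hours for a ransom payment) once rules are final.
    if inc.circia_covered:
        rows.append(Row("CIRCIA", "CISA", inc.awareness + timedelta(hours=72),
                        "monitor: rules not final yet"))
    return rows

def tightest_clock(rows: List[Row]) -> Optional[Row]:
    """Row with the earliest fixed deadline: the 'hard clock' to plan triage around."""
    timed = [r for r in rows if r.deadline is not None]
    return min(timed, key=lambda r: r.deadline) if timed else None

# Step 5 facts as constructed input: Day 0 is Monday 2026-01-26, awareness on Day 1.
STEP5 = Incident(
    awareness=datetime(2026, 1, 27, 9, 0), determination=datetime(2026, 1, 27, 9, 0),
    gdpr_risk=True, gdpr_high_risk=True, data_unintelligible=False, risk_mitigated=False,
    pi_acquired=True, residents={"NY": 1200, "CA": 3000}, glba_consumers=0,
    circia_covered=False)
```

For the Step 5 facts, build_matrix(STEP5) yields the Article 33 row due on Friday (Day 4), the NY and CA resident and AG rows due 30 days after determination, and tightest_clock picks the Article 33 row, matching the module’s “hard clock” point.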

Key Terms

GDPR
General Data Protection Regulation, the EU’s primary data protection law that governs processing of personal data and includes breach notification rules (Articles 32–34).
CIRCIA
Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring CISA to issue rules mandating timely reporting of covered cyber incidents and ransomware payments by critical infrastructure entities.
High Risk
Under GDPR, a heightened level of risk to individuals’ rights and freedoms that triggers the obligation to notify affected data subjects (Article 34).
FCC Breach Rules
Federal Communications Commission regulations governing how telecom and certain VoIP/broadband providers must report breaches of customer data to federal authorities and, when applicable, to consumers.
Notification Matrix
A structured tool used in incident response to map applicable legal regimes, triggers, deadlines, and recipients for breach and cyber incident notifications.
GLBA Safeguards Rule
FTC regulation under the Gramm–Leach–Bliley Act requiring financial institutions to implement safeguards to protect customer information, including incident response and certain breach notifications.
Personal Data Breach
Under GDPR, a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
SEC Regulation S‑P
Securities and Exchange Commission regulation governing privacy notices and safeguards for broker‑dealers, investment companies, and registered investment advisers, amended in 2024 to include explicit incident response and customer notification requirements.
Supervisory Authority
An independent public authority established by an EU Member State responsible for monitoring the application of GDPR (e.g., data protection authority).
US State Breach Notification Law
A state statute prescribing when and how organizations must notify individuals and sometimes regulators after certain security breaches involving defined personal information.