If your business stores personal information about customers or employees and that data is exposed in a breach, you almost certainly have legal notification obligations. The specific requirements depend on where your customers live, what type of data was exposed, and what industry you operate in. Not knowing which laws apply is not a defense.
Analysis Briefing
- Topic: Small business breach notification legal obligations
- Analyst: Mike D (@MrComputerScience)
- Context: A collaborative deep dive triggered by Claude
- Source: Pithy Cyborg
- Key Question: Which breach notification laws apply to a small business operating across multiple US states?
Why There Is No Single US Federal Breach Notification Law
The United States does not have a single comprehensive federal breach notification law that applies to all businesses. Instead, a patchwork of state laws, sector-specific federal regulations, and international frameworks applies depending on who you are, what data you hold, and where your customers and employees are located.
This creates a compliance challenge that catches small businesses off guard. A small e-commerce business with customers in all 50 states technically has breach notification obligations under 50 different state laws, each with different definitions of personal information, different timelines, and different required notification content.
The practical reality is that most small businesses are not prosecuted for technical violations of every applicable state law in a breach situation. But they are exposed to legal and regulatory action, particularly when the breach involves significant harm to affected individuals or when the business failed to take reasonable security precautions.
| Jurisdiction | 2026 Timeline Requirement | Key Threshold / Change |
|---|---|---|
| California (SB 446) | 30 Days (Individual) / 15 Days (AG) | Effective Jan 1, 2026. Replaces “expedient” with a hard clock. |
| GDPR (EU) | 72 Hours | Starts at discovery, not confirmation of data loss. |
| FTC Safeguards | 30 Days | Applies to non-banking “financial” entities (inc. tax prep/dealerships). |
| Colorado (CPA) | 30 Days | Update: As of Jan 1, 2026, the 60-day “right to cure” has sunset. |
The State Laws That Matter Most
All 50 US states have breach notification laws. The ones with the most teeth and the broadest definitions are California, New York, and Colorado.
California’s CCPA and breach notification law apply to businesses that collect personal information from California residents, regardless of where the business is located. If you have California customers, California law may apply to you. California’s definition of personal information is broad and its enforcement is active.
New York’s SHIELD Act applies to any business that owns or licenses computerized data including private information of New York residents. It requires reasonable security safeguards and breach notification to affected New York residents and the state attorney general.
Colorado’s Privacy Act, effective since 2023, applies to businesses that process personal data of 100,000 or more Colorado consumers annually, or 25,000 consumers if the business derives revenue from selling personal data.
No More “Right to Cure” ➞ In states like Colorado, the 60-day “right to cure” (a grace period to fix violations before penalties) officially expired on December 31, 2025. Enforcement actions and penalties can now proceed immediately. If you’re caught out of compliance, there is no longer a “get out of jail free” window to fix it.
The 2026 California Shift (SB 446) ➞ As of January 1, 2026, the “compliance loophole” of investigating without a deadline is closed. California now requires notification to residents within 30 days of discovery. Furthermore, if you hit the 500-resident threshold, you must notify the Attorney General within 15 days of notifying the individuals. This requires a seamless handoff between your forensic team and your legal team that most small businesses aren’t built for.
The Sector-Specific Federal Requirements
HIPAA applies to healthcare providers, health plans, and their business associates. A breach of protected health information requires notification to affected individuals within 60 days, notification to HHS, and for breaches affecting more than 500 residents of a state, notification to prominent media outlets in that state.
The FTC Safeguards Rule applies to financial institutions including mortgage brokers, payday lenders, car dealerships that offer financing, and tax preparers. It requires a written information security program and notification to the FTC within 30 days of discovering a breach affecting 500 or more customers.
Gramm-Leach-Bliley applies to financial services companies and imposes customer financial data obligations that predate most state laws.
What GDPR Means for US Small Businesses
GDPR applies to any organization that processes personal data of EU residents, regardless of where the organization is located. A US small business with European customers, European website visitors, or European employees has GDPR obligations.
The GDPR breach notification requirement is 72 hours to the relevant supervisory authority from the moment of discovery. This is the tightest timeline in any major breach notification framework and it starts running before the full scope of the breach is known.
Many small businesses that technically have GDPR obligations are unaware of them because they never explicitly targeted EU customers. Website analytics that collect IP addresses from EU visitors, email marketing lists that include EU contacts, and online sales to EU customers all potentially trigger GDPR applicability.
The State Attorney General Notification That Exists Separately From Individual Notification
Most people understand breach notification as notifying the affected individuals. What catches small businesses off guard is that many states require a separate, parallel notification to the state attorney general or a designated state agency, on a different timeline from individual notification.
New York requires notification to the state attorney general, the Department of Financial Services if applicable, and other state agencies depending on the data involved. California requires notification to the state attorney general when a breach affects more than 500 California residents. Florida requires notification to the Florida Department of Legal Affairs within 30 days for breaches affecting 500 or more Florida residents.
These regulatory notifications are distinct from individual notifications and have their own timelines, formats, and content requirements. Missing a regulatory notification while completing individual notifications is a common compliance gap because the two tracks run simultaneously and the regulatory notification requirement is less intuitive.
Your breach notification counsel should manage both tracks. If you are self-managing a small breach, verify which state regulatory notifications apply before assuming individual notification is the complete obligation.
What This Means For You
- Map your customers by state immediately. If you have even one customer in California, your 30-day clock is now a legal mandate, not a suggestion.
- Audit your data categories. Are you holding “Sensitive Data” (biometrics, precise geolocation, health info)? These categories often trigger faster notification and higher penalties.
- Draft your templates now. In a 72-hour (GDPR) or 15-day (CA AG) window, you do not have time to start from a blank page.
- Sync your forensic and legal teams. Forensics must provide a “preliminary scope” within 14 days so Legal can meet the new 30-day filing deadlines.
The Documentation Requirement Regulators Expect and Nobody Warns You About
Sending notification letters to affected individuals is the visible part of breach notification compliance. The less visible and equally important part is the documentation you are expected to maintain demonstrating what happened, when you knew, what you assessed, and what actions you took.
Regulators investigating a breach do not just ask whether you notified. They ask for your incident log. When was the breach discovered and by whom? When was legal counsel engaged? When was the scope assessment completed? When were notification decisions made and on what basis? What security measures were in place before the breach?
Maintaining a contemporaneous incident log from the moment of discovery is both a legal best practice and a practical protection. If you are investigated by a regulator or sued by affected individuals, your documented timeline of reasonable decisions is your primary defense.
The incident log does not need to be elaborate. A timestamped record of decisions, actions, and the information available at each decision point, maintained by the incident response lead throughout the response, satisfies the documentation requirement and demonstrates that the response was methodical rather than reactive.
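The two practical pieces described above (the "map your customers by state" deadline exercise in the action list, and the timestamped incident log in this section) can be kept in one small tool. The following is an added example, not code from the original article or from Pithy Cyborg. It assumes only the timelines the article states (GDPR 72 hours; California 30 days to residents and, above 500 California residents, 15 days to the Attorney General after the individual notice; Florida 30 days to the Department of Legal Affairs at 500 or more residents; HIPAA 60 days; FTC Safeguards 30 days at 500 or more customers; the 14-day internal forensic milestone), and it goes one step beyond the text by chaining each log entry to the previous one with a SHA-256 hash so that a later edit of the timeline is detectable. Function names, field names and the sample scenario are constructed for illustration; New York's SHIELD Act is listed as an obligation without a date because the article gives no timeline for it.

```python
# Added example (not from the original article): a contemporaneous incident log
# plus a deadline map built from the timelines the article states. Function and
# field names are illustrative assumptions; jurisdictions whose figures the
# article does not give are either omitted or returned with no date.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import json

GENESIS = "0" * 64


def _digest(body):
    # Canonical JSON so the same facts always hash the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class IncidentLog:
    """Append-only, timestamped record of decisions and the facts known at
    each point. Each entry stores the hash of its predecessor (this example's
    addition; the article only asks for a timestamped record)."""
    entries: list = field(default_factory=list)

    def record(self, actor, action, known_facts, at=None):
        at = at or datetime.now(timezone.utc)
        entry = {
            "at": at.isoformat(),
            "actor": actor,
            "action": action,
            "known_facts": known_facts,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True if every entry still hashes to its stored value and links to
        its predecessor; False if anything was altered or removed."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def notification_deadlines(discovered, affected_by_state, eu_data_subjects=0,
                           phi=False, ftc_safeguards_customers=0):
    """Map the facts known at discovery to the notification clocks the article
    describes. Returns {obligation: deadline}, earliest first; an obligation
    whose timeline the article does not state is returned with None."""
    due = {}
    # Internal milestone: forensics hands Legal a preliminary scope within
    # 14 days so the 30-day filings can be met.
    due["Internal: forensic preliminary scope to Legal"] = discovered + timedelta(days=14)
    if eu_data_subjects > 0:
        due["GDPR supervisory authority"] = discovered + timedelta(hours=72)
    ca = affected_by_state.get("CA", 0)
    if ca > 0:
        ca_individual = discovered + timedelta(days=30)
        due["California residents (SB 446)"] = ca_individual
        if ca > 500:
            # Due 15 days after the individual notice; the worst case is 15
            # days after the last permissible individual-notice date.
            due["California Attorney General"] = ca_individual + timedelta(days=15)
    if affected_by_state.get("FL", 0) >= 500:
        due["Florida Dept. of Legal Affairs"] = discovered + timedelta(days=30)
    if affected_by_state.get("NY", 0) > 0:
        due["New York AG (SHIELD Act; timeline not stated here)"] = None
    if phi:
        due["HIPAA affected individuals"] = discovered + timedelta(days=60)
    if ftc_safeguards_customers >= 500:
        due["FTC Safeguards Rule"] = discovered + timedelta(days=30)
    # Dated obligations first, earliest first; undated ones at the end.
    return dict(sorted(due.items(), key=lambda kv: (kv[1] is None, kv[1] or discovered)))


def example_scenario():
    """Constructed scenario: discovery on 1 Feb 2026 09:00 UTC, customers in
    CA, FL and NY, plus three EU mailing-list contacts."""
    found = datetime(2026, 2, 1, 9, 0, tzinfo=timezone.utc)
    return found, notification_deadlines(found, {"CA": 1200, "FL": 600, "NY": 10},
                                         eu_data_subjects=3)


if __name__ == "__main__":
    found, due = example_scenario()
    log = IncidentLog()
    log.record("IR lead", "breach discovered: anomalous export from CRM",
               {"affected_states": {"CA": 1200, "FL": 600, "NY": 10}, "eu_contacts": 3}, at=found)
    for obligation, when in due.items():
        print(f"{obligation:55s} {when.date() if when else 'no fixed date on page'}")
    log.record("IR lead", "deadline map produced; counsel engaged", {"entries": len(log.entries)})
    print("log intact:", log.verify())
```

The deadline map is recomputed whenever the known facts change (a scope revision that adds a state or a data category shortens or adds clocks), and each recomputation is itself a log entry, which is exactly the "information available at each decision point" a regulator asks for. `verify()` will fail if any earlier entry is edited after the fact, so the log demonstrates that the timeline is contemporaneous rather than reconstructed.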
