CIPP/US Study Guide
Chapter 7: State Data Breach Notification, Data Security, and Data Destruction Laws

Notification: Timing to Affected Parties

The most common timing standard is “as expeditiously as possible and without unreasonable delay.” Where a specific cap is set, 45 days after discovery is the most common, but the industry best practice is 30 days, so 45 days could be deemed unreasonable in some states without justification.

The standard phrase, “as expeditiously as possible and without unreasonable delay,” allows time to conduct a reasonable investigation and to restore the integrity of the data system. Where states attach a hard cap, 45 days after discovery is the most common.

30 vs 45 days

For national operations, industry best practice is 30 days. A delay to 45 days could be considered unreasonable in some states absent a valid explanation - so do not treat 45 days as a safe universal target.

Key terms - quick answers

What is “As expeditiously as possible and without unreasonable delay”?
The most common timing phrase for breach notice, allowing a reasonable investigation while restoring system integrity.