If your business holds customer data and gets breached, what you do in the first 72 hours often determines what you owe later. Every state has its own notification law, and many have hard deadlines that don't pause for investigation. Here's the practical playbook.
Disconnect affected systems from the network, but don't wipe them — forensic evidence is critical. Engage IT security and (if available) cyber-insurance breach response. Document every step in a timeline.
An attorney experienced in breach response can structure the investigation under attorney-client privilege, identify which laws apply, and start the notification clock running on a sound footing. This step pays for itself.
Notification triggers depend on the types of data involved: names combined with Social Security numbers, financial account numbers, health information, biometrics. The more sensitive the data, the broader and faster the notification requirements.
All 50 states have breach notification statutes. Texas (BC §521.053), Arizona (ARS §18-552), Nevada (NRS 603A.220), and New Mexico (NMSA §57-12C-1) all require notification "in the most expedient time possible" — typically 30–60 days.
Most state laws and customer expectations call for offering 12–24 months of free credit monitoring. Document everything you did to investigate, notify, and remediate — it's your shield in any subsequent regulatory or civil action.
NotALawyer.com provides general legal information, not legal advice.