Data Breach Notification Deadline Calculator
Calculate mandatory data breach notification deadlines for affected individuals, regulators, and attorneys general based on US state laws and federal regulations.
Formula
Notification Deadline Date = Discovery Date + Statutory Deadline (calendar days)
Where the statutory deadline varies by jurisdiction:
- 4 business days: SEC (from materiality determination)
- 30 days: Florida, Colorado, Utah, Washington, FTC Safeguards Rule
- 45 days: Alabama, Alaska, Arizona, Indiana, Maryland, New Mexico, Ohio, Oregon, Rhode Island, Tennessee, Vermont
- 60 days: HIPAA, Connecticut, Delaware, Louisiana, South Dakota, Virginia AG
- Expedient / Without Unreasonable Delay: California, Georgia, Illinois, New York, and others — no hard statutory deadline; best practice is 30–60 days
Days Remaining = Deadline Date − Today's Date
Assumptions & References
- All deadlines are in calendar days from the date of discovery unless otherwise noted (SEC uses business days).
- The "discovery date" is the date the organization first became aware of the breach, not the date it occurred.
- Deadlines apply only when the breach involves personal information as defined by each jurisdiction's statute.
- Many states allow a reasonable delay if a law enforcement agency determines notification would impede a criminal investigation.
- HIPAA: 45 CFR §§ 164.400–414 (Breach Notification Rule, effective 2013 Omnibus Rule).
- GLBA / Banking: 12 CFR Part 30 (OCC); FIL-66-2021 (FDIC); 12 CFR Part 225 (Federal Reserve).
- FTC Safeguards Rule: 16 CFR Part 314 (amended 2023).
- SEC: Release No. 33-11216 (effective December 2023).
- State laws are current as of 2024; laws change frequently — always verify with legal counsel.
- This calculator does not constitute legal advice. Consult a qualified attorney for compliance guidance.
- Multi-state breaches require compliance with each applicable state law simultaneously.
- Some states require credit monitoring services for breaches involving Social Security Numbers.