A data breach occurs whenever protected information is accessed, disclosed, or lost by someone who was not authorized to have it. The cause does not have to be malicious; accidental exposure counts.

Common Breach Scenarios

  • A cyberattacker exfiltrates customer records from your database
  • An employee sends a spreadsheet with customer data to the wrong email address
  • A misconfigured cloud storage bucket makes files publicly accessible
  • A vendor you share data with suffers a breach and your customers' data is exposed
  • An unencrypted laptop containing business data is lost or stolen

Legal Obligations

Most U.S. states have breach notification laws requiring you to notify affected individuals within a set timeframe (often 30-72 hours for certain data types). HIPAA covers health data. GDPR applies if you have EU customers. Depending on your sector, PCI DSS or other regulations may apply.

The key question after an incident: did anyone's personal, financial, or health data get exposed? If yes, involve a lawyer who specializes in breach notification requirements for your jurisdiction immediately.