Data controllers are compelled to publicly report data breaches so that the public knows a breach has occurred and can take action where possible, and to incentivise data controllers to maintain secure data handling practices.
European Union: Under Article 33 of the General Data Protection Regulation, data controllers are required to notify data subjects “no later than 72 hours” after having become aware of a breach.
Mexico: Under the Federal Personal Data Law, the data controller must immediately inform the data subject if a breach or violation of the data controller’s security measures has occurred that could affect the moral and economic rights of the data subject.
South Korea: Under the Personal Information Protection Act, the data controller must provide individual breach notices to data subjects and file a personal information leakage report to the Ministry of Government Administration and Home Affairs and Korea Internet Security Agency.
Turkey: Under the Data Protection Law, data breaches must be disclosed to the Data Protection Authority and data subjects.
United States: 47 states and the District of Columbia have enacted state-level security breach notification laws. There are no notification laws at the federal level.
A lack of understanding around data breaches may cause consumers to panic when they receive notifications.
Notifications on their own may not suffice. They may need to happen in concert with other measures.