A data breach is the unauthorized access, disclosure, or loss of personal data held by an organization. It occurs when sensitive information is compromised through theft, hacking, accidental exposure, or other security failures. Data breaches trigger mandatory notification requirements and potential regulatory penalties under applicable privacy laws.
Data Breach
Regulatory Definitions
- GDPR (EU Regulation 2016/679): Article 4(12) defines a personal data breach as 'a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.' Article 33(1) requires the controller to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons; a later notification must be accompanied by the reasons for the delay. Article 34 separately requires communication to the affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
- HIPAA (45 CFR §§ 164.400-414, the Breach Notification Rule): 45 CFR § 164.402 defines a breach as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI. Such an impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates, through a documented risk assessment, a low probability that the PHI has been compromised. The rule applies to unsecured PHI, meaning PHI not rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, by encryption or destruction) in accordance with HHS guidance. 45 CFR § 164.404 requires notification to affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach; breaches affecting 500 or more individuals must also be reported to HHS (§ 164.408) and to prominent media outlets in the affected state or jurisdiction (§ 164.406).
- CCPA/CPRA (California Civil Code §§ 1798.82, 1798.100 et seq.): California's breach notification statute, Civil Code § 1798.82, defines a breach of the security of the system as the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Notice to affected residents must be provided 'in the most expedient time possible and without unreasonable delay' (§ 1798.82(a)), and a copy of the notice must be submitted to the California Attorney General when a single breach affects more than 500 California residents (§ 1798.82(f)). Separately, the CCPA's private right of action (§ 1798.150) applies when a consumer's nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business's failure to implement and maintain reasonable security procedures; the CPRA (effective January 1, 2023) extended this to an email address in combination with a password or security question and answer that would permit access to the account.