Breach Notification Deadlines
(The 72-Hour Rule)
A breach discovered on Day 91 becomes a regulatory nightmare when customers aren't told for three more months — and regulators are done tolerating those delays. The 72-hour rule is no longer a guideline but a hard deadline, and organizations that notify after forensics instead of in parallel are already operating in the liability zone.
They Were In Your System For 90 Days.
It started in June. Nobody noticed until September. That's the thing about a patient attacker — they don't make noise. They query a database here, pull a few records there, and test what they can reach. By the time the systems at Prosper Marketplace, an online financial technology company, flagged the intrusion on September 1, 2025, the attackers had spent three months inside the peer-to-peer lender's customer databases. Social Security numbers. Bank account numbers. Passport numbers. Driver's licenses. Tax records. Seventeen-point-six million people's most complete financial identity — already gone.
What happened next is where this story stops being about hackers and starts being about your organization.
Prosper's team did what every well-trained security team does: contained the breach, brought in forensic experts, notified law enforcement, and investigated. These are the right moves. The problem wasn't what they did — it was what they failed to do at the same time. Customers received their first notification on December 9, 2025. Not September 1, when the breach was discovered. December. Three months after discovery. Six months after the first unauthorized query hit their databases.
For three months, 17.6 million people went about their lives — paying bills, applying for mortgages, filing taxes — without knowing that their entire financial identity was potentially circulating on criminal marketplaces. They couldn't freeze their credit because they didn't know they needed to. They couldn't monitor their accounts with any particular vigilance because nobody told them to. That window — the gap between when a company knows and when its customers know — is exactly what regulators have been trying to close for eight years.
The Rule Everyone Knows and Nobody Is Ready For
The 72-hour breach notification requirement isn't new. GDPR introduced it in 2018 for European regulators. NYDFS adopted it for New York financial entities. The OCC, Fed, and FDIC went even tighter: 36 hours for banks experiencing serious incidents. DORA, the EU's Digital Operational Resilience Act that entered full enforcement in January 2025, added a 4-hour initial alert requirement for major ICT incidents in financial services.
Every compliance team in financial services knows these numbers. The problem isn't awareness. The problem is that knowing a rule and having the organizational infrastructure to meet it under active crisis conditions are two entirely different things — and most companies don't discover the gap until they're already in it.
For organizations operating across multiple jurisdictions, the practical notification window is determined by the most restrictive framework that applies. A US bank with EU depositors and a New York entity isn't managing three separate 72-hour windows. It's managing one: the shortest one in the stack.
The 72 hours isn't a grace period for investigation — it's the deadline to notify while the facts are still incomplete.
What Regulators Actually Fine You For
The Prosper enforcement picture is still developing. But regulators don't need to wait for Prosper to make the point. In August 2025, NYDFS fined Healthplex, a dental insurance management firm, $2 million specifically for notifying regulators more than four months after a breach determination. Not for the breach itself. For the delay. The consent order was explicit: the 72-hour requirement is "a critical safeguard that enables the Department to carry out its consumer protection function."
The SEC fined Intercontinental Exchange, parent of the New York Stock Exchange, $10 million for waiting five days to notify after a breach. Five days. Morgan Stanley has paid over $120 million across two separate settlements for data security failures. These numbers exclude legal fees, mandatory audits, remediation costs, and increased insurance premiums — expenses that typically multiply the regulatory fine two to five times over.
The Math Regulators Want You To Do:
IBM's 2025 Cost of a Data Breach Report puts the average financial services breach at $5.56 million. That number rises sharply when notification delays trigger regulatory escalation — because delays don't just add fines. They extend the window of customer harm, which amplifies class action exposure, which drives legal costs, which feeds back into the total. The cheapest path through a breach is almost always also the fastest one to notification.
The Cultural Problem No Framework Can Fix
Every financial services CISO and General Counsel knows the tension: accuracy before disclosure is professionally ingrained. Boards don't want to alarm customers unnecessarily. Legal teams don't want to trigger notification obligations without confirmed scope. Communications teams don't want to send a letter they'll have to correct. PR is worried about the headline. Finance is worried about the stock price.
These instincts aren't wrong. They're just operating on a timeline that regulators no longer recognize as valid.
The legal architecture already solves the accuracy problem. DORA's tiered structure — initial alert, intermediate report, final report — was designed precisely so organizations can notify early with incomplete information and update as facts develop. GDPR has always permitted phased disclosure. The frameworks don't require certainty. They require motion. What most organizations haven't built is the cultural and procedural machinery to notify in parallel with investigation.
Five Things Your IR Plan Must Fix Before the Next Incident
1. Define "awareness" below the certainty threshold.
Your plan must document what triggers the notification clock — anomaly alerts, threat intel flags, third-party notifications. If your plan requires a confirmed breach before notification prep begins, rewrite it. Regulators define awareness as reasonable suspicion, not forensic proof.
2. Run parallel workstreams from hour one.
Assign a dedicated notification lead separate from your forensic lead. Containment and notification drafting happen simultaneously — not sequentially. The two tracks serve different stakeholders on different timelines.
3. Pre-draft tiered notification templates.
You cannot write a GDPR Article 33 notification from scratch at 2am with the board breathing down your neck. Template the structure. Leave blanks for the facts you will not have yet. Regulators accept incomplete initial notifications — they do not accept missed deadlines.
4. Map your jurisdiction stack in advance.
Know which regulators, which windows, which entity types, and who is authorized to pull the notification trigger. Multi-jurisdiction exposure needs a decision tree built before the incident — not assembled during one.
5. Put legal in the tabletop, not on speed dial.
The decision to notify — or to invoke a delay exception — is a legal decision, not a technical one. If your legal counsel has never rehearsed a real-time notification scenario with the security team, the first time they do it together will be the wrong time.
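Steps 1 and 4 above amount to a small piece of machinery: one awareness timestamp, a pre-mapped list of applicable frameworks, and a sorted stack of deadlines with the shortest window binding the whole organization. The following is an added illustration, not code from the article or from any regulator; the framework labels are hypothetical, the windows are the ones the article cites, and the scenario (a US bank with EU depositors and a New York entity) is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows as the article states them, in hours from "awareness"
# (reasonable suspicion), not from forensic confirmation. Labels are hypothetical.
WINDOWS_HOURS = {
    "GDPR Art. 33 (EU supervisory authority)": 72,
    "NYDFS Part 500 (New York DFS)": 72,
    "OCC/Fed/FDIC incident rule (US banking regulator)": 36,
    "DORA initial alert (major ICT incident)": 4,
    "New York consumer notification": 30 * 24,
}

@dataclass(frozen=True)
class Obligation:
    framework: str
    deadline: datetime
    hours_left: float  # negative once the deadline has passed

def build_deadline_stack(awareness, applicable, now=None):
    """Every obligation triggered by one awareness timestamp, earliest deadline first."""
    now = now or awareness
    stack = []
    for name in applicable:
        if name not in WINDOWS_HOURS:
            raise KeyError(f"unmapped framework: {name}")  # map the stack before the incident
        deadline = awareness + timedelta(hours=WINDOWS_HOURS[name])
        stack.append(Obligation(name, deadline, (deadline - now).total_seconds() / 3600))
    return sorted(stack, key=lambda o: o.deadline)

def binding_window_hours(applicable):
    """The one window the organization actually plans to: the shortest in the stack."""
    return min(WINDOWS_HOURS[name] for name in applicable)

def overdue(stack, now):
    """Frameworks whose deadline has already passed at `now`."""
    return [o.framework for o in stack if o.deadline < now]

if __name__ == "__main__":
    # Constructed scenario: US bank with EU depositors and a New York entity.
    aware = datetime(2025, 9, 1, 9, 0, tzinfo=timezone.utc)
    applicable = list(WINDOWS_HOURS)[:3] + ["New York consumer notification"]
    print(f"binding regulator window: {binding_window_hours(applicable)}h")
    for o in build_deadline_stack(aware, applicable):
        print(f"{o.deadline:%Y-%m-%d %H:%M}Z  {o.framework}")
    late = datetime(2025, 12, 9, tzinfo=timezone.utc)
    print("overdue by a Dec 9 notice:", overdue(build_deadline_stack(aware, applicable), late))
```

Running it shows the 36-hour banking window binding the stack even though the "obvious" number everyone quotes is 72, and that every deadline, including the 30-day consumer one, was long gone by a December notice for a September discovery.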
The Windows Are Closing
New York introduced a hard 30-day consumer notification deadline in December 2024, explicitly eliminating the scope-assessment delays that had let companies stall indefinitely. California followed with SB 446, effective January 1, 2026, closing the same loophole for the country's largest state economy. Australia is moving its Notifiable Data Breaches window from 30 days to 72 hours for serious incidents. India's DPDP Act, in implementation since 2025, tracks the GDPR benchmark. Brazil's LGPD is tightening enforcement.
The industry benchmark is moving toward 72 hours for regulatory notification and 30 days for consumer notification — and the trend line strongly suggests both will tighten further within this decade. Are you still operating in the liability zone?
Citations:
Prosper Marketplace breach: official breach notice (December 9, 2025).
NYDFS Healthplex enforcement: NYDFS official press release, Healthplex consent order (August 14, 2025).
ICE / NYSE $10M SEC fine: SEC.gov official press release (May 22, 2024). ICE agreed to pay a $10 million penalty for causing nine wholly-owned subsidiaries, including the New York Stock Exchange, to fail to timely inform the SEC of a cyber intrusion as required by Regulation SCI.
Morrison Foerster analysis (May 28, 2024): legal analysis noting that ICE's four-day delay in reporting to the SEC violated Regulation SCI, and that this appears to be the second-highest civil penalty the SEC has levied in connection with a cyber incident.
IBM Cost of a Data Breach Report 2025 (official): financial services averaged $5.56 million per breach in 2025, second only to healthcare.
Regulatory frameworks:
DORA (EU): Regulation (EU) 2022/2554, full enforcement January 17, 2025.
NYDFS 23 NYCRR Part 500: Cybersecurity Regulation (amended November 2023).
GDPR Article 33: personal data breach notification to the supervisory authority.
OCC / Federal Reserve / FDIC: Computer-Security Incident Notification Rule (effective May 2022), 36-hour notification requirement for banking organizations.