Which law requires organizations to disclose data breaches?

Prepare for the CIPT (Certified Information Privacy Technologist) Test with our comprehensive quiz. Featuring multiple-choice questions, detailed explanations, and helpful hints, this practice test will help you get ready for your CIPT exam.

The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) both require organizations to disclose data breaches under specific circumstances. Under the GDPR, any data breach that poses a risk to the rights and freedoms of individuals must be reported to the relevant supervisory authority within 72 hours. Furthermore, if the breach is likely to result in a high risk to those individuals, they must also be informed without undue delay.

Similarly, the CCPA has provisions that require businesses to notify consumers of a data breach that involves their personal information. This notice is part of the CCPA's broader commitment to transparency and consumer rights regarding personal data.

In contrast, while the Health Insurance Portability and Accountability Act (HIPAA) does require covered entities to report breaches of protected health information, it is specific to the healthcare sector. The Fiber Privacy Act and the Fair Information Practices Act do not encompass comprehensive breach disclosure requirements applicable to all sectors. Thus, the combination of GDPR and CCPA is more encompassing and reflects the current legal landscape regarding data breach notifications.
