For SMEs, understanding when and how to notify regulators after a data breach is critical. Here’s a country-by-country guide with regulators, who it applies to, reporting deadlines, examples, and contact details.
Australia
| Who It Applies To | Regulator & Contact | When to Contact | Timeframe / Deadline | Example |
|---|---|---|---|---|
| AFS licensees, credit licensees, insurance brokers, super funds | ASIC – 1300 300 630, asic.gov.au | Significant breaches of license conditions or personal data | As soon as practicable, per RG-78 guidance | Financial planner loses client personal information |
| Banks, insurers, super funds, credit unions | APRA – 1300 558 849, info@apra.gov.au, apra.gov.au | Material security incidents affecting operations | Immediately or per CPS 234 / CPS 232 | Bank’s online banking system is compromised |
| Any organization experiencing a cyber security incident | ACSC – 1300 CYBER1 (1300 292 371), cyber.gov.au | Cybersecurity incidents | Report as soon as possible | Ransomware attack on a small business network |
| Businesses handling personal data > $3m turnover, or sensitive info | OAIC / NDB Scheme – 1300 363 992, oaic.gov.au | Eligible data breaches | Within 30 days of becoming aware | Health clinic patient records exposed |
United States
| Who It Applies To | Regulator & Contact | When to Contact | Timeframe / Deadline | Example |
|---|---|---|---|---|
| Businesses that collect consumer personal info; financial institutions under GLBA | FTC – 1‑877‑FTC‑HELP, ftc.gov | Data breaches or unfair/deceptive practices | No fixed hours; notify consumers if required | E-commerce site customer database leaked |
| Publicly traded companies, investment advisers, broker-dealers | SEC – 1‑800‑SEC‑0330, sec.gov | Material cybersecurity incidents | 8-K filing within 4 business days | Listed company suffers a network breach |
| Banks, credit unions, federally regulated financial institutions | FDIC – 1‑877‑275‑3342, fdic.gov; OCC – 1‑800‑613‑6743, occ.gov; Federal Reserve – 202‑452‑3000, federalreserve.gov | Computer-security incidents affecting operations | Within 36 hours to primary regulator | Small bank hacked |
| Healthcare providers, health plans, clearinghouses | HHS / OCR – 1‑800‑368‑1019, OCRComplaint@hhs.gov, hhs.gov | PHI breaches | 60 days if >500 individuals affected | Clinic patient records exposed |
| All businesses with state residents’ personal info | State Attorneys General – see state websites, e.g., CA: oag.ca.gov | Data breach affecting residents | Varies by state; often immediate notice | Retailer leaks customer info in CA, NY |
| Critical infrastructure operators; DoD contractors | CISA – 1‑888‑282‑0870, cisa.gov; DoD / DFARS – dcsa.mil/dfars | Cybersecurity incidents | 72 hours | Small utility or defense contractor system compromised |
United Kingdom
| Who It Applies To | Regulator & Contact | When to Contact | Timeframe / Deadline | Example |
|---|---|---|---|---|
| All organizations processing personal data | ICO – 0303 123 1113, ico.org.uk | Notifiable data breach | Within 72 hours | Retail business database exposed |
| Financial firms, banks, insurance, investment advisers | FCA – firmnotification@fca.org.uk, fca.org.uk | Significant operational or data incidents | As per SUP 15, notify promptly | Mortgage broker loses client data |
| Banks, building societies, insurers (dual-regulated) | PRA – supervision@bankofengland.co.uk, bankofengland.co.uk | Operational or security incidents | As per SUP 15, notify promptly | Bank IT system compromised |
| Public electronic communications service providers | Ofcom – contact@ofcom.org.uk, ofcom.org.uk | Personal data breach under PECR | Without undue delay | ISP customer data leak |
| NHS organizations, healthcare providers | NHS Digital – enquiries@nhsdigital.nhs.uk, digital.nhs.uk | Patient data breach | Immediately | Clinic patient records exposed |
Prompt notification of the correct regulator protects your business, reduces legal risk, and helps safeguard your customers. Keep this guide handy for quick reference.

