When a data breach happens, companies often face a difficult choice: disclose quickly and deal with the fallout, or stay quiet and hope no one notices. The second option carries serious legal risk.
In the U.S., failing to report a breach is not just bad practice. It can result in significant penalties, lawsuits, and lasting reputational damage. Here is what the legal landscape actually looks like.
Penalties For Not Reporting A Breach Vary By State And Industry.
Because the U.S. relies on a mix of state laws and industry-specific federal regulations, penalties for non-disclosure vary widely. A healthcare company in Florida faces different rules than a retail business in California.
But across the board, regulators have made one thing clear: silence after a breach is not an option. The consequences generally fall into three categories:
- Regulatory fines imposed by state attorneys general or federal agencies
- Civil lawsuits filed by affected individuals or class action groups
- Criminal charges in cases involving willful concealment
Regulators Have Fined Companies Millions For Breach Non-Disclosure.
State attorneys general and federal agencies have become increasingly aggressive in pursuing companies that delay or avoid breach notifications, and in penalizing weak data handling more generally. A few examples make the scale clear:
- Morgan Stanley was fined $35 million by the SEC in 2022 for failing to properly safeguard and dispose of customer data. That case was about data protection rather than notification, but it shows the size of the penalties regulators are willing to impose for mishandling personal information.
- Drizly’s CEO was named personally in the FTC’s order following the company’s 2020 breach, with obligations that follow him to future companies. It was a signal that individual executives, not just companies, can face consequences.
- Under HIPAA, civil penalties range from $100 to $50,000 per violation, with an annual cap (adjusted for inflation) of roughly $1.9 million for violations of the same provision. Failing to notify affected individuals and HHS under the HIPAA Breach Notification Rule is itself a violation.
The FTC has also expanded its enforcement posture under the updated Health Breach Notification Rule, which brings health apps and platforms that are not covered by HIPAA into scope.
Failing To Notify Affected Users Often Leads To Class Action Lawsuits.
When companies fail to notify affected individuals on time, or at all, civil litigation often follows. Affected consumers can sue for:
| Claim Type | Basis |
|---|---|
| Negligence | Failure to protect data or to disclose the breach |
| Breach of contract | Violation of the company’s own privacy policy terms |
| Statutory violations | Breach of state breach notification or consumer protection laws |
| Identity theft damages | Actual financial harm caused by misuse of the exposed data |
According to Statista, the number of data breach victims in the U.S. reached over 353 million in 2023. That is a large pool of potential plaintiffs, and plaintiff attorneys have taken notice.
Class action settlements in breach cases have reached hundreds of millions of dollars in recent years.
Executives Can Face Personal Criminal Liability For Covering Up A Breach.
Most breach notification failures result in fines or civil suits. But in cases involving deliberate concealment, criminal charges are possible.
The clearest example is Uber. In 2016, the company suffered a breach affecting 57 million riders and drivers. Instead of disclosing it, Uber paid the attackers $100,000, routed through its bug bounty program, to delete the data and stay quiet.
Its former Chief Security Officer, Joe Sullivan, was convicted in 2022 of obstructing an FTC investigation and concealing a felony, and was sentenced in 2023 to three years of probation and a fine. It was a landmark case that sent a clear message to corporate security teams across the country: the cover-up, not the breach itself, is what turned a security incident into a criminal one.
Reporting A Breach Too Late Still Carries Legal Consequences.
Even when companies do eventually report a breach, reporting too late can trigger penalties. Many states set a fixed deadline, typically 30 to 60 days from discovery of the breach; others require notice “without unreasonable delay,” which regulators interpret case by case.
California’s law requires notification in the “most expedient time possible and without unreasonable delay.” Missing those windows, even without any intent to conceal, can still result in fines, so the clock starts at discovery, not at the end of the internal investigation.
The Legal And Financial Cost Of Silence Is Higher Than Disclosure.
IBM’s 2023 Cost of a Data Breach Report found that organizations that identified and contained a breach within 200 days spent about $1 million less on average than those that took longer. That figure measures response speed rather than disclosure directly, but the same preparation that shortens containment (incident response plans, clear ownership, and rehearsed notification procedures) is what makes timely disclosure possible.
Transparency, while uncomfortable, is consistently the less costly path, legally and financially. If your organization handles personal data, the question is not whether to report. It is whether you are ready to report correctly and on time.
