Why breach notification delays can trigger lawsuits and liability

On August 14, 2025, in Boston federal court, two former employees of DTiQ Technologies filed a class action lawsuit claiming the company failed to promptly notify them after their sensitive information was exposed in a cyberattack. The plaintiffs allege they did not learn of the breach until more than six months after DTiQ discovered it, leaving them vulnerable to fraud and identity theft. The case, O’Brien et al. v. DTiQ Technologies, Inc., seeks at least $5 million in damages.

This lawsuit highlights a growing risk for businesses everywhere. Data breach notification is not optional, and delays can bring legal and reputational consequences.

The legal landscape of notification

In the United States, breach notification laws are set at the state level. California was the first to enact such a law in 2003, and today every state has one. These laws typically require businesses to notify affected individuals “in the most expedient time possible and without unreasonable delay.” Some states impose specific time frames, such as Florida’s 30-day rule.

At the federal level, the Federal Trade Commission (FTC) enforces data security under its authority to prevent unfair or deceptive practices. The FTC has issued guidance reminding companies that unreasonable delays in notifying victims can themselves be considered unlawful.

Internationally, the European Union’s General Data Protection Regulation (GDPR) sets one of the strictest standards. Under GDPR, organizations must notify the relevant data protection authority within 72 hours of becoming aware of a breach, and in some cases must also notify affected individuals. Canada, Australia, and other jurisdictions have their own notification laws.

For U.S. companies seeking reliable sources on breach notification rules, start with:

• The National Conference of State Legislatures (NCSL) summary of state data breach laws

• The FTC’s guidance on data breach response

• The International Association of Privacy Professionals (IAPP), which tracks global legal requirements

Why timeliness and clarity matter

Time is everything in a data breach. A victim who knows their Social Security number or bank account information has been exposed can immediately monitor their accounts, place fraud alerts, or freeze credit. Without timely notice, people lose the chance to act early, which makes the consequences of identity theft much worse.

Clarity also matters. And is often mandated by regulation. A vague notification letter that glosses over details is no better than no letter at all. Victims need to know what kind of data was exposed, how it might be used, and what specific steps they should take.

What companies should do

When a breach occurs, companies should:

• Immediately investigate and confirm the scope of the breach

• Confer with legal consul and communications teams

• Notify affected individuals as quickly as possible, in plain language, with specific details

• Provide concrete tools for protection, such as credit monitoring and identity theft protection

• Notify regulators if required, within the mandated time frames

The DTiQ lawsuit shows that what happens after a breach can be as important as the breach itself. A slow or soft response is not only harmful to victims. It can also be what lands a company in front of a judge.

Breach readiness checklist

IT operations

• Route system and application logs to a SIEM or cloud logging platform; configure automated alerts for anomalies.
• Routinely validate that patches are successfully installed according to the schedules your company has established and report any gaps to your leadership.
• Schedule quarterly backup and log file restoration drills to ensure business continuity after a breach.

GRC and compliance staff

• Maintain and rehearse the incident response plan quarterly, including tabletop exercises to verify staff readiness.
• Start a simple list of security controls sourced from a well-rounded security standard or framework (e.g., NIST CSF) to pivot into formal breach readiness policy.
• Verify that your incident response runbook includes communication steps, not just technical ones.

Security architects

• Reassess network segmentation regularly, applying least-privilege access between workloads. Enforce policies with software-defined networking or Zero Trust network tools.
• Conduct periodic breach simulations using red/blue team exercises or automated BAS (Breach and Attack Simulation) platforms to uncover gaps in defenses.

CISOs and security leaders

• Establish a recurring executive-level review of breach readiness posture, presenting metrics from simulations and incident response drills.
• Institutionalize ongoing security awareness by deploying routine phishing simulations and automated refresher training.
• Subscribe to relevant threat intelligence feeds and ensure that findings flow into SOC operations and risk assessments.

Next step: Detect breaches fast enough to notify on time

You can’t notify victims quickly if you don’t detect breaches quickly. ThreatLocker Detect provides real-time monitoring and isolation so you see suspicious activity the moment it happens. Faster detection means faster investigation and notification, before delays turn into lawsuits.

Learn more about Detect

‍