Why breach notification delays can trigger lawsuits and liability

Written by:

Sarah Kinbar, Strategic Content Writer

On August 14, 2025, in Boston federal court, two former employees of DTiQ Technologies filed a class action lawsuit claiming the company failed to promptly notify them after their sensitive information was exposed in a cyberattack. The plaintiffs allege they did not learn of the breach until more than six months after DTiQ discovered it, leaving them vulnerable to fraud and identity theft. The case, O’Brien et al. v. DTiQ Technologies, Inc., seeks at least $5 million in damages.

This lawsuit highlights a growing risk for businesses everywhere. Data breach notification is not optional, and delays can bring legal and reputational consequences.

The legal landscape of notification

In the United States, breach notification laws are set at the state level. California was the first to enact such a law in 2003, and today every state has one. These laws typically require businesses to notify affected individuals “in the most expedient time possible and without unreasonable delay.” Some states impose specific time frames, such as Florida’s 30-day rule.

At the federal level, the Federal Trade Commission (FTC) enforces data security under its authority to prevent unfair or deceptive practices. The FTC has issued guidance reminding companies that unreasonable delays in notifying victims can themselves be considered unlawful.

Internationally, the European Union’s General Data Protection Regulation (GDPR) sets one of the strictest standards. Under GDPR, organizations must notify the relevant data protection authority within 72 hours of becoming aware of a breach, and in some cases must also notify affected individuals. Canada, Australia, and other jurisdictions have their own notification laws.

For U.S. companies seeking reliable sources on breach notification rules, start with:

Why timeliness and clarity matter

Time is everything in a data breach. A victim who knows their Social Security number or bank account information has been exposed can immediately monitor their accounts, place fraud alerts, or freeze credit. Without timely notice, people lose the chance to act early, which makes the consequences of identity theft much worse.

Clarity also matters, and it is often mandated by regulation. A vague notification letter that glosses over details is no better than no letter at all. Victims need to know what kind of data was exposed, how it might be used, and what specific steps they should take.

What companies should do

When a breach occurs, companies should:

  • Immediately investigate and confirm the scope of the breach
  • Confer with legal counsel and communications teams
  • Notify affected individuals as quickly as possible, in plain language, with specific details
  • Provide concrete tools for protection, such as credit monitoring and identity theft protection
  • Notify regulators if required, within the mandated time frames

The DTiQ lawsuit shows that what happens after a breach can be as important as the breach itself. A slow or soft response is not only harmful to victims. It can also be what lands a company in front of a judge.

Protect your business before a breach happens

The best way to avoid the costs and consequences of delayed notification is to prevent breaches in the first place. ThreatLocker gives businesses the tools to do just that, with Application Control, Ringfencing™, and privileged access management designed to keep cybercriminals out of your systems. Notification laws may vary, but one truth is universal: no breach means no breach lawsuits. Schedule a ThreatLocker demo today.
