D8 · CySA+

What is breach notification?

Breach notification timelines: GDPR (72 hours to the supervisory authority), HIPAA (60 days to HHS and to affected individuals), PCI DSS (immediately to the card brands), state laws (30-60 days to individuals, varies by state).
Notify legal counsel first; they guide the notification process. The GDPR 72-hour clock starts when you become aware of the breach. HIPAA requires notification to individuals if PHI was accessed. Some states (California, under CCPA) have strict notification requirements. Document the decision-making process for all notifications made (and not made).