Data Breach.
An incident in which personal or sensitive data is exposed to unauthorized parties — whether by attack, accident, or insider — triggering legal notification requirements under GDPR, CCPA, HIPAA, state breach laws, and sectoral rules.
The 72-hour GDPR notification clock starts at awareness, not discovery (the rule turns on when the controller knew or should have known), and it is the operational pressure point. Incident-response processes that don't pre-stage breach counsel, notification templates, and regulator-contact paths burn the clock on logistics; processes that do pre-stage spend it on actual investigation. Either way, the legal notification clock and the investigation clock run concurrently.
Common questions
What's the legal definition of a data breach?
How long do I have to notify after a breach?
Does GDPR require notification for all breaches?
In the guides
Account Takeover Defense: A Layered Approach for 2026
ATO is the single largest CIAM threat in 2026. The defense stack is layered: credential-stuffing protection, MFA, session management, and recovery design, each addressing a different attack class.
HIPAA and CIAM: The Healthcare Identity Compliance Checklist for 2026
HIPAA's Security Rule constrains how CIAM handles healthcare identity. The technical safeguards, the auditor's checklist, and vendor-selection implications for 2026.
PCI DSS 4.0 and CIAM: Identity Requirements for Payment Workloads
PCI DSS 4.0's Requirements 7, 8, and 10 directly constrain CIAM design for any system handling cardholder data. MFA, audit logs, role separation, and the gotchas that fail QSA audits.
The True Cost of a CIAM Breach: Downside Modeling for Identity Incidents
A CIAM breach is rarely 'just' a breach. Direct response, regulatory exposure, customer churn, and brand damage compound for years — modeled honestly for finance and security leaders.