Cybersecurity Incident Reporting Requirements in the US

Federal and state laws in the US impose distinct obligations on organizations to report cybersecurity incidents to specific government bodies within defined timeframes. These obligations vary by sector, incident type, and organizational profile — creating a layered compliance landscape that spans CISA, HHS, the SEC, and state attorneys general. Understanding how these frameworks interact is essential for legal counsel, compliance officers, incident response teams, and regulated entities operating across multiple jurisdictions.

Definition and scope

A cybersecurity incident, for regulatory purposes, is an event that compromises the confidentiality, integrity, or availability of an information system or the data it holds. The Cybersecurity and Infrastructure Security Agency (CISA) defines a "significant cyber incident" under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) (Public Law 117-169) as one that is likely to result in demonstrable harm to national security, economic security, or public health and safety.

Reporting obligations apply differently depending on who experienced the incident, what data was involved, and which sector the organization belongs to. The scope breaks into three layers:

  1. Federal sector-specific mandates — Healthcare entities under HIPAA, financial institutions under the Gramm-Leach-Bliley Act, federal contractors under DFARS 252.204-7012, and publicly traded companies under SEC rules each face distinct timelines and disclosure recipients.
  2. Cross-sector CISA reporting — Under CIRCIA, operators of critical infrastructure must report covered cyber incidents within 72 hours and ransomware payments within 24 hours, once CISA finalizes its implementing regulations (notice of proposed rulemaking issued in 2024).
  3. State-level breach notification laws — All 50 states maintain breach notification statutes, with varying definitions of "breach," "personal information," and reporting deadlines, documented in detail on the Data Breach Notification Laws (US) reference.

How it works

The reporting process differs by framework, but common structural phases apply across most mandates:

  1. Detection and classification — The organization identifies an event and assesses whether it meets the statutory or regulatory threshold (e.g., unauthorized access, exfiltration, system disruption, ransomware payment).
  2. Internal escalation — Legal, IT security, and executive leadership are notified according to internal incident response plans, typically aligned to the NIST Cybersecurity Framework (NIST SP 800-61, Computer Security Incident Handling Guide).
  3. Regulatory notification — Reports are submitted to the relevant body within the applicable window. Public companies must file a Form 8-K within 4 business days of determining that an incident is material (SEC final rule, sec.gov/rules/final/2023/33-11216.pdf). HIPAA-covered entities must notify HHS within 60 days of discovering a breach affecting 500 or more individuals (45 CFR § 164.408).
  4. Consumer or individual notification — Where personal data is involved, affected individuals must be notified, with state law setting the timeline (commonly 30–90 days, varying by state).
  5. Supplemental reporting — Some frameworks require follow-up reports. CIRCIA anticipates a supplemental report within 72 hours of submission if new material information emerges.

The federal agency that receives a report depends on the incident type and sector. CISA operates as the central cross-sector coordinator. The FBI's Internet Crime Complaint Center (IC3) accepts voluntary reports of cybercrime. Sector-specific reports flow to HHS (healthcare), the SEC (public companies), the FTC (consumer financial data), NCUA (credit unions), and OCC or FDIC (banking institutions).

Common scenarios

Ransomware attack on a hospital network — A healthcare provider encrypted by ransomware triggers simultaneous obligations: HIPAA breach notification to HHS if patient health information (PHI) was accessed, CIRCIA reporting to CISA if the entity qualifies as critical infrastructure, FBI/IC3 notification, and state breach notification to affected patients. For more on the healthcare-specific framework, see Healthcare Cybersecurity — HIPAA Standards.

Data exfiltration at a publicly traded company — Once the board determines the breach is material under the SEC's December 2023 final rule, the company must file an 8-K within 4 business days. If the attacker accessed payroll or customer financial records, state breach notification obligations also activate, potentially across all 50 states if the customer base is national.

Third-party software supply chain compromise — A federal contractor discovers that a vendor's software update introduced malicious code. Reporting obligations under DFARS 252.204-7012 require notifying the Department of Defense within 72 hours of discovery. CISA may also receive a report if the contractor operates systems linked to federal networks. See Government Contractor Cybersecurity Requirements for the full DFARS and CMMC context.

Small business phishing-related account takeover — A business with fewer than 500 employees experiencing account compromise may not trigger HIPAA or SEC thresholds, but state breach notification laws activate if personal information of state residents was accessed. See Small Business Cybersecurity Requirements for applicable thresholds.

Decision boundaries

Whether a reporting obligation attaches depends on three threshold questions, not general risk perception:

Trigger type — Not every security event is a reportable breach. Unauthorized access to encrypted data where the key was not compromised may not constitute a "breach" under HIPAA's Safe Harbor provision (45 CFR § 164.402). The SEC framework distinguishes between a "cybersecurity incident" (any unauthorized occurrence) and a "material cybersecurity incident" (one requiring 8-K disclosure).

Regulated entity classification — Organizations subject to HIPAA differ from those subject only to the FTC's Safeguards Rule (16 CFR Part 314). A healthcare clearinghouse faces different obligations than a non-bank financial institution. The US Cybersecurity Regulations and Compliance reference maps the primary regulatory frameworks by entity type.

Jurisdictional overlay — A national organization may trigger breach notification duties in every state where affected residents reside. The California Consumer Privacy Act (CCPA) and New York's SHIELD Act impose notification windows and content requirements that differ from federal floors. State-by-state comparison is covered at State Cybersecurity Laws by State.

The contrast between voluntary and mandatory reporting is operationally significant: CISA's voluntary reporting channels (including its 24/7 reporting line and online portal) remain open to all organizations, while CIRCIA will impose mandatory timelines once final rules take effect. FBI/IC3 reporting remains entirely voluntary but supports federal threat intelligence. Mandatory reporting, once triggered, carries penalty exposure — HIPAA civil monetary penalties range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category (HHS Penalty Structure).

References

5 regulatory citations referenced; citations verified Feb 26, 2026.