Tags: Privacy, Breach Notification, Multi-Jurisdiction, Deep Prototype

BreachNotifier — Multi-Jurisdiction Breach Timer

When a breach is detected, every jurisdiction's clock is already running. BreachNotifier shows each one in real time: GDPR 72-hour, NYDFS 72-hour, HIPAA 60-day, California 30-day, plus 6 US states + EU + UK + Canada + Australia + Singapore — with the regulator address, the citation, and the required action.


What it is

The screen the incident-response lead opens at hour 0 of a breach. Inputs: detected-at, people affected, cause, data types affected, resident regions. Output: every notification clock running in parallel, sorted by urgency.

What’s in it

  • 17 notification rules covering: GDPR DPA notification (72hr), GDPR individual notification (72hr if high risk), UK ICO (72hr), HIPAA OCR (60 days for ≥500 affected, annual for <500), HIPAA individual notification (60 days), NYDFS 23 NYCRR §500.17 (72hr), NYDFS board notification (24hr), California Civ. Code §1798.82 (30 days), NY SHIELD Act (30 days), Texas Bus. & Com. Code §521.053 (60 days), Florida FIPA (30 days), Illinois PIPA (45 days), Massachusetts ch. 93H, COPPA for children’s data, Canada PIPEDA, Australia NDB scheme, Singapore PDPA (3 calendar days).
  • Configurable inputs: detected timestamp, people affected, cause (external attack / insider / lost device / misconfiguration / third-party), 8 data types, 11 resident regions.
  • 4 fixture scenarios: healthcare PHI breach, financial data breach, B2B SaaS credential breach, retail card data breach.
  • Per-rule output: regulator address, deadline countdown (“36h overdue” or “44h left”), specific action language, citation.
  • Stat strip: notifications required, past deadline, due ≤24h, within window, individuals affected, hours since detection.

Why this matters

Multi-jurisdiction breach response is paralyzing without a single schema of who must be told, by when, and under which rule. The pattern at every breach: legal counsel, privacy and security are all working from different memos of which state requires what. BreachNotifier puts every clock on one screen.

The healthcare PHI scenario is the most demanding: 4 simultaneous clocks (HHS OCR 60d, individual notification 60d, a state-level 30-60d clock per resident state, plus EU + UK if EU residents are affected). Get one wrong and the fine math from PenaltyCalc kicks in.

How it ships

Single HTML file, ~28KB. Zero dependencies. The 17-rule registry with regulator addresses, deadline math, region/data-type matching, and live countdown are 280 lines of vanilla JavaScript.
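The registry, matching and countdown the list above and this paragraph describe fit in a few functions. The block below is an added example, not BreachNotifier's own code: the deadline windows and the two citations come from the page's rule list, while the region tags (`EU`, `UK`, `SG`, `US-CA`, `US-NY`, with `US` matching any state), the data-type tags, the `minAffected`/`maxAffected` fields and the regulator labels are assumptions made for this example.

```javascript
// Added example (not BreachNotifier's own code): a small rule registry with
// region/data-type matching, deadline math and the "Xh overdue" / "Xh left"
// countdown text the page describes. Windows come from the page's rule list;
// region/data-type tags, affected-count thresholds and labels are assumptions.

const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;

// windowMs === null means the rule applies but carries no countdown
// (the page's HIPAA "annual for <500 affected" case).
const RULES = [
  { id: "gdpr-dpa", label: "GDPR DPA notification", regions: ["EU"], windowMs: 72 * HOUR_MS },
  { id: "uk-ico", label: "UK ICO", regions: ["UK"], windowMs: 72 * HOUR_MS },
  { id: "hipaa-ocr", label: "HIPAA OCR (>=500 affected)", regions: ["US"], dataTypes: ["phi"], minAffected: 500, windowMs: 60 * DAY_MS },
  { id: "hipaa-ocr-annual", label: "HIPAA OCR annual log (<500 affected)", regions: ["US"], dataTypes: ["phi"], maxAffected: 499, windowMs: null },
  { id: "nydfs", label: "NYDFS 23 NYCRR §500.17", regions: ["US-NY"], windowMs: 72 * HOUR_MS },
  { id: "ca-1798-82", label: "California Civ. Code §1798.82", regions: ["US-CA"], windowMs: 30 * DAY_MS },
  { id: "sg-pdpa", label: "Singapore PDPA", regions: ["SG"], windowMs: 3 * DAY_MS },
];

// Assumed tag scheme: a rule region "US" matches any state tag such as "US-CA".
function regionMatches(ruleRegion, incidentRegion) {
  return incidentRegion === ruleRegion || incidentRegion.startsWith(ruleRegion + "-");
}

// A rule applies when a resident region matches, any required data type is
// present, and the affected count falls inside the rule's threshold band.
function ruleApplies(rule, incident) {
  const regionHit = incident.regions.some(r => rule.regions.some(rr => regionMatches(rr, r)));
  if (!regionHit) return false;
  if (rule.dataTypes && !rule.dataTypes.some(d => incident.dataTypes.includes(d))) return false;
  if (rule.minAffected !== undefined && incident.affected < rule.minAffected) return false;
  if (rule.maxAffected !== undefined && incident.affected > rule.maxAffected) return false;
  return true;
}

// Time left is floored so the screen never overstates the margin; overdue is ceiled.
function formatRemaining(remainingMs) {
  if (remainingMs === null) return "no fixed deadline";
  if (remainingMs < 0) return `${Math.ceil(-remainingMs / HOUR_MS)}h overdue`;
  return `${Math.floor(remainingMs / HOUR_MS)}h left`;
}

// Every applicable clock, most urgent first; rules without a countdown go last.
function computeClocks(incident, nowMs) {
  const detected = Date.parse(incident.detectedAt);
  return RULES.filter(rule => ruleApplies(rule, incident))
    .map(rule => {
      const deadline = rule.windowMs === null ? null : detected + rule.windowMs;
      const remaining = deadline === null ? null : deadline - nowMs;
      return { id: rule.id, label: rule.label, deadline, remaining, status: formatRemaining(remaining) };
    })
    .sort((a, b) => {
      if (a.remaining === null && b.remaining === null) return 0;
      if (a.remaining === null) return 1;
      if (b.remaining === null) return -1;
      return a.remaining - b.remaining;
    });
}

// The stat strip: counts by bucket plus hours since detection.
function summarize(incident, clocks, nowMs) {
  const timed = clocks.filter(c => c.remaining !== null);
  return {
    required: clocks.length,
    pastDeadline: timed.filter(c => c.remaining < 0).length,
    dueWithin24h: timed.filter(c => c.remaining >= 0 && c.remaining <= 24 * HOUR_MS).length,
    withinWindow: timed.filter(c => c.remaining > 24 * HOUR_MS).length,
    hoursSinceDetection: Math.floor((nowMs - Date.parse(incident.detectedAt)) / HOUR_MS),
  };
}

// Constructed sample incident (not one of the page's fixtures): a PHI breach
// touching California and EU residents, evaluated 36 hours after detection.
const SAMPLE = {
  detectedAt: "2024-03-01T00:00:00Z", affected: 1200, cause: "external attack",
  dataTypes: ["phi", "credentials"], regions: ["US-CA", "EU"],
};
const NOW = Date.parse("2024-03-02T12:00:00Z");
for (const c of computeClocks(SAMPLE, NOW)) console.log(`${c.label}: ${c.status}`);
console.log(summarize(SAMPLE, computeClocks(SAMPLE, NOW), NOW));
```

Because deadlines are absolute timestamps computed once from `detectedAt`, a live screen only needs to re-run `formatRemaining` on a timer; the registry and matching do not change as time passes, and a rule with no countdown still surfaces so the annual-log obligation is not forgotten.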
