📋 Ransomware Response Guide  ·  Step 6 of 7

The legal aftermath can outlast the attack

The ransomware incident itself may be resolved in days or weeks. The legal, regulatory, and compliance consequences can stretch for months or years. Breach notification laws, sector-specific regulations, and contractual obligations all impose deadlines, formats, and content requirements that businesses miss at their peril.


This is a legal exercise, not an IT exercise

Step 6 is not optional and not delegable to IT. The decisions made here — what to disclose, to whom, in what timeframe, and in what language — have legal consequences that can include regulatory fines, class action exposure, and loss of operating licenses. Breach counsel should be leading this work, with IT providing the technical inputs.

The questions to answer in this phase:

  • Was personally identifiable information (PII), protected health information (PHI), or other regulated data exposed or accessed?
  • Which regulations apply to that data, given the jurisdictions of the affected individuals?
  • What are the notification deadlines and required content under each applicable regulation?
  • What contractual notification obligations exist with customers, vendors, or partners?
  • Does the incident require disclosure to investors, lenders, or auditors?

NYDFS 23 NYCRR Part 500 — for NY-licensed financial entities

If your business holds any New York Department of Financial Services license — including insurance, banking, mortgage origination, money transmission, or investment management — NYDFS Part 500 applies. Ransomware almost always triggers reporting obligations under this regulation.

Key requirements:

  • 72-hour notification to the NYDFS Superintendent for cybersecurity events that have a reasonable likelihood of materially harming the entity's operations
  • 24-hour notification required for any extortion payment
  • Required annual certification (due February 15) must accurately reflect the incident and remediation
  • Documentation of incident response must be maintained for examination

NYDFS examiners review post-incident documentation closely. Missing or inadequate documentation creates enforcement exposure even if the incident itself was handled well.

HIPAA Breach Notification — for healthcare entities and business associates

If your business is a HIPAA covered entity (provider, plan, clearinghouse) or business associate, and the ransomware incident affected protected health information, HIPAA breach notification rules apply.

Key requirements:

  • Notification to affected individuals within 60 days of discovery
  • Notification to HHS Office for Civil Rights — within 60 days if 500+ individuals affected, annually if fewer
  • Notification to local media if 500+ affected individuals in a single state
  • Specific content requirements: what happened, what data was involved, what steps individuals should take, what the entity is doing

Ransomware affecting PHI is presumed to be a breach unless the entity can demonstrate low probability that PHI was compromised — a four-factor analysis that must be documented. Most law firms recommend treating ransomware affecting PHI as a notifiable breach unless forensics definitively rules out access.

SEC Cybersecurity Disclosure Rules — for public companies and registered advisers

Public companies and SEC-registered investment advisers face cybersecurity disclosure requirements that have tightened significantly. Material cybersecurity incidents must be disclosed on Form 8-K within four business days of materiality determination.

What this means practically:

  • Materiality is assessed promptly — not when the incident is fully resolved
  • The four-day clock starts when materiality is determined, not when the incident is discovered
  • Disclosure must cover the incident's nature, scope, timing, and material impact
  • Investment advisers face additional rules around incident response programs and disclosures to clients

State data breach notification laws

All 50 US states have data breach notification laws. The two most relevant for businesses operating in the Northeast:

New York SHIELD Act

  • Applies to any business holding private information of NY residents
  • Notification "in the most expedient time possible and without unreasonable delay"
  • Includes notification to the NY Attorney General, Department of State, and Division of State Police

Connecticut Data Breach Law and CTDPA

  • Notification of affected CT residents required within 60 days
  • Notification to the CT Attorney General required
  • CTDPA (Connecticut Data Privacy Act) adds additional obligations for businesses meeting threshold criteria
  • CTDPA threshold drops to 35,000 CT consumers in July 2026 — significantly more businesses will be covered

Contractual notification obligations

Beyond regulatory requirements, your contracts likely contain breach notification clauses. These are commonly missed because they don't have the same publicity as statutory requirements.

Where to look:

  • Customer master services agreements — especially for B2B services
  • Vendor contracts where you process data on their behalf
  • Business Associate Agreements under HIPAA
  • Data Processing Agreements under privacy regulations
  • Loan and credit agreements — banks often have material adverse event clauses
  • Cyber insurance policies — which usually carry their own notification obligations and deadlines, in addition to notifying the carrier itself

Failure to notify contractually required parties on time can result in claims for damages even when no regulatory breach has occurred.

Document everything — for the next audit, exam, and lawsuit

The post-incident documentation package is what regulators, auditors, and litigants will examine. Build it as you go:

  • Incident discovery timeline with timestamps
  • Response actions taken, by whom, when, and with what result
  • Forensic findings and final scope determination
  • All notifications sent — to regulators, customers, employees, partners — with dates and copies
  • Remediation actions taken and their completion dates
  • Lessons learned and changes to the security program

This documentation supports regulatory examinations, insurance claims, board reporting, and your defense in any litigation that may follow. It is the most important non-technical output of the incident response.

Step 6 Action Checklist

  • Determine whether PII, PHI, or other regulated data was exposed
  • Identify all applicable regulations: NYDFS, HIPAA, SEC, state breach laws
  • Calendar all notification deadlines — most start from incident discovery
  • Review all customer and vendor contracts for breach notification clauses
  • Coordinate notifications with breach counsel — never go it alone
  • Document forensic findings supporting any decisions not to notify
  • Maintain a complete documentation package for regulators and litigation defense
  • Update annual compliance certifications to reflect the incident accurately

What's next: Step 7: Harden Environment

Once you've completed this step, the next priority is hardening your environment so the same attack cannot succeed again. That's covered in Step 7 of this guide.

©2026 Moore Technology Consulting. All Rights Reserved.