There are 33 laws that govern when and how you should notify the people named in exposed files. California SB 1386 is the standard bearer, but the Federal Trade Commission has its own list of recommendations. “Time is of the essence,” says Larry Ponemon, head of the Ponemon Institute, a research firm in Traverse City, Mich., covering privacy, data protection and information security policies. The worst practice is to take the cheap route and communicate by e-mail, Ponemon said.”]
Source: https://www.csoonline.com/article/2122081/what–when-and-how-to-respond-to-a-data-breach.html