In breach notification contexts, which scenario triggers notification obligations?

The main idea here is that breach notification obligations depend on whether the personal information involved is unsecured. Encryption and other safeguards matter: if data is encrypted and the attacker only accesses the encrypted data, with the encryption key still protected, many laws do not treat that as a reportable breach. In contrast, when personal information is unsecured—meaning it’s readable or usable without additional safeguards—a breach typically triggers notification requirements. So, the scenario where unsecured personal information is breached is the one that activates the obligation. Storing data securely on a protected server helps prevent a breach from occurring, and breaches of encrypted data or small breach counts do not universally trigger notifications under all regimes, though some jurisdictions have thresholds or exceptions.