Under the FACT Act, what triggers breach notification obligations?

The key concept is that breach notification obligations arise when there is exposure of personal information that is not adequately protected. Specifically, if personal information is unencrypted and a breach occurs that could lead to identity theft, organizations must provide timely notice to affected individuals (and often to regulators as required). Encryption matters: data that is properly encrypted generally reduces risk, and breaches involving encrypted data may not trigger the same notice requirements. Everyday system updates, routine backups, or temporary loss of network access don’t by themselves constitute a breach with exposed personal information, unless they actually result in unencrypted data being exposed. So the scenario described—unencrypted personal information being breached with potential to cause identity theft—best matches the trigger for notifying individuals in a timely manner.