In the case of a confirmed or suspected personal data breach (generally meaning the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data), a breach disclosure (also known as breach communication or breach notification) is the process of notifying the individuals whose personally identifiable information (PII) or personal data was involved that the breach incident has occurred or may have occurred. The individuals may include employees, clients or customers, and possibly other third parties such as vendors or processors. It is a transparency mechanism that highlights the security failure, allowing affected parties to take additional measures to protect their PII or personal data, mitigate damage, or take other steps to remediate injuries caused by the breach.
Breach reporting, breach notification, or breach disclosure is also the process of notifying regulators and other agencies that there was a confirmed or suspected breach incident.
The data controller/owner is almost always the entity required to notify regulators, authorities, and affected individuals of a breach incident affecting the confidentiality and security of personal data. If a vendor (processor, third party, consultant, etc.) has a breach, it must notify the data controller/owner.
Laws, regulations, and industry standards dictate specific requirements, including time frames, mandatory information, how the information is presented, obligations such as providing free credit monitoring, etc. These requirements can depend on the location of the business and the location of the affected individuals.
United States: Referred to as breach reporting, breach disclosure, or breach notification.
European Union: Referred to as breach notification or breach disclosure.