This is from a US perspective. For us Europeans, a lot of these requirements are mandated by the regulator (here is the ICO advice on notification). It’s worth keeping up to date with what happens elsewhere in the world, so have a read of the original article:
Fulfilling a company’s data breach and cybersecurity incident notification and disclosure requirements is an increasing challenge. Companies operating across industry sectors and around the world must satisfy a wide range of statutory, regulatory and contractual requirements, often with differing thresholds, timelines and formats. This article offers six steps companies should consider when navigating this complex process.