
Data Breach Victim Notification Program (DBVNP)

data breach, consumer protection, dark web, identity protection, compliance, company


Program Overview

Resecurity's Data Breach Victim Notification Program (DBVNP) is a proactive initiative designed to identify data breaches and provide timely notifications to consumers and enterprises worldwide affected by cyber incidents. 

The program combines cyber threat intelligence (CTI), digital identity protection, global monitoring capabilities, and established partnerships with regulators and law enforcement agencies to report compromised data and to mitigate the consequences for victims by increasing transparency about incidents and their root causes. By pairing this technology with a victim-centric approach, the program ensures that affected individuals and organizations are promptly informed and can act to secure their information, prevent further harm, and protect their rights.

The goal of the program is to shift from a reactive to a proactive posture: detecting data breaches and supporting existing data protection regulations, especially in complex cross-border incidents affecting US and EU consumers who share their personal information with online services and data processors located abroad. In previously undisclosed data breaches, for example, impacted consumers remain highly vulnerable because there is no proper mechanism to inform them of the incident and no framework to cover potential damages. The program aims to establish transparency in responsible data breach disclosure and to facilitate the harmonization of cybersecurity practices worldwide to protect consumers and organizations.

Why It Matters

With the increasing frequency and sophistication of cyberattacks, DBVNP bridges the gap between data breach detection and victim protection. It ensures that both consumers and enterprises are not only alerted to potential threats but are also equipped with the tools and knowledge to respond effectively. This initiative underscores Resecurity's commitment to improving global cyber resilience and protecting those most vulnerable to cybercrime.

Unfortunately, many data breaches go undisclosed, are reported late, or are misreported, despite regulatory frameworks such as GDPR and HIPAA that mandate timely breach notification. Detection itself is slow: according to the recent Verizon Data Breach Investigations Report, 66% of breaches take months or even years to detect, and many organizations then further delay notifying affected individuals or the public.

Even after detection, notifications are often delayed due to legal or reputational concerns. For instance, organizations may delay reporting data breaches if law enforcement is investigating, as disclosing the breach could compromise the case; or, what is more concerning, they may never disclose the breach.

While GDPR requires notification of the supervisory authority within 72 hours of becoming aware of a breach, compliance is inconsistent. In the U.S., HIPAA mandates reporting of breaches of unsecured protected health information, but enforcement varies and delays remain common. Some organizations exploit legal loopholes to avoid reporting breaches. In California, for example, notification is triggered only when personal information was, or is reasonably believed to have been, acquired by an unauthorized person, so an organization that asserts it has no "reasonable belief" of acquisition may never notify at all.

In the U.S., laws such as the California Consumer Privacy Act (CCPA) and other state-specific laws allow individuals to seek compensation for data breaches. Under the CCPA's private right of action, for example, a consumer whose nonencrypted and nonredacted personal information is breached because a business failed to implement reasonable security can recover statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater.

Intention

Delayed or undisclosed breaches increase the risk of identity theft and fraud because individuals and businesses are unable to protect themselves in time. Victims often remain unaware of breaches for months or longer. Inaction or unawareness also leads to more significant issues, including espionage and national security risks, particularly concerning defense contractors, financial institutions, e-government providers and critical infrastructure. 

In some cases, breached data is also used in unfair business practices that violate consumers' rights—such as being sold to third parties (data brokers, telemarketing agencies, foreign governments and enterprises) or offered for illegal use without their consent. Enterprises and government agencies face an increasing threat of intellectual property (IP) theft resulting from data breaches, which often originate from compromises within third parties.

Data breaches are also used by criminals (organized crime, gangs, child predators) to target those who cannot defend themselves, which increases the risk of extortion, sextortion, kidnapping, and exploitation. Such incidents already took place in 2024-2025, when minors, women, and cryptocurrency investors were targeted after their information was leaked online. Transnational organized crime (TOC) groups are increasingly leveraging hackers to steal valuable data, using advanced techniques to enhance traditional criminal operations or to facilitate new, highly profitable data-centric crimes.

By combining good-faith cybersecurity research and pro bono engagement, DBVNP by Resecurity aims to increase transparency around data breaches, protect consumers and enterprises worldwide, and improve litigation practices in this area. The program should also reduce the risk of ransomware and cyber-enabled fraud in which stolen data is used for extortion and theft, preventing massive financial losses for the economy.

Key Features and Benefits

  1. Early Detection of Data Breaches
    Resecurity's threat intelligence platform continuously monitors underground forums, dark web marketplaces, and other malicious sources to identify stolen or leaked data in real time. This enables the program to detect breaches early, often before they are publicly disclosed or picked up by conventional dark-web identity-monitoring services.
  2. Comprehensive Notifications
    Victims receive detailed notifications outlining the nature of the breach, the type of data compromised (e.g., personal, financial, or enterprise information), and actionable steps to mitigate their risk.
  3. Consumer and Enterprise Protection
    The program supports both individuals and organizations by providing tailored recommendations to secure accounts, monitor for additional suspicious activity, and implement data protection best practices.
  4. Collaboration with Law Enforcement
    Resecurity collaborates with global law enforcement agencies, CERTs (Computer Emergency Response Teams), and regulatory bodies to assist in breach investigations and ensure the responsible handling of compromised data.
  5. Proactive Risk Mitigation
    By addressing breaches early, Resecurity helps victims reduce the risk of identity theft, fraud, and reputational damage. Enterprises can also avoid potential regulatory penalties and civil and criminal liabilities, and safeguard their customers' trust.
  6. Advocacy, Awareness, and Education
    Resecurity empowers users with educational resources on cybersecurity best practices and how to respond to potential threats, fostering a culture of cyber awareness.

Compliance with Laws and Regulations

DBVNP is designed to comply with a wide range of global privacy laws, data protection regulations, and cybersecurity standards. These laws ensure the responsible handling of sensitive data while facilitating the notification of victims following a data breach. 

In jurisdictions where data protection regulations are not yet mature, we intend to facilitate capability-building and the implementation of best practices for handling data breaches and protecting consumers, which, in turn, will lead to positive changes.

Below is an overview of the key laws with which such a program is compliant:

1. General Data Protection Regulation (GDPR) – European Union
  • Key Requirements: 
    • Article 33: Requires controllers to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach.
    • Article 34: Requires organizations to notify affected individuals of breaches that pose a high risk to their rights and freedoms.
  • How the Program Complies: 
    • Ensures timely notifications to individuals and enterprises impacted by breaches.
    • Protects personal data by following GDPR principles, including data minimization and secure processing.
2. California Consumer Privacy Act (CCPA) – United States
  • Key Requirements: 
    • Provides California residents with rights over their personal data, including the right to know, delete, and opt out of data sharing.
    • Breach notification itself is imposed by California's separate breach notification statute (Civil Code §1798.82); the CCPA adds a private right of action for consumers when a breach results from a business's failure to implement reasonable security.
  • How the Program Complies: 
    • Proactively notifies consumers of breaches that involve their personal data.
    • Adheres to CCPA's focus on transparency and consumer data protection.
3. Health Insurance Portability and Accountability Act (HIPAA) – United States
  • Key Requirements: 
    • The HIPAA Breach Notification Rule requires covered entities and business associates to notify affected individuals and the Secretary of Health and Human Services (HHS) of breaches involving unsecured protected health information (PHI), and to notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction.
  • How the Program Complies: 
    • Ensures healthcare-related breaches are identified and reported to both victims and relevant authorities in compliance with HIPAA regulations.
4. Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
  • Key Requirements: 
    • Organizations must notify affected individuals and the Office of the Privacy Commissioner of Canada (OPC) when a breach poses a "real risk of significant harm."
  • How the Program Complies: 
    • Provides timely notifications to Canadian consumers and enterprises, ensuring compliance with PIPEDA's transparency and risk assessment requirements.
5. Data Breach Notification Laws – United States (State-Level)
  • Key Requirements: 
    • All 50 U.S. states, Washington, D.C., and U.S. territories have data breach notification laws that require organizations to notify affected residents of breaches involving their personal information.
    • Some states, like New York (via the SHIELD Act), have stricter requirements for notification timelines and security measures.
  • How the Program Complies: 
    • Aligns with state-specific requirements, ensuring notifications are delivered within mandated timeframes and that data protection measures meet state standards.
6. Cybersecurity Law of the People's Republic of China
  • Key Requirements: 
    • Organizations operating in China must notify individuals and relevant authorities of data breaches in accordance with the law's data protection and cybersecurity guidelines. Under the Administrative Measures for Reporting National Cybersecurity Incidents (effective November 1, 2025), China mandates extremely strict breach reporting timelines. Network operators must report incidents to the Cyberspace Administration of China (CAC) within 4 hours for general incidents, or as fast as one hour for critical information infrastructure operators (CIIOs).
  • How the Program Complies: 
    • Adheres to China's strict cybersecurity regulations by ensuring breach notifications are handled responsibly and securely within the region. In fact, our intention is not only to notify the affected parties but also to detect the possible presence of foreign data stored on Chinese infrastructure, which often occurs through cross-border data transfers (for example, in banking, logistics, and trade operations with China).
7. Australian Privacy Act (APA) and Notifiable Data Breaches (NDB) Scheme
  • Key Requirements: 
    • Organizations must notify the Australian Information Commissioner and affected individuals of breaches that are likely to result in serious harm.
  • How the Program Complies: 
    • Provides notifications to Australian consumers and enterprises, in accordance with APA guidelines, to safeguard personal data.
8. Other Relevant Regulations:
  • Brazil's General Data Protection Law (LGPD): 
    Ensures timely breach notifications and data protection for Brazilian residents.

  • Singapore's Personal Data Protection Act (PDPA): 
    Requires notification of the Personal Data Protection Commission, and of affected individuals, when a breach is likely to result in significant harm to them or is of significant scale (500 or more individuals).

  • South Africa's Protection of Personal Information Act (POPIA): 
    Mandates breach notifications to regulatory authorities and individuals.

Additional Standards and Frameworks:

  • ISO/IEC 27001: 
    Ensures the program aligns with global information security management best practices.

  • NIST Cybersecurity Framework (CSF): 
    Enables enterprises to implement breach detection and notification processes.

  • PCI DSS (Payment Card Industry Data Security Standard): 
    If the breach involves payment card data, the program follows PCI DSS requirements for secure handling and notification.

Global Impact

The need for information sharing about data breaches and security incidents was one of the central topics at RSA Conference 2026 in San Francisco. Experts agreed on the importance of increasing transparency around breaches and of establishing voluntary reporting channels.

Resecurity's Data Breach Victim Notification Program (DBVNP) operates in compliance with global data protection and breach-notification laws, ensuring that consumers and enterprises receive timely, transparent, and actionable notifications. By aligning with these regulations, the program not only protects consumers worldwide but also helps organizations avoid potential legal and financial penalties associated with non-compliance.
