The frameworks your IT director already recognizes.
One page. Three jurisdictions. Notification clocks and reporting paths called out where they exist.
United States — federal
Covered municipal infrastructure (water, transit, emergency services).
Any compromise touching FBI-shared criminal-justice information.
Municipal EMS, public-health clinics, employee health plans.
Voluntary framework referenced in state and local cyber grants (SLCGP).
Free for US SLTT entities. Coordination and threat intel, not regulator.
United States — state
PII of California residents, including those served by your municipality.
Written information security program required for entities holding MA-resident PII.
Reasonable security and breach notification for NY-resident data.
60-day notification for breaches affecting Texas residents.
Every state has a breach-notification statute. Notification scope is determined by where the affected residents live, not where the municipality is.
Canada — federal
Federal private-sector law. Limited municipal applicability but relevant for vendor relationships.
Federal coordinating body for SLTT cyber incidents. Free programs and incident coordination.
Canada — provincial
Ontario municipal public-sector privacy law. Mandatory breach notification to IPC Ontario for significant breaches.
Provincial public-sector privacy law. Each province has its own commissioner and timelines.
Québec municipal privacy framework, recently strengthened by Law 25. CAI is the regulator.
United Kingdom
All UK local authorities. 72-hour notification to the ICO for significant breaches.
National Cyber Security Centre guidance specifically for local government.
Operators of essential services — applies to some municipal water and transport operators.
Cross-cutting
Constrain how incidents can be discussed in council and what must be disclosed. Every jurisdiction has these — usually with a security-matters exception for closed session.
Election-administration advisory for jurisdictions running federal elections.
US states
Top jurisdictions at launch. More states added as visitor volume warrants.
Without unreasonable delay; AG copy required if >500 residents affected.
60 days to affected residents and AG (if >250 affected).
Most expedient time possible without unreasonable delay.
As soon as practicable and without unreasonable delay.
30 days to affected residents; AG notification if >500 affected.
Canadian provinces
Five provinces at launch. Others added as demand warrants.
Promptly for significant breaches; no fixed statutory clock for municipalities (yet).
Without unreasonable delay if real risk of significant harm.
Promptly — Law 25 imposes notification for confidentiality incidents posing risk of serious injury.
Without unreasonable delay if real risk of significant harm.
As soon as practicable for material breaches.
Common questions about municipal breach notification
Every US state has its own clock — California requires notice without unreasonable delay (with an AG copy if more than 500 residents are affected), Texas requires 60 days, and most other states fall between. CIRCIA adds a federal 72-hour clock to CISA for covered municipal infrastructure, and 24 hours for ransomware payments.
Provincial public-sector privacy laws (MFIPPA in Ontario, FIPPA in BC/AB/MB/NL/NS/PEI/YT, Law 25 in Québec) each set their own thresholds, generally requiring notification to the privacy commissioner and to affected individuals when there is a real risk of significant harm.
Only to the parts of your municipality that act as a covered entity — typically EMS, public-health clinics, and employee group health plans. The 60-day individual notification clock and immediate HHS notification for breaches affecting more than 500 people apply to those operations.
If your municipality operates covered critical infrastructure (water, transit, emergency services) you fall under CIRCIA — that's 72 hours for a covered cyber incident and 24 hours for any ransomware payment. Voluntary reporting through MS-ISAC is available to every US SLTT entity at no cost.