Presently in the United States, all states have breach notification laws that will require you to notify affected parties and provide remediation services. These laws may even require you to notify several attorneys general. These laws differ from state to state and you'll have to comply with all statutes relevant to the incident - not just the law in your home state.
In the UK and EU, businesses have a duty to report data breaches within 72 hours of becoming aware of the breach, as required by the General Data Protection Regulation (GDPR).
It's pretty daunting, which is why many select a cyber insurer to take care of all this and pay the bills.
Always refer to the relevant agency for the most up-to-date information. If you would like any further details regarding your local regulations, it's recommended to contact the relevant agency for clarification.