There is an ongoing case known as The United States versus Love. As always when I mention the law on this site, I am not a lawyer, so I will link to all of my sources inline and allow you to draw your own conclusions. I support Lauri Love and I would like to detail some reasons why you should too. I also wish to highlight some things you should be seriously concerned about regardless of your opinion on Lauri or his case specifically.
I’m going to go ahead and open with: I am not a lawyer. If you’ve had a data breach and you need to know if you should notify an authority, or the public, you should speak to a lawyer. Don’t take legal advice from a blog post. I was researching the requirement to disclose under UK law and I thought it was interesting so here are some (probably incomplete) notes to explain (my interpretation of) the current UK Law.
Interpreting and understanding law is a difficult thing. However, many Information Security, Ethical Hacking, and Cyber Security degree courses feature understanding the law as a requirement. There’s also an awful lot of law and literature out there about the many offences that an individual could commit during the normal course of careers in offensive security roles such as penetration testing.