I've worked in this area.
Which breach notification law applies depends on where the affected individuals reside, not where the company is headquartered. So, Garmin has to worry about whether a breach has occurred by the definition of every jurisdiction in which they have customers.
Now...just because a company has been hacked does not mean a breach, as defined by a state's breach notification law, has happened.
For example, I live in Virginia. Garmin would have to notify me if there was an exposure of a) my first initial and last name or first and last name combined with b) my social security number, driver's license number, financial account information, military ID number, or passport number.
Garmin has my name, but not as far as I can remember any of that other information. So....even if my name was exposed, or my running routes, or my email address, Garmin does not need to notify me.
Most states have similar definitions of PI - some combination of name and numerical or financial information. If you want to have fun, here's one chart of the various notification laws in the US.
https://www.perkinscoie.com/images/content/2/3/v3/234941/Security-Breach-Notification-Law-Chart-06.22.2020.pdf
In Europe, under the GDPR, there is a broader definition of "personal data". And notification is required if the data is destroyed, accessed, altered.
But....if all the personal information has been encrypted, and Garmin has no reason to believe that it has been exposed, stolen, or destroyed, then there's no notification requirement. The fact that Garmin is down does not in itself constitute a notifiable breach under any law that I am aware of (it's been a few years since I worked in this area).
Also worth noting...if there was a notifiable breach, the notification takes a LOT of time, and cannot be instant. In the US, each state has its own requirements around the form of the communication - how it is sent, what is stated in it, etc. And some states require that the attorney general or similar review and approve the notification before it is sent out.
And once you've got all those notifications drafted and approved, you still have to get them sent out. Which is a massive amount of work when you have many, many users (there are vendors who specialize in doing the mass mailing for you, and tracking returns, as well as maintaining a call center to field questions).