One of the first things you should do after discovering (and investigating) a data breach is to send out data breach notifications. But do you know who to notify in case of a data breach, and why you need to notify them?
Knowing your data breach notification requirements is crucial for achieving compliance, protecting your customers, and avoiding major penalties down the road. So, who should you send data breach notifications to? Here’s a short list of who to contact after a major security breach in your organization:
This is an obvious notification to make, but it’s an important one. ANYONE who may have been directly affected by the data breach—especially anyone whose personally identifiable information (PII) may have been compromised—should be notified of the cybersecurity breach and what info was compromised.
This should be done as soon as reasonably possible because after a data breach, there’s a limited window of opportunity for people to protect themselves against identity theft and other forms of fraud.
In the data breach notification email (or text message, or voicemail, or letter), it can help to provide some tips for preventing fraud stemming from the compromised customer or employee data. Some tips recommended by Experian include:
Aside from simply notifying any and all affected parties, what are your other data breach notification requirements? This question is a little more complicated, because these requirements may vary from one state to another—though all 50 states do have some form of data breach notification requirement.
Typically, you’ll need to notify local law enforcement agencies and possibly some federal agencies, such as the FBI or the U.S. Secret Service. To make sure you know who to notify in case of a data breach, it’s important to check with your state’s government offices. If your business operates in multiple states, you’ll want to check the requirements for each state individually.
Additionally, who you need to notify of the breach may change depending on the type of information that was compromised. For example, as noted by the Federal Trade Commission (FTC), if the compromised data is covered by the Health Breach Notification Rule, then “you must notify the FTC and in some cases, the media.”
Another concern is if your business handles the PII of foreign citizens—especially ones from the European Union (EU). This is because EU citizens’ personally identifiable information would fall under the EU’s General Data Protection Regulation (GDPR). Article 33 of GDPR stipulates a strict time limit on data breach notifications, saying that:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
So, what happens if your company fails to follow data breach notification requirements? The consequences of failing to send out data breach notifications in a timely manner may vary, but commonly include:
Sending out data breach notifications isn’t just a good idea for compliance; it’s a necessary and effective strategy for protecting your business from the fallout of a major cybersecurity compromise.
Do you need help with your company’s cybersecurity so you can prevent data breaches? Reach out to the team at Compuquip for help and advice!