Crisis Management: Who You Should Notify in Case of a Data Breach

While your organization should have a cybersecurity strategy in place that calls for regular updates and checking system endpoints for signs of attempted cyber attacks, there is still always a chance that a breach may occur. That’s why we want to share some important information about responding to a data breach.

Crisis management should be an integral part of your cybersecurity strategy so let’s look at some best practices for whom to contact after a data breach and the subsequent crisis management:


  1. Identify the Relevant Parties.
  2. Compile the Necessary Information.
  3. Communicate the right information with a Data Breach Template.

Identify Relevant Parties

The first step is to determine who needs to be notified inside and outside of your organization in the event of a data breach. Depending on where the breach occurs, there may be specific laws regarding who organizations must identify the moment they learn of it. For example, if a breach occurs in Europe, where privacy laws are extremely strict, organizations should have a person on their team familiar with the General Data Protection Regulation framework. In the United States, there is no clear overarching framework, so organizations will need to do their research to understand the guidelines and requirements for incident reporting in each state. 


As a general rule of thumb, when a breach is detected, all affected parties should be notified as soon as possible. Hence, they know they will need to update their security details immediately. This list should include contacts from law enforcement, other businesses that may be affected, and of course, all individuals involved. The Federal Trade Commission has published a guide that businesses can order for free, which provides guidelines to remain HIPAA compliant and meet their standards as well. 


Compile Necessary Information

You will need to create a list of contact information for these individuals, including their names, titles, phone numbers, and email addresses. You’ll want to know whom to contact directly should any highly sensitive information like social security numbers or bank account information be stolen.


This means having a dedicated cybersecurity forensics team ready on standby to mitigate any data leaks as quickly as possible. Frequent cybersecurity communication and testing with major institutions you engage with, such as banks or hospitals, should be a part of the cybersecurity strategy. All contact information should be easily and readily available.


Communicate the Right Information With a Data Breach Template

Once you have compiled this list, you should create a template notification that can be easily customized for each person on the list. 

The template should include:


  • Data controller identification information;
  • Data processing identification information;
  • Data protection officer identification or a person of contact;
  • Purpose of the notification;
  • When the breach occurred;
  • Number of natural persons whose personal data is collected, stored, or processed;
  • Processing activities affected by the breach;
  • Location of the breach.


In the template notification, be sure to include all pertinent information about the data breach, such as when it occurred, what type of data was involved, and how many people were affected.


Again, depending on the jurisdiction where the breach occurred, the template your security team develops may include additional fields. You may need to include the cause of the breach, whether it was accidental or the result of a malicious attack, and if it was the result of an attack, was it internal or from a third party? These are some of the things your security team should consider as they develop their cybersecurity strategy.




What Happens if I Don’t Report a Data Breach?

There are severe consequences, both legal and reputational, that occur when an organization fails to report a cybersecurity breach. 


Financial and Legal Penalties

Withholding information regarding a known cybersecurity data breach can result in fines or tickets from the government. Article 83 of GDPR calls for up to 20 million euros or 4% of a company’s net worth. They go for whatever amount is higher!


Reputational Damage 

While reporting a breach may be a little scary, at the end of the day it is very important and will go a long way when it comes to maintaining your brand or organizational reputation, and could, in the long run, actually lead to increased credibility. When breaches occur, companies suffer from significant financial losses when seeking remediation in the form of regulatory fines and liability expenses, so minimizing reputational brand harm can mitigate stock value changes and maintain the ability to attract new customers.

In conclusion, the objective at the end of the day is to pre-empt a cybersecurity breach or leak with a comprehensive cybersecurity strategy that includes ongoing testing, system updates, and endpoint improvement to stay ahead of the cybercriminals. Having a cybersecurity strategy in place in case a breach should occur is also an important step in keeping your organization’s network and user data secure. 


New Call-to-action