One of the first things that you should do after discovering a data breach (and investigating it) is to send out data breach notifications. But do you know who to notify in case of a data breach, and why you need to notify them?
Knowing your data breach notification requirements is crucial for achieving compliance, protecting your customers, and avoiding major penalties down the road. So, who should you send data breach notifications to? Here’s a short list of who to contact after a major security breach in your organization:
Who to Notify in Case of a Data Breach? Any and All Affected Customers or Employees
This is an obvious notification to make, but it’s an important one. ANYONE who may have been directly affected by the data breach—especially anyone whose personally identifiable information (PII) may have been compromised—should be notified of the cybersecurity breach and what info was compromised.
This should be done as soon as reasonably possible because after a data breach, there’s a limited window of opportunity for people to protect themselves against identity theft and other forms of fraud.
In the data breach notification email (or text message, or voicemail, or letter), it can help to include some tips for preventing fraud that could result from the compromised customer or employee data. Some tips recommended by Experian include:
- Adding fraud alerts to existing accounts;
- Collecting copies of credit reports;
- Notifying financial institutions of the breach;
- Changing existing account passwords; and
- Gathering identification papers and other information for future reference.
What Are My Other Data Breach Notification Requirements?
Aside from simply notifying any and all affected parties, what are your other data breach notification requirements? This question is a little more complicated, because these requirements may vary from one state to another—though all 50 states do have some form of data breach notification requirement.
Typically, you’ll need to notify local law enforcement agencies and possibly some federal agencies, such as the FBI or the U.S. Secret Service. To make sure you know who to notify in case of a data breach, it’s important to check with your state’s government offices. If your business operates in multiple states, you’ll want to check the requirements for each state individually.
Additionally, who you need to notify of the breach may change depending on the type of information that was compromised. For example, as noted by the Federal Trade Commission (FTC), if the compromised data is covered by the Health Breach Notification Rule, then “you must notify the FTC and in some cases, the media.”
Another concern arises if your business handles the PII of foreign citizens—especially ones from the European Union (EU). This is because EU citizens’ personally identifiable information falls under the EU’s General Data Protection Regulation (GDPR). Article 33 of GDPR stipulates a strict time limit on data breach notifications, saying that:
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
What Are the Consequences for Not Meeting Data Breach Notification Requirements?
So, what happens if your company fails to follow data breach notification requirements? The consequences of failing to send out data breach notifications in a timely manner may vary, but commonly include:
- Fines and Other Penalties. A company found to have withheld data breach notifications may be subjected to fines from government organizations. One example of the potential cost of a fine for failing to meet data breach notification requirements is outlined in Article 83 of GDPR, which could be up to 20 million euros or 4% of the company’s total worldwide annual turnover, whichever is higher.
- Loss of Reputation and Business. Failing to promptly notify customers, employees, and business partners of a major data breach can ruin a company’s reputation. This, in turn, can drive away business—leading to lost sales and partnerships.
- Customers Being Exposed to Fraud. If a data breach notification isn’t delivered in a timely manner, it leaves your customers vulnerable to fraud attempts made using their exposed PII. This can cause them severe financial losses—which they may attempt to recoup in a lawsuit against your company. The faster you can send out data breach notifications, the better the chances are that your customers will be able to take action to prevent fraud from occurring.
Sending out data breach notifications isn’t just a good idea for compliance, it’s a necessary and effective strategy for protecting your business from the fallout of a major cybersecurity compromise.