How and When Should a Data Breach Be Reported?

A company must report a data breach to the relevant regulator and its customers when personal data is breached and at risk of further unauthorized disclosure.

The threshold for reporting will depend on the type of personal data, the potential impact on individuals, and the likelihood of further unauthorized disclosure.

Data breaches can have a significant reputational impact on companies. For example, cyber-attacks are reported widely by media outlets, leading to negative PR for the company that has been targeted.

There is a high risk that if you fail to report a breach when required you could be fined by regulators or incur other financial penalties from customers or other third parties.

For more information on the legal ramifications, visit Keller Postman Data Breach.

Which Regulator Should Be Notified About a Data Breach?

It depends on the type of data that has been breached. The regulator notification duty will differ depending on the type of data breach.

If the personal data is health data or financial data, both the Information Commissioner’s Office (“ICO”) and the Financial Conduct Authority (“FCA”) must be notified.

In the event of a breach affecting payment data, the Payment Card Industry Data Security Standard (“PCI DSS”) requires the breach to be reported to the ICO.

In addition, the breach must be reported to the card associations, and the relevant supervisory authority in the European Union where the breach is likely to “result in a risk to the security of personal data” and where the company is not directly regulated by the ICO.

What Information Must Be Provided to the Regulator?

The regulator will require certain information to be provided in the breach notification, including the nature of the breach, the risks and likelihood of damage resulting from it, the type of data concerned and the number of individuals affected.

The regulator will also require the company to conduct an investigation into the breach, and provide a written report with further information and analysis.

What Information Must Be Provided to Customers?

Where applicable, the company must provide the affected individuals with information about the breach, including the nature of the breach, the type of data and the likely consequences of the breach.

Where the breach is likely to result in a financial loss or financial risk to the individuals, the company must also provide advice on what action the individuals should take in response to the breach.

Confirming a Data Breach Has Occurred

In order to confirm a breach has occurred, a company must first identify the type of data that has been breached.

This may be straightforward in certain circumstances, such as where the breach involves payment data.

However, it may be more complex in other circumstances, such as where the breach involves health data or sensitive personal data.

Once a company has identified the type of data that has been breached, it must assess the likelihood and potential severity of the breach.

This will depend on a number of factors, including the nature of the data, the extent to which the data is protected, how the data was obtained, and the likelihood that the breach will be discovered.

On the other hand, one of the ways to prevent a data breach is understanding HIPAA compliance, which is a crucial component of network security compliance.

The security rule sets standards for protecting health information created, received, used, or maintained by covered entities. The security rule requires health information to be protected against unauthorized access and disclosure.

Key Takeaways

If a company has breached the data protection obligations and there is a risk of further unauthorized disclosure of personal data, it should be reported to the relevant regulator and customers as soon as possible.

Although the reporting requirements may seem daunting, the rewards of being fully compliant with the GDPR will far outweigh any negative impact on the business.