Overview
Remote and on-site support when you need it
Whether you need help in the event of a data breach or long-term support to enhance your organisation’s identity theft and breach notification approach, our experts are on hand 24/7 to provide assistance across the incident lifecycle.
Services
Breach notification services
- Data breach notification
- Call centre services
- Identity theft restoration and consultation
- Credit and identity monitoring
Features
Breach notification service features
FAQ
Breach notification FAQ
- What is a data breach?
A data breach is the exposure of confidential, protected or sensitive information to an unauthorised party which leads to the files being viewed or shared without permission. Organisations subject to a data breach must inform the relevant authorities in their country within a certain time period and take other required steps, such as informing the individuals affected if the breach presents a significant risk to them.
- What do I need to do if my organisation suffers a personal data breach?
Following the introduction of the General Data Protection Regulation (GDPR), the need to detect, respond to and report data breaches is now greater than ever for all organisations that process any form of personal information. Organisations that fail to demonstrate appropriate controls and/or fail to report a data security breach to a relevant authority within 72 hours risk significant financial penalties.
- How do I report a data breach?
In the UK, if your business is affected by a data breach, it must be reported to the Information Commissioner’s Office within 72 hours of discovery through a breach notification letter. The information you provide should include a description of the breach, the type and quantity of data compromised, an outline of the likely consequences of the breach, and how you intend to address it. If the impact of a breach represents a high risk to the rights and freedoms of individuals, you should also directly notify those people.
- What is a data breach notification letter?
A data breach notification letter is the method through which organisations comply with their legal obligation to inform the Data Protection Authorities (DPAs) for their country or the individuals affected. Because your notification letter is your primary communication with stakeholders regarding your data security incident, it plays a key role in controlling your message and managing breach population fears.
- What should a data breach notification letter include?
Breach notification letters should include a brief description of what your organisation is doing to investigate the breach and how it aims to take action to minimise the impact on individuals and to prevent any further breaches. Kroll experts will work with your team to implement a personalised, plain-language notification letter that provides pertinent information and maintains message control.
- What steps should I take to defend my organisation against a data breach?
In Kroll’s 2021 Data Breach Outlook report, 43% of the organisations interviewed still felt they were not ready to notify in the event of a breach. Given the significant growth in data breaches, we strongly recommend that organisations take proactive steps to prepare for a notifiable data breach incident. Our five key recommendations for better preparing for a breach event are:
• Negotiate and retain key vendors to assist during incident response
• Conduct tabletop exercises with leadership and incident response specialists
• Provide education, training and technical support to employees
• Understand where data resides in your organisation
• Don’t rely on encryption as your only method of defence
- How do breach notification services support the fulfilment of regulatory requirements?
In today’s global economy, where data can cross many jurisdictions, your organisation may be required to comply with a patchwork of stringent notification regulations. This can make acting in the event of a data breach even more complex. Our data breach notification solutions enable companies under pressure to deal with data issues across different areas, with call centres staffed by multilingual representatives. As data privacy regulations evolve, we track them closely, developing capabilities to fulfil the needs of organisations in various jurisdictions.
Get immediate incident response assistance
Get in touch
Breach Notification Support
Simplifying the complex demands of breach notification
Our proven expertise and unrivalled resources enable us to ensure that your data breach response is managed in a way that complies with regulatory expectations and protects your reputation. Kroll has delivered notification and call centre services to hundreds of millions of people worldwide, and our team routinely handles the most pressing emergencies with speed and efficacy.
Breach notification retainers
Flexible breach notification retainers
To help your organisation respond faster and more effectively to data breach incidents, Kroll’s breach notification retainer provides elite digital forensics and incident response capabilities on-demand. Our client-friendly notification retainers offer value for money and maximum flexibility and include a range of services, such as sending data breach notification letters, rapid data cleansing and identity theft restoration and consultation to support victims.
About us
Why choose Kroll?
- Flexible, on-demand services
- Recognised by CREST and the PCI Council
- A global team of breach notification specialists
- 3,200 security incidents responded to every year