Do you know when to report a data breach? At what level do you need to report a data breach when it happens? Let us take a look into that in this article.
When to Report a Data Breach
In the event of a data breach, companies in the UK need to report the breach to the relevant authority within 72 hours of discovering it, as the GDPR requires. In the US, senators introduced a bill in June 2021 that would oblige companies to report a breach within 24 hours. Once it is passed, that will become the standard for when to report a data breach; today, though, there is no fixed timeline. When in doubt, report it!
If you do not report a breach on time, you may be subject to penalties. But what kind of data breach do you need to report? A data breach occurs when a person's data is compromised. This could be any of the following:
- Unauthorized access to personal data.
- Loss of personal data.
- Intentional or accidental destruction of personal data.
Any of the above should be reported to the relevant authorities immediately. Notification must also be sent to the people concerned, informing them of what has happened and what they can do to protect themselves.
To know when a breach needs to be reported, you need to know the three major types of breaches, since the type indicates whether a breach must be reported:
- Security incident. This is when an incident involving a company’s security is detected by the company or any other external party. This may include a law enforcement agency, regulator, or even customers.
- Phishing attack. This is when an attacker sends an email impersonating a legitimate organization to trick users into entering their information into fake websites or disclosing sensitive information. You should report this if it compromises user or corporate databases in your organization. You should also report phishing attacks if your employees have fallen victim to them but did not disclose it.
- Malware infection. This happens when malicious software (e.g., a virus) infects your computer systems, either through a download from the internet or through removable media. Note that ransomware can also encrypt files on your computers, making it difficult to retrieve them without paying the attacker for the decryption key.
If you notice that you have been a victim of any of these three, report it to the relevant authorities immediately. If you suspect a data breach but are not sure, you can always contact the authorities and ask for guidance.
For example, if you suspect a malware infection in your organization but do not know for sure, you can email the relevant authorities asking how to proceed. You should also report the situation if you have experienced any of the three but are not sure whether the breach falls within the scope of a law or regulation.