07) Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner?
Business Resilience Breach Notification
Written by Haydn Brooks
Created on March 18, 2019
Modified on September 3, 2020

Answer yes if your organisation has a documented process for reporting information security breaches to all affected clients within 72 hours of the breach being discovered. Please describe the process in the notes, or provide a process document (as a PDF file) as evidence.

If your organisation holds data on behalf of your clients, you must have a documented process for notifying them in a timely manner of any security breaches that may affect them. Ensure that the process you have implemented reports incidents quickly enough to comply with any client contractual requirements or legal requirements your company may be subject to.

If a security breach includes the personal data of a UK or EU subject, a 72-hour time limit is triggered, running from when the incident is reported to when the data regulator has to be notified. If you hold client data and suffer an incident in which this client data is disclosed, you must report the breach to your clients immediately so that they can fulfil their legal notification requirements to their relevant data regulator.

How to implement the control:

It is important to have a breach notification process in place so that, if your company suffers a security incident, you can report it to your clients in a timely manner. This supports compliance with your client contractual requirements and a variety of regulatory requirements.

Your breach notification process should be linked to your incident response plan and to any regulatory notification processes implemented within your company.
