Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

08) Does your organisation have a process for reporting information security breaches that affect your clients to them in a timely manner?

January 30, 2023
Business Resilience
Breach Notification

Answer yes if your organisation has a documented process for reporting information security breaches to all affected clients within 72 hours of the breach being discovered. Please describe the process in the notes, or provide a process document (as a PDF file) as evidence.

If your organisation holds data on behalf of your clients then you must have a documented process that can be used to notify them in a timely manner of any security breaches that may affect them. You should ensure that any process that you have implemented reports the incidents quick enough to be compliant with any client contract, legal or regulatory requirements your company may be subject to. For example:

  • Personal data disclosure: If a security breach includes the personal data of a UK or EU subject then a time limit of 72 hours is triggered between the incident being discovered to when the data regulator has to be notified. If you hold client data and suffer an incident in which this client data is disclosed, you must report the breach to your clients immediately so that they can fulfill their legal notification requirements to their relevant data regulator.
  • Digital Service Provider service disruption: Current UK and EU NIS regulation requires that disruptions of services must be reported to the Competent Authority regulator within 72 hours of discovery.
  • Additional Sovereign and State legislation may apply additional reporting requirements, for example UK and EU PECR law requires public electronic communications service providers to report a breach of security to the country or state regulator within 24 hours

How to implement the control

It is important to have a breach notification process in place so that if your company were to suffer a security incident you can report this incident to your clients in a timely manner. This is important to ensure compliance with your client contractual requirements and a variety of regulatory requirements.

Consult with your regulator’s published guidance and your Legal Counsel to ensure that requirements are clearly defined and supported by your process. Your breach notification process should be linked to your incident response plan and should be linked to any regulatory notification processes implemented within your company.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.