How to Report a Data Breach: Step-by-Step Guide

Data breaches are every organization's worst nightmare and sometimes an unavoidable part of working with customers' data. Customer data is essential for keeping track of performance (analytics) and is a critical component of regular business operations across industries. Still, statistics reveal that data breaches are almost inevitable, with 45% of US companies experiencing a data breach in 2021. While you can't stop working with customer data or guarantee that your organization won’t experience a breach, you can determine your response when a breach occurs.

Discovering and containing data breaches can take time, with most organizations taking an average of 80 days to contain a breach after it's discovered. Once you've identified the breach, the first decision you need to make is how, when, and to whom to report it. This article breaks down the legal requirements for data breach reporting according to the two most commonly used privacy standards - the European GDPR and California's CCPA.

If you're looking for solutions for your developers to protect PII and other sensitive data, learn more about Piiano and our Data Privacy Vault.

What to Consider Before Reporting a Breach

Before you report a breach and issue a breach notification to your customers, you need to look at several factors that come into play. The first is what's legally required of your organization by the regulatory bodies that have jurisdiction over you. The second consideration is your organization's official transparency policy (disclosing the breach to affected parties and the media). These two factors will control your response to the breach.

While we'll discuss your legal requirements later, transparency is less clear-cut. Some breaches are too minor to fall under legal requirements, and the decision of whether to publicize or report the breach lies in the organization's hands. Although reporting a breach to customers can foster a feeling of trust, be prepared for adverse reactions. Not informing customers of a breach can also lead to negative consequences if the customers learn of the breach by other means.

How the GDPR Defines a Breach

The GDPR applies to any organization that stores data belonging to EU citizens. Officially, the GDPR only applies to breaches that involve personal data. The GDPR defines personal data as:

“... any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

This includes publicly accessible and personal details such as their name, ZIP code, phone number, or health records. A data breach is defined as:

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

These breaches usually occur when cybercriminals intentionally access an organization's database due to vulnerabilities or employee negligence. Regardless of its cause, a data breach that puts consumers' privacy at risk will result in regulatory action from the GDPR.

Reporting a Breach per the GDPR

The CCPA requires businesses to protect their data with reasonable security measures. Failure to protect information that results in a breach requires that the organization notify the proper authorities as soon as possible. Organizations are required to contact any Californian residents affected by the breach, and if the incident affects over 500 residents, the state’s Attorney General must also be notified.

The CCPA has strict formatting requirements for the notice report, requiring it to be written in plain language, titled "Notice of Data Breach," with clear and visible headings and titles, and text no smaller than 10-point type. If issuing such a report to each affected party would cost over $250,000, or if the affected individual's number is over 500,000 or the company doesn't have updated contact information for individual customers, the organization must implement all the following steps:

• Post clear and conspicuous information on the breach on the organization's website for a minimum of 30 days (this can include a link to the full notice located on the home page, in large text or visibly bright colors)
• Notify major statewide media and organizations based in California and notify the California Office of Information Security.

The CCPA Data Breach Report - What Needs to Be Reported?

The report must include the following essential information:

• The organization's name and contact information
• A summary of the incident
• Details of the categories of personal information involved in the breach
• The timing of the breach (date, date range, or an estimated date for when the breach occurred)
• Phone numbers and addresses of credit reporting agencies if the breach included social security numbers, driver's license information, or California identification card numbers). In these cases, organizations must also offer pro-bono identity theft prevention services for at least 12 months and provide affected parties with additional information on how to utilize these services.

Optional information to include:

• The measures the organization has taken to protect customers affected by the breach

• Advice to affected individuals on what measures to take to protect themselves

Reporting a Breach in US States Not Covered by the CCPA

While the first response to any breach is always to secure the network and address any newly discovered vulnerabilities, most states have legal guidelines that organizations need to follow after a breach. Like the CCPA and the GDPR, notifying the relevant authorities is a legal requirement in all US states, the District of Columbia, Puerto Rico, and the Virgin Islands.

Notification may involve releasing notice publicizing the breach, contacting the State’s Attorney General, and contacting law enforcement (local police, the FBI, or the US Secret Service). In some cases, all three must be contacted. Click here for more information on what to report and to whom in each of the US states. Other regulations don’t vary by location but by industry.

For example, if the breach involves electronic personal health records, you must check if your breach falls under the Health Breach Notification Rule. If this rule applies, you will need to notify the FTC and, in some cases, the media. You will also need to investigate whether you are covered by the HIPAA Breach Notification Rule. If so, you will need to fill in the notification form to notify the Secretary of the US Department of Health and Human Services (HHS) and in some cases, the media as well.

Responding to a Data Breach

While the GDPR and CCPA are far from the only regulatory bodies that require a data breach report, their comprehensive requirements offer a great starting point. Although experiencing a data breach can feel like a significant setback, responding correctly and quickly can help mitigate the damage it causes. Additionally, implementing protective measures to guard your most vulnerable data before the breach occurs may not prevent a breach, but it can surely mitigate the damage breaches cause by preventing or reducing access to PII data and shielding your customers from identity theft.