Do You Need to Notify Individuals About a Data Breach?
Data Breach
A data breach can have far-reaching effects. Cyber criminals can use stolen personal information to steal the victim’s identity, access their bank accounts and credit cards, or even commit tax identity theft. In addition to the harm that can be done to individuals, organizations can face fines, financial loss, and reputation damage, which can be difficult or impossible to repair.
While it’s important for organizations to quickly respond to a data breach, they must also ensure that they are adequately communicating with impacted individuals and that they have a plan in place to mitigate any harm that could occur as a result of the breach. This is particularly true when assessing whether to notify affected individuals.
A major factor in determining whether to notify individuals is the severity of the harm that could be caused. To determine this, an organization must assess the impact of the breach on them, including the nature and likelihood of this harm.
In the Equifax data breach, attackers gained access to the names, addresses, dates of birth, and Social Security numbers for 153 million people, making them a target for identity theft. The Sony PlayStation Network and Qriocity data breaches exposed passwords, which posed a risk for victims because many people reuse the same password across multiple websites and services. In the NetEase breach, the compromised data included digitized copies of handwritten forms, spreadsheets, and descriptions of lunar missions, as well as sensitive documents from private companies such as Ticketmaster, Lending Tree, Advanced Auto Parts, and Santander Bank.