Incident and Breach Management


Incident and Breach Management Topic Page

On this topic page, you’ll find news, resources, tools and insights covering cyber incidents and data breaches, with guidance on how best to respond, as an organization or an individual, if you are affected by a breach.

Featured Resources


Privacy Risk Study 2023

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.


Managing Data Breach Liability & Exposure

Organizations no longer can afford to ignore or delay their privacy and security responsibilities. This web conference will cover the legal issues surrounding data breaches and how to lessen their impacts.


State Data Breach Notification Chart

To assist practitioners, the IAPP created a chart containing information from each state or territory’s data breach notification law concerning entities that own, control or process personal data.


AI incident response plans: Not just for security anymore

Artificial intelligence systems, much like any other technology system, are susceptible to failure. This article explains how preparation for potential failure across the design, development, sale and operation phases of a given system “can make all the difference between a timely, controlled response and chaos.”


Privacy Incident Management Simplified

This web conference discusses the short- and long-term benefits of digital transformation and how embracing technology is a value-add to your privacy program.


Liability for software insecurity: Striking the right balance

The U.S. National Cybersecurity Strategy is spawning new consideration for potential legal liability against providers concerning insecure software deployments. This article explores the delicate balance required to roll out liability standards.

Additional News and Resources

Genetic data of 4M service users leaked online

A new dataset containing records of 4 million 23andMe users has been leaked online after genetic data of 1 million users was published on the dark web last week, TechCrunch reports. A hacker who goes by Golem, who published the dataset, said it includes data from "the wealthiest people living in the U.S. and Western Europe." A 23andMe spokesperson said the genetic testing service is "reviewing the data to determine if it is legitimate."

IBM report shows 15% increase in data breach costs

SiliconAngle reports that an analysis by IBM Security and the Ponemon Institute of 553 data breaches between March 2022 and March 2023 revealed a 15% increase over the last three years in costs associated with a breach. The average cost of a breach spiked to USD4.45 million, with breach detection and escalation costs increasing by 42% during the three-year span.

Reporting cyber incident requirements in some Latin American jurisdictions

Cyber events are global issues that manifest in many ways and generally impact several countries simultaneously. It is critical to comprehend the requirements and procedures set by each jurisdiction to ensure compliance and, at the same time, the security of personal data and data subjects. This article examines the cyber incident notification requirements in Brazil, Argentina, Colombia and Mexico. Multijurisdictional incident response. The duty to notify regarding an information security incid...

AEPD creates tool for data controllers to identify relevant authorities to report a breach

Spain’s data protection authority, the Agencia Española de Protección de Datos, created a tool designed to help organizations determine whether to notify a data protection regulator following a breach. The tool, “Brecha Advisory,” is free to use. It aims to help data controllers identify who should be notified, what elements in the breach contain personal data and which data protection regulator to report to.

Cyber Incident Reporting Simplified with Privacy Best Practices

Original broadcast date: 20 Oct. 2022. Like privacy breach notification laws, decisions around cybersecurity regulations require a nuanced understanding of risk assessment to avoid damaging your brand’s reputation. Take a page from the privacy playbook and learn how to qualify “risk of harm” to bolster your cyber policies before disaster strikes. In this web conference, RadarFirst Chief Privacy Officer Lauren Wallace, CIPP/US, provides insights on cyber notifications as they pertain to events and individuals to better define a cyber “state of harm.”

Third circuit shows how to establish standing in data breach cases

A recent decision by the U.S. Court of Appeals in Philadelphia gives new hope to plaintiffs in class-action lawsuits over data breaches. The case is Clemens v. ExecuPharm Inc., decided Sept. 2, and it is the first appellate decision on standing in data breach cases since the U.S. Supreme Court seemed to close the door on many such cases in 2021. The ruling is further evidence that some courts will continue to find ways to let data breach litigation go forward even if the affected consumers have ...

Number of US data breaches dropped in first half of 2022

Publicly reported data breaches fell in the first half of 2022, Government Technology reports. Citing a report from the Identity Theft Resource Center, it notes that cybercriminals shifted their targets toward businesses and government institutions. In the first half of this year, 817 data breaches were reported in the U.S., which represents a 4% decrease from the same timeframe in 2021. The volume of affected persons decreased to 53.4 million, a decline of 45% from last year. 2021 saw the highest number of ...

Ransomware attacks on the rise in 2022

Ransomware damages are expected to exceed $30 billion worldwide in 2023, InfoSecurity reports. According to cybersecurity firm Acronis’ mid-year cyberthreat report, almost half of all data breaches in 2022 began with stolen credentials. Six hundred malicious email campaigns were launched in the first half of 2022, 58% of which were phishing emails and 28% of which contained malware, per the same report. Cybercriminals have shifted toward attacking key entry points on networks that rely on cloud services or see...

Exploring Organisational Experiences of Cyber Security Breaches

The U.K. Department for Digital, Culture, Media and Sport published its qualitative report detailing the experiences of organizations that suffered a data breach. The report looked at an organization’s level of cybersecurity pre-breach, the type of cyberattack, how the organization responded in the short, intermediate and long term, and what cybersecurity improvements were made in the aftermath.

Encrypted messaging service hacked as result of cloud communications company breach

Hackers breached cloud communications company Twilio, Vice reports. The company provides infrastructure to companies that send automated text messages to users, so the hackers had an opportunity to take over users’ accounts that were tied to their phone number on a service backed by Twilio. One such service was encrypted messaging application Signal. Signal announced approximately 1,900 users were targeted by the hackers. For those users, hackers may have registered the stolen phone numbers on t...

Hiscox Cyber Readiness Report

The Hiscox Cyber Readiness Report provides an up-to-the-minute picture of the cyber readiness of businesses big and small, and offers a blueprint for best practice in the fight to counter an ever-evolving threat.

FTC signals expanded breach notice obligations

On May 20, 2022, the U.S. Federal Trade Commission staff made a remarkable statement on an agency blog: “In some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.” The blog, signed by the agency’s Team CTO and its Division of Privacy and Identity Protection, is both momentous and frustrating. Momentous because it purports to recognize a breach notification requ...

Report: Ransomware gangs may have resources to hire AI experts

WithSecure Chief Research Officer Mikko Hyppönen told Protocol it may only be a matter of time before ransomware gangs are able to deploy artificial intelligence–powered ransomware. Previously, entities that protected against ransomware attacks were the sole parties that could utilize AI technology; however, Hyppönen claimed that is no longer the case. He said the wealth of ransomware gangs may afford them the ability to bring on AI experts to exploit “zero day” vulnerabilities and hire penetrat...

Zero Day Exploits for Privacy Professionals: Risks, Mitigation and Due Diligence

Original broadcast date: 2 March 2022. This web conference will explore issues and risks associated with zero-day exploits and other advanced cyber attacks, such as: (1) the basics of such an attack – how they’re accomplished and available technical responses; (2) companies’ obligations to maintain “reasonable security” when using impacted software under various legal regimes; (3) financial and reputational risks of over- or under-investing in mitigating zero-day risks in a vendor’s products and in the supply chain; and (4) the value of recent CISA and other alerts as a baseline for demonstrating “reasonable security” with new threats.

Ransomware: 5 critical tips for organizations

You may have noticed ransomware attacks and information security incidents, such as personal data breaches, have been growing rapidly and gaining frequent space in the media. With each passing week, one or more events of this nature becomes the subject of articles in newspapers, magazines, radio and television. After helping several organizations (from a legal perspective) respond to security incidents and manage the crises generated by these events, I realized some central aspects to properly ...

As data breaches near ‘all-time high,’ Senate committee talks regulation

This week, the United States came just 230 data breaches away from an “all-time high,” according to Identity Theft Resource Center Chief Operating Officer James Lee, but data security requirements either within a federal privacy law or a standalone regulation “would substantially improve data protection” and bring “stronger protections and greater clarity to the marketplace,” Kelley Drye Of Counsel Jessica Rich said. With 446 reported data breaches from July through September, “we’re in for rai...

Ransomware, data protection and compliance

If you were hit by ransomware, you are part of the rapidly growing number of organizations that have had to decide how to respond — legally, quickly and often quietly. The veil of silence that shrouds many businesses’ response and recovery makes leveraging best practices at that moment all the more difficult. Many businesses and their advisors face hurried, whispered conversations due to threats from the attackers, demand for payment in short timetables, concern about influencing company valuati...

Report: 94% of organizations experienced insider data breach in past year

Software security company Egress’ "Insider Data Breach Survey 2021" found 94% of organizations experienced an insider data breach in the last 12 months, with human error being the leading cause, The Manila Times reports. During a hearing before Illinois’ House Committee on Cybersecurity, Data Analytics, and IT, CEO of LexisNexis Risk Solutions’ Government Division Haywood Talcove called on lawmakers to invest in cybersecurity protections, saying attacks will only worsen, News Channel 20 repor...

Chronicling two years of NHS data breaches

The Independent reports on data breaches experienced by the National Health Service from April 2019 to March 2021. According to the U.K. Information Commissioner's Office, the NHS reported 866 data breaches, including personal data mailed to the wrong person and the loss of paperwork and laptops. Of those breaches, 12 cases involved a party altering data without patient consent.

What the world of sports teaches us about incident preparedness and response

Privacy and security incidents have become ubiquitous across organizations of all sizes and sectors. According to Verizon’s most recent Data Breach Investigations Report, data breach volume doubled from 2018 to 2019. Whether an organization operates in the financial services sector or the manufacturing industry, the importance of preparing for these inevitable events is well understood. However, knowing what constitutes best practice for incident preparedness is not fully appreciated, even thoug...

Kroll: 2021 Data Breach Outlook

Digital service provider Kroll published its "2021 Data Breach Outlook," which reviewed the effects of data breaches on its clients in 2020. The report shows a 140% increase in data breach notifications compared to 2019, with the most affected industries being health care, education and financial services. Kroll said the rise in incidents is linked to a combination of remote work, the evolution of ransomware, impacts of supply chain attacks, and heightened awareness of privacy rights and regulat...

Your privacy practices predict your data-breach future

What if I told you I could predict your organization's likelihood of experiencing a data breach by looking at your company? No, I'm not a hacker, peering into the code to look for vulnerabilities. In fact, anyone should be able to perform the same trick. All it takes is a perusal of the various statements you make about privacy — your cookie notice, EU General Data Protection Regulation statement, privacy notice, terms and conditions, and other such necessary parts of every major company. The p...

Study: 92% of firms feel data breach vulnerability

According to a study by cloud security firm Fugue, 92% of firms believe they are vulnerable to a data breach, and 84% are concerned they’ve been unknowingly hacked, MediaPost reports. Forty-seven percent spend more than 50 hours per week on cloud misconfiguration, and 76% anticipate that will increase or remain the same. For the majority, cloud misconfiguration is typically caused by a lack of awareness of security and policies, and the primary incident is unauthorized access to databases. Edito...

Breaches at our front door: What we can learn from Clearview AI

A new competitor has entered the ring to dethrone Cambridge Analytica as the biggest privacy scandal of recent times: Clearview AI. In case you missed it, Clearview AI is a facial-recognition app that scraped millions of photos from the web to help law enforcement identify unknown people. Not long after The New York Times exposed it as the company that might end privacy as we know it, the plot thickened. The company was breached. In response to the incident, Clearview AI observed that “data bre...

Managing data breaches in the cloud

The day-to-day business penetration of cloud services has reached an all-time high and is expected to grow further in 2020. With the adoption of cloud services, the regular data controller and data processor setup is also becoming obsolete and transforms into a data controller (regular data processor), one or more cloud service providers (sub-processors), or a data controller (one or more CSP data processors set up in the EU). This implies the threat landscape and privacy risks data controllers...

How to use 2020 to improve your incident response

Maybe it’s just a sign of this time of year, but I’ve found myself preoccupied lately with performance statistics. For instance, fitness trackers, always so popular in January as we make our resolutions to undo the effects of end-of-year celebrations and hearty meals. Fitness trackers allow us to see how we’re performing against our own best metrics. Did you walk 10,000 steps today? Have you been keeping to your goal for climbing stairs? Are you getting the right amount of deep sleep? These trac...

How to evaluate your privacy-incident response program

If you’ve ever participated in an organized sport, you’re likely well aware of the importance of context when it comes to evaluating your performance as a player. Say, for example, I play soccer every weekend (which I do). Let’s imagine I’m arguably the best defender on my team — or even across all the recreational players involved (it’s fun to pretend). I might start feeling pretty good about myself and how I perform on the pitch. Now imagine I’m suddenly pulled into a Major League Soccer game...

How long should it take to risk-score a privacy incident?

If you’ve been in the privacy world for any amount of time, you recognize there has been a marked increase in the speed at which our world operates. New threats to our data are introduced every day. With the expanding scope of what constitutes protected and sensitive data, the number of privacy cases we must manage at any given time is increasing. Privacy professionals are being asked to do more and faster than ever. A big forcing function of this acceleration came when the EU General Data Prot...

How to accelerate breach-notification timeframes

Have you ever picked up a rock to find hidden underneath a colony of industrious ants working away? By removing the rock, you have left them exposed, to be sure. But there are also benefits of this: You shed more light on their work, providing them greater transparency and perhaps an appreciation of what they are doing. In some ways, privacy professionals who have been in the game for a while might identify with these hard-working ants. Though in the past, we may have gone unnoticed, we’ve alwa...

How to operate under Canada's new breach notification landscape

Last year was a big year for Canadian privacy professionals handling data breach notifications. That's because new requirements came into effect in August under Alberta's Health Information Act, and federal requirements under the Personal Information Protection and Electronic Documents Act came into effect a few months after that in November. These new mandates have made waves in the Great White North, and privacy professionals and regulators have used this new legal landscape as an opportunit...

Seeking Solutions: Aligning Data Breach Notification Rules Across Borders

This report, published in April 2019 by the U.S. Chamber of Commerce and Hunton Andrews Kurth, focuses on the best practices for an effective global data breach notification framework, while also laying out the differences between current notification rules. The proposed framework was created to be replicated at scale and implemented in a culturally respectful manner.

How often do notification exceptions apply? We look to the data

This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by Radar, a provider of purpose-built decision support software designed to help privacy professionals perform consistent incident risk assessments and ensure timely notification, with real-time access to incident management reports and metrics. Find earlier installments of this series here. The privacy regulatory landscape grows more complex with each passing y...

Data breach insurance: A three-part problem

Last October, the British supermarket chain Morrisons lost an appeal against a High Court ruling that found it was partly liable for a data breach. Andrew Skelton, an internal auditor, was given eight years in prison for fraud, after he maliciously leaked the personal data of around 100,000 other employees via the Tor network. In a class-action suit, 5,000 of those employees have sued Morrisons for compensation. In response to Morrisons’ argument that the compensation costs could be ruinous, th...

Benchmarking for GDPR: How often are orgs reporting data breaches to authorities and subjects?

This article is part of an ongoing series on privacy program metrics and benchmarking for incident response management, brought to you by Radar. Find earlier installments of this series here. Do you find yourself thinking about what you were doing this time last year? Maybe it’s the prevalence of social media and the memories that show up in our feeds like our own personal versions of “this day in history,” but in any case, when I think about this time last year, I think about the EU General Da...

72 hours and counting: Do's and don'ts of incident response

It usually happens on a Friday afternoon. A call comes in. Your company has a data security incident. Data about consumers, employees, business customers or others may be exposed. Your company is looking for guidance. What needs to be done? Should we call law enforcement? What about the EU General Data Protection Regulation's requirement to notify in 72 hours? Should we warn consumers/employees/others? This article outlines some key do's and don'ts in such scenarios. Although there is no one-siz...

Web Conference: Canada’s Mandatory Breach Notification Law Update

On June 18, Canada passed into law Bill S-4, The Digital Privacy Act, which made a number of important amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), many of which are now in force. The IAPP now has a web conference recording available that looks at the key changes and their potential impacts for all organizations handling personal information about Canadians. Hear Alex Cameron of Fasken Martineau DuMoulin and Peggy Byrne of CIBC discuss the new rules, h...

Data security requirements in multistate breach settlements

Businesses that operate across U.S. state lines must comply with multiple state consumer protection statutes. In the past two years, attorney general offices from multiple states have worked together to pursue companies for data breach violations, resulting in settlements with a number of companies. Eric Langland, in this Privacy Tracker post, offers a survey of the data security requirements handed down in these settlements, writing, "In the absence of uniform state or federal laws mandating da...

Do I need to report this breach?

How does a data controller know, in the case of a personal data breach, whether it must report the breach to the supervisory authorities? How can we prevent "notification fatigue" or meaningless notifications to authorities? This article will explore such questions. In the majority of jurisdictions, personal data protection regulations impose a mandatory requirement to notify individuals and/or supervisory authorities when a personal data breach has occurred, even where personal data is not af...

Benchmarking your Privacy Incident Management Program – Article Series

Last Updated: August 2018. This series written for The Privacy Advisor by the team at Radar is about establishing program metrics and benchmarking your privacy incident management program. Radar provides purpose-built software designed to guide users through a consistent, defensible process for incident management and risk assessment. A significant volume of incidents involving regulated personal data is processed through the Radar platform, and that number grows every day. The Radar team will...

How to Shop Smart for Cyberinsurance – Article Series

Last Updated: May 2017. This series on why your company needs cyberinsurance and how to shop smart for it addresses the need for cyberinsurance, discusses how to assess your company’s cyber exposure and select the right coverage, explains the application process, and offers advice on how to manage a claim to maximize your company’s insurance recovery.
Why your company needs cyberinsurance, especially if it’s not a Fortune 500
How to shop smart for cyberinsurance
Don’t just check yes: The ...

Incident Response – Article Series

Last Updated: February 2017. This two-part series by Mahmood Sher-Jan first published in The Privacy Advisor in early 2017.
Part 1: Building your incident response team: It takes a village
Part 2: Is it an incident or a breach? How to tell and why it matters

Get ready to practice breach response in the EU

Privacy professionals who deal with EU regulations will need to rehearse their procedures for handling security breaches, panelists speaking at IAPP's Data Protection Congress 2016 in Brussels, Belgium, recently agreed. "You have to rehearse this stuff and it needs to be rehearsed from the CEO downwards. It's about the company's reputation," said Adrian Davis, EMEA managing director for ISC². David Meyer reports on experts’ “how-to-prepare” advice.

How startups can beat breaches on a budget

Data security and privacy concerns are everyone’s challenge because any modern business is dependent on technology in some way. However, security and privacy are not an equal challenge for every business. For established companies, addressing the issue of data security may be a nuisance, but their vast resources can make compliance easier by facilitating the hire of a sophisticated IT security vendor or an experienced data security expert. For cash-strapped startup companies that prioritize growt...

Top five company fails in prepping for a breach

Over the last couple of years, there has been an optimistic increase in company breach-preparedness levels. For example, from 2013 to 2015, the percentage of organizations with data breach response plans increased from 61 percent to 81 percent – a significant (and necessary) surge given today’s landscape. Additionally, the involvement of senior leadership in data breach preparedness increased from 29 percent in 2014 to 39 percent in 2015. However, within that same time period, some of the larges...

From devastation to salvation: How to benefit from a breach

As with business continuity or disaster recovery, the importance of breach preparedness is difficult to gauge until you need it. This makes it more susceptible to receiving less organizational focus or financial backing, especially during times of fiscal restraint. Organizationally, it can be difficult to invest in the “what ifs.” But when those “what ifs” become “oh nos,” there is an opportunity to change this, if the privacy professional seizes it. A privacy breach can actually benefit an organization by transforming an “oh-no” moment into a calculated opportunity for improvement and positive organizational change, writes Rachel Hayward.

My company has had a breach: Whom do I have to notify?

Increasingly, C-suite executives and board members have questions about their companies' cybersecurity practices — or lack thereof. This monthly series is intended to provide high-level answers to some of those questions, specifically focusing on the development of cybersecurity policies, incident-response plans, liability of board members and executives for data breaches and the attorney-client privilege for cybersecurity investigations. Part four explained how the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity could help companies to protect themselves from legal risk. In part five, Jeffrey Kosseff discusses what to do if your company has had a data breach: whom do you notify? "Companies must pay careful attention to all state breach notification laws. Failure to adhere to the requirements can result in state regulatory investigations and significant fines. And about a dozen states allow customers to bring private lawsuits against companies that fail to provide the required notice," Kosseff writes.

The misconceptions of data breach fatigue

An increase in reported incidents has led to significantly more attention and awareness by senior leaders at companies who are asking their teams how prepared they are to manage these issues. But has this increase in attention had the opposite effect on consumers who have their information exposed? Proponents of data breach fatigue would say yes. But falling for the fatigue fallacy can cause companies in crisis to make decisions in their response that could ultimately further harm their brand and reputation. People care when their information is exposed and they will take action, reports Michael Bruemmer.

What If You Had An Employee Data Breach?

While more organizations than ever now have a data breach incident response plan in place, companies should think critically about whether they’ve accounted for different types of data loss, including both customer information and employee records. After all, an employee data breach carries legal risk similar to the breach of customer data, writes Michael Bruemmer, CIPP/US.

Managing Your Data Breach

While there are a number of data breach guides out there, we have chosen to focus on the many relationships and stakeholders involved in breach preparedness and response. Responding to a breach correctly involves a suite of people both inside and outside your organization. Understanding the best way to most efficiently utilize those people goes a long way toward ensuring that your response manages costs, manages business impact and puts the breach behind your organization as quickly as possible.