Incident and Breach Management


On this topic page, you’ll find news, resources, tools and insights covering cyber incidents and data breaches, with guidance on how best to respond as an organization or individual in the occurrence of being impacted by a breach.

Featured Resources

Zero Day Exploits for Privacy Pros

This web conference explores risks associated with zero-day exploits and other advanced cyber attacks, such as the basics of such an attack, companies’ obligations to maintain “reasonable security” when using impacted software, financial and reputational risks of over- or under-investing in mitigating zero-day risks and the value of recent CISA and other alerts as a baseline for demonstrating “reasonable security” with new threats.
Read More

Ransomware: Tips for organizations

This article offers tips for organizations that have just experienced a cyberattack or security incident, or for organizations that want to better prepare for when they have to face situations of this nature.
Read More

State Data Breach Notification Chart

To assist practitioners, the IAPP created a chart containing information from each state or territory’s data breach notification law concerning entities that own, control or process personal data.
Read More


Latest News and Resources

FTC signals expanded breach notice obligations

On May 20, 2022, the U.S. Federal Trade Commission staff made a remarkable statement on an agency blog: “In some instances, the FTC Act creates a de facto breach disclosure requirement because the failure to disclose will, for example, increase the likelihood that affected parties will suffer harm.” The blog, signed by the agency’s Team CTO and its Division of Privacy and Identity Protection, is both momentous and frustrating. Momentous because it purports to recognize a breach notification requ... Read More

Ransomware attacks lead to national emergency in Costa Rica

In the wake of cyberattacks targeting multiple government agencies, Costa Rica has declared a national emergency, BleepingComputer reports. The Conti ransomware group allegedly published 97% of the 672 GB of data it obtained from the agencies. The Ministry of Finance, Ministry of Labor and Social Security, and Ministry of Science, Innovation, Technology and Telecommunications are among the agencies impacted. President Rodrigo Chaves said the national emergency was enacted to give the country “a ... Read More

Report: Ransomware gangs may have resources to hire AI experts
(IAPP, April 2022)
Millions at risk of data breach through Log4j flaw
(IAPP, December 2021)
EDPB adopts breach notification guidance
(IAPP, November 2021)
APWG – Phishing Activity Trends Report
(APWG, November 2021)
Data Visualization: World’s Biggest Data Breaches & Hacks
(Information is Beautiful, October 2021)
As data breaches near ‘all time high,’ Senate committee talks regulation
(IAPP, October 2021)
Ransomware, data protection and compliance
(IAPP, August 2021)
Singapore’s PDPA: What to Know For Incident Response
(BreachRx, August 2021)
Report: 94% of organizations experienced insider data breach in past year
(IAPP, July 2021)
Hiscox Cyber Readiness Report
(Hiscox, June 2021)
Chronicling two years of NHS data breaches
(IAPP, July 2021)
What the world of sports teaches us about incident preparedness and response
(IAPP, June 2021)
Verizon Data Breach Investigations Reports
Kroll: 2021 Data Breach Outlook
(Kroll, June 2021)
Handbook on How to Guard Against Common Types of Data Breaches
(PDPC, May 2021)
EPDS Infographic — Personal Data Breaches in a Nutshell
(EPDS, May 2021)
Data Masking in the Enterprise
(Tsaaro and Cloud Compliance, April 2021)
ICO Data security incident trends
(ICO, March 2021)
Web Conference: Cyber Risk, Breaches and Security in 2021
(IAPP, January 2021)
DLA Piper GDPR Data Breach Survey 2021
(DLA Piper, January 2021)
Experian Data Breach Industry Forecast
(Experian, December 2020)
When Should Law Firms Notify Clients About Data Breaches?
(Business Law Today, November 2020)
Web Conference: Breaching the Company through the C-Suite
(IAPP, September 2020)
Web Conference: Top 6 Reasons Why the Consumer Response to a Data Breach Will Fail
(IAPP, August 2020)
Your privacy practices predict your data-breach future
(IAPP, August 2020)
Heightened cyber and corporate crime risks in the COVID-19 pandemic
(Norton Rose Fulbright, July 2020)
Study: 92% of firms feel data breach vulnerability
(IAPP, April 2020)
Web Conference: The Privacy Incident Benchmark Report: Data to Drive Operational Excellence
(IAPP, March 2020)
The Osano Data Privacy and Data Breach Link
(IAPP, April 2020)
How to evaluate your privacy-incident response program
(IAPP, October 2019)
Online Trust Alliance: Cyber Incident and Breach Trends Report
(Online Trust Alliance, July 2019)
Managing data breaches in the cloud
(IAPP, January 2020)
How to use 2020 to improve your incident response
(IAPP, January 2020)
What should organizations consider when notifying consumers of a data breach?
(Bryan Cave Leighton Paisner, January 2020)
A Consumer’s Checklist for Handling Identity Theft
(Commonwealth of Massachusetts, June 2019)
How to accelerate breach-notification timeframes
(IAPP, May 2019)
How to operate under Canada’s new breach notification landscape
(IAPP, May 2019)
Bryan Cave Data Breach Litigation Report
(Bryan Cave, May 2019)
How long should it take to risk-score a privacy incident?
(IAPP, August 2019)
Web Conference: To Notify or Not to Notify? That Is the Question.
(IAPP, August 2019)
Complying with Breach Notification Obligations in a Global Setting: A Legal Perspective
(Global Investigations Review, July 2019)
Seeking Solutions: Aligning Data Breach Notification Rules Across Borders
(U.S. Chamber of Commerce and Hunton Andrews Kurth, April 2019)
How often do notification exceptions apply? We look to the data
(IAPP, February 2019)
Data breach insurance: A three-part problem
(IAPP, January 2019)
Web Conference: Changing Global Data Breach Notification Laws
(IAPP, November 2018)
Benchmarking for GDPR: How often are orgs reporting data breaches to authorities and subjects?
(IAPP, March 2019)
72 hours and counting: Do’s and don’ts of incident response
(IAPP, February 2019)
Best Practices for Victim Response and Reporting of Cyber Incidents
(U.S. Department of Justice Cybersecurity Unit, September 2018)
White Paper – Some Privacy Practices May Result in Under-Reporting of Breach Incidents
(IAPP, May 2018)
How startups can beat breaches on a budget
(IAPP, September 2016)
The misconceptions of data breach fatigue
(IAPP, February 2016)
Top five company fails in prepping for a breach
(IAPP, August 2016)
2016 Data Protection & Breach Readiness Guide
(Online Trust Alliance, February 2016)
2017 Data Breach Litigation Report
(Identity Theft Resource Center, 2017)
Web Conference: Canada’s Data Breach Notification Law Update
(IAPP, December 2018)
What To Do When Faced With a Privacy Breach: Guidelines for the Health Sector
(Information and Privacy Commissioner of Ontario, October 2018)
Data security requirements in multistate breach settlements
(IAPP, October 2017)
Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector
(IAPP, October 2017)
Quick-Response Cyberattack Checklist
(U.S. HHS Office for Civil Rights, August 2017)
Benchmarking your Privacy Incident Management Program – Article Series
(IAPP, July 2017)
Web Conference: 2017 Midyear Update: Incident Readiness and Identity Theft
(IAPP, June 2017)
How to Shop Smart for Cyberinsurance – Article Series
(IAPP, May 2017)
Incident Response – Article Series
(IAPP, March 2017)
Get ready to practice breach response in the EU
(IAPP, November 2016)
From devastation to salvation: How to benefit from a breach
(IAPP, July 2016)
Ponemon Annual Benchmark Study on Privacy & Security of Healthcare Data
(Ponemon Institute, May 2016)
2016 Data Security Incident Response Report
(BakerHostetler, 2016)
My company has had a breach: Whom do I have to notify?
(IAPP, March 2016)
Planning for and Responding to a Health Information Data Breach
(IAPP, August 2014)
Identity Theft: Complying with the Red Flags Rule
(ABA Bank Compliance, January 2014)
Best Practices for a Healthcare Data Breach: What You Don’t Know Will Cost You
(Experian, April 2013)
Not All Breaches Are Created Equal Whitepaper
(AllClear ID, January 2013)
Ten steps every organization should take to address global data security breach notification requirements
(IAPP, September 2011)
Do I need to report this breach?
(IAPP, August 2017)
White Paper — Managing Your Data Breach
(IAPP, October 2014)
What If You Had An Employee Data Breach?
(IAPP, August 2015)
View More Resources


Breach Disclosure

The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure. Associated law(s): FCRA, GLBA, HIPAA, various U.S. state laws Associated term(s): Breach notification... Read More

Data Breach

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure. Associated term(s... Read More

Privacy Breach (Canadian)

A privacy breach occurs when there is unauthorized access, collection, use or disclosure of personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as PIPEDA or similar provincial privacy legislation. Associated term(s): Data Breach, Privacy Breach Response (Canadian)... Read More

Privacy Breach Response (Canadian)

The guidelines for privacy breach responses were drafted in 2007 and consist of four steps: (1) Containment of the breach and preliminary assessment; (2) evaluating the associated risks; (3) notifying affected parties; (4) taking adequate steps to prevent future breaches. Associated term(s): Data Breach, Privacy Breach (Canadian)... Read More

Substitute Notice

Most legislation recognizes that data breach notifications involving thousands of impacted data subjects could place an undue financial burden on the organization and therefore allow substitute notification methods. In Connecticut, for example, “Substitute notice shall consist of the following: (A) Electronic mail notice when the person, business or agency has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the website of the person, business or agen... Read More

Tools and Templates

Data Breach Notification in the United States and Territories

This report from Privacy Rights Clearinghouse took a close look at the current landscape of data breach notification statutes across the country and identified key disparities in the level of protections that each statute affords. Their analysis compares each state’s data breach notification statutes along with key provisions. Click To View ... Read More

U.S. State Data Breach Lists
(IAPP, October 2021)
Data Security Breach Handbook
(Bryan Cave Leighton Paisner, August 2019)
Security Breach Response Plan Toolkit
(IAPP, March 2013)
Data Breach Cost Calculators
Quick-Response Cyberattack Checklist
(U.S. HHS Office for Civil Rights, August 2017)
View More Resources