Incident and Breach Management


On this topic page, you’ll find news, resources, tools and insights covering cyber incidents and data breaches, with guidance on how best to respond as an organization or individual in the occurrence of being impacted by a breach.

Featured Resources

Zero Day Exploits for Privacy Pros

This web conference explores risks associated with zero-day exploits and other advanced cyber attacks, such as the basics of such an attack, companies’ obligations to maintain “reasonable security” when using impacted software, financial and reputational risks of over- or under-investing in mitigating zero-day risks and the value of recent CISA and other alerts as a baseline for demonstrating “reasonable security” with new threats.
Read More

Ransomware: Tips for organizations

This article offers tips for organizations that have just experienced a cyberattack or security incident, or for organizations that want to better prepare for when they have to face situations of this nature.
Read More

State Data Breach Notification Chart

To assist practitioners, the IAPP created a chart containing information from each state or territory’s data breach notification law concerning entities that own, control or process personal data.
Read More

Latest News and Resources

Web Conference: Cyber Incident Reporting Simplified with Privacy Best Practices

Original broadcast date: 20 Oct. 2022 Like privacy breach notification laws, decisions around cybersecurity regulations require a nuanced understanding of risk assessment to avoid damaging your brand’s reputation. Take a page from the privacy playbook and learn how to qualify “risk of harm” to bolster your cyber policies before disaster strikes. In this web conference, RadarFirst Chief Privacy Officer Lauren Wallace, CIPP/US, provides insights on cyber notifications as they pertain to events and individuals to better define a cyber “state of harm.” Read More

Third circuit shows how to establish standing in data breach cases

A recent decision by the U.S. Court of Appeals in Philadelphia gives new hope to plaintiffs in class-action lawsuits over data breaches. The case is Clemens v. ExecuPharm Inc., decided Sept. 2, and it is the first appellate decision on standing in data breach cases since the U.S. Supreme Court seemed to close the door on many such cases in 2021. The ruling is further evidence that some courts will continue to find ways to let data breach litigation go forward even if the affected consumers have ... Read More

Number of US data breaches dropped in first half of 2022

Publicly reported data breaches fell in the first half of 2022, Government Technology reports. Citing a report from the Identity Theft Resource Center, cybercriminals adjusted their targets toward businesses and government institutions. In the first half of this year, 817 data breaches were reported in the U.S., which represents a 4% decrease from the same timeframe in 2021. The volume of affected persons decreased to 53.4 million, a decline of 45% from last year. 2021 saw the highest number of ... Read More

Ransomware attacks on the rise in 2022

Ransomware damages are expected to exceed $30 billion worldwide in 2023, InfoSecurity reports. Citing cybersecurity firm Acronis’ mid-year cyberthreat report, almost half of all data breaches in 2022 began with stolen credentials. Six hundred malicious email campaigns were launched in the first half of 2022, 58% of which were phishing emails and 28% contained malware, per Acronis’ report. Cybercriminals have shifted toward attacking key entry points on networks that rely on cloud services or see... Read More

APWG – Phishing Activity Trends Report
(APWG, September 2022)
Data Visualization: World’s Biggest Data Breaches & Hacks
(Information is Beautiful, September 2022)
Exploring Organisational Experiences of Cyber Security Breaches
(U.K. Department for Digital, Culture, Media and Sport, August 2022)
Encrypted messaging service hacked as result of cloud communications company breach
(IAPP, August 2022)
Privacy with Microsoft Video Series – Episode 3: Privacy Incident Management Program Development
(Microsoft, August 2022)
ICO Data security incident trends
(ICO, August 2022)
Verizon Data Breach Investigations Reports
Hiscox Cyber Readiness Report
(Hiscox, August 2022)
Experian Data Breach Industry Forecast
(Experian, August 2022)
Report: Average data breach costs $4.4M
(IAPP, July 2022)
FTC signals expanded breach notice obligations
(IAPP, June 2022)
Ransomware attacks lead to national emergency in Costa Rica
(IAPP, May 2022)
Measures that Educational Institutions Should Take to Prepare for Ransomware Attacks
(BakerHostetler, April 2022)
Report: Ransomware gangs may have resources to hire AI experts
(IAPP, April 2022)
Millions at risk of data breach through Log4j flaw
(IAPP, December 2021)
EDPB adopts breach notification guidance
(IAPP, November 2021)
As data breaches near ‘all time high,’ Senate committee talks regulation
(IAPP, October 2021)
Ransomware, data protection and compliance
(IAPP, August 2021)
Singapore’s PDPA: What to Know For Incident Response
(BreachRx, August 2021)
Report: 94% of organizations experienced insider data breach in past year
(IAPP, July 2021)
Chronicling two years of NHS data breaches
(IAPP, July 2021)
What the world of sports teaches us about incident preparedness and response
(IAPP, June 2021)
Kroll: 2021 Data Breach Outlook
(Kroll, June 2021)
Handbook on How to Guard Against Common Types of Data Breaches
(PDPC, May 2021)
EPDS Infographic — Personal Data Breaches in a Nutshell
(EPDS, May 2021)
Data Masking in the Enterprise
(Tsaaro and Cloud Compliance, April 2021)
Web Conference: Cyber Risk, Breaches and Security in 2021
(IAPP, January 2021)
DLA Piper GDPR Data Breach Survey 2021
(DLA Piper, January 2021)
When Should Law Firms Notify Clients About Data Breaches?
(Business Law Today, November 2020)
Web Conference: Breaching the Company through the C-Suite
(IAPP, September 2020)
Web Conference: Top 6 Reasons Why the Consumer Response to a Data Breach Will Fail
(IAPP, August 2020)
Your privacy practices predict your data-breach future
(IAPP, August 2020)
Heightened cyber and corporate crime risks in the COVID-19 pandemic
(Norton Rose Fulbright, July 2020)
Study: 92% of firms feel data breach vulnerability
(IAPP, April 2020)
Web Conference: The Privacy Incident Benchmark Report: Data to Drive Operational Excellence
(IAPP, March 2020)
The Osano Data Privacy and Data Breach Link
(IAPP, April 2020)
How to evaluate your privacy-incident response program
(IAPP, October 2019)
Online Trust Alliance: Cyber Incident and Breach Trends Report
(Online Trust Alliance, July 2019)
Managing data breaches in the cloud
(IAPP, January 2020)
How to use 2020 to improve your incident response
(IAPP, January 2020)
What should organizations consider when notifying consumers of a data breach?
(Bryan Cave Leighton Paisner, January 2020)
A Consumer’s Checklist for Handling Identity Theft
(Commonwealth of Massachusetts, June 2019)
How to accelerate breach-notification timeframes
(IAPP, May 2019)
How to operate under Canada’s new breach notification landscape
(IAPP, May 2019)
Bryan Cave Data Breach Litigation Report
(Bryan Cave, May 2019)
How long should it take to risk-score a privacy incident?
(IAPP, August 2019)
Web Conference: To Notify or Not to Notify? That Is the Question.
(IAPP, August 2019)
Complying with Breach Notification Obligations in a Global Setting: A Legal Perspective
(Global Investigations Review, July 2019)
Seeking Solutions: Aligning Data Breach Notification Rules Across Borders
(U.S. Chamber of Commerce and Hunton Andrews Kurth, April 2019)
How often do notification exceptions apply? We look to the data
(IAPP, February 2019)
Data breach insurance: A three-part problem
(IAPP, January 2019)
Web Conference: Changing Global Data Breach Notification Laws
(IAPP, November 2018)
Benchmarking for GDPR: How often are orgs reporting data breaches to authorities and subjects?
(IAPP, March 2019)
72 hours and counting: Do’s and don’ts of incident response
(IAPP, February 2019)
White Paper – Some Privacy Practices May Result in Under-Reporting of Breach Incidents
(IAPP, May 2018)
How startups can beat breaches on a budget
(IAPP, September 2016)
The misconceptions of data breach fatigue
(IAPP, February 2016)
Top five company fails in prepping for a breach
(IAPP, August 2016)
2016 Data Protection & Breach Readiness Guide
(Online Trust Alliance, February 2016)
2017 Data Breach Litigation Report
(Identity Theft Resource Center, 2017)
Web Conference: Canada’s Data Breach Notification Law Update
(IAPP, December 2018)
What To Do When Faced With a Privacy Breach: Guidelines for the Health Sector
(Information and Privacy Commissioner of Ontario, October 2018)
Data security requirements in multistate breach settlements
(IAPP, October 2017)
Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector
(IAPP, October 2017)
Quick-Response Cyberattack Checklist
(U.S. HHS Office for Civil Rights, August 2017)
Benchmarking your Privacy Incident Management Program – Article Series
(IAPP, July 2017)
How to Shop Smart for Cyberinsurance – Article Series
(IAPP, May 2017)
Incident Response – Article Series
(IAPP, March 2017)
Get ready to practice breach response in the EU
(IAPP, November 2016)
From devastation to salvation: How to benefit from a breach
(IAPP, July 2016)
Ponemon Annual Benchmark Study on Privacy & Security of Healthcare Data
(Ponemon Institute, May 2016)
2016 Data Security Incident Response Report
(BakerHostetler, 2016)
My company has had a breach: Whom do I have to notify?
(IAPP, March 2016)
Planning for and Responding to a Health Information Data Breach
(IAPP, August 2014)
Identity Theft: Complying with the Red Flags Rule
(ABA Bank Compliance, January 2014)
Best Practices for a Healthcare Data Breach: What You Don’t Know Will Cost You
(Experian, April 2013)
Not All Breaches Are Created Equal Whitepaper
(AllClear ID, January 2013)
Ten steps every organization should take to address global data security breach notification requirements
(IAPP, September 2011)
Do I need to report this breach?
(IAPP, August 2017)
White Paper — Managing Your Data Breach
(IAPP, October 2014)
What If You Had An Employee Data Breach?
(IAPP, August 2015)
View More Resources


Breach Disclosure

The requirement that an organization notify regulators and/or victims of incidents affecting the confidentiality and security of personal data. The requirements in this arena vary wildly by jurisdiction. It is a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in the understanding of causes of failure. Associated law(s): FCRA, GLBA, HIPAA, various U.S. state laws Associated term(s): Breach notification... Read More

Data Breach

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. Breaches do not include good faith acquisitions of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector—provided the personal information is not used for a purpose unrelated to the data collector's business or subject to further unauthorized disclosure. Associated term(s... Read More

Privacy Breach (Canadian)

A privacy breach occurs when there is unauthorized access, collection, use or disclosure of personal information. Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as PIPEDA or similar provincial privacy legislation. Associated term(s): Data Breach, Privacy Breach Response (Canadian)... Read More

Privacy Breach Response (Canadian)

The guidelines for privacy breach responses were drafted in 2007 and consist of four steps: (1) Containment of the breach and preliminary assessment; (2) evaluating the associated risks; (3) notifying affected parties; (4) taking adequate steps to prevent future breaches. Associated term(s): Data Breach, Privacy Breach (Canadian)... Read More

Substitute Notice

Most legislation recognizes that data breach notifications involving thousands of impacted data subjects could place an undue financial burden on the organization and therefore allow substitute notification methods. In Connecticut, for example, “Substitute notice shall consist of the following: (A) Electronic mail notice when the person, business or agency has an electronic mail address for the affected persons; (B) conspicuous posting of the notice on the website of the person, business or agen... Read More

Tools and Templates

Data Breach Notification in the United States and Territories

This report from Privacy Rights Clearinghouse took a close look at the current landscape of data breach notification statutes across the country and identified key disparities in the level of protections that each statute affords. Their analysis compares each state’s data breach notification statutes along with key provisions. Click To View ... Read More

U.S. State Data Breach Lists
(IAPP, October 2021)
Data Security Breach Handbook
(Bryan Cave Leighton Paisner, August 2019)
Data Breach Cost Calculators
Quick-Response Cyberattack Checklist
(U.S. HHS Office for Civil Rights, August 2017)
View More Resources