Do you need to tell any public authorities or regulators?

Consider whether your organisation or any individual is under any legal or regulatory obligation to tell any public authority of the incident, such as:

  • the authority responsible for matters relating to data privacy
  • a central government ministry or other government body, eg the Cyber Crime Unit of the National Crime Agency (UK)
  • any relevant sector regulator
  • any relevant regional or local authority

If such obligations arise, your incident management (IM) team should also consider the form and timing of any notification.

To understand the scope of the disclosure obligations that could arise from an incident, you will need to consider which jurisdictions are involved.