Do any other parties need to be informed of the information breach?

  • As well as considering your duties to public authorities, you need to decide whether any other parties should be told. To decide this, consider:
    • whose information is the subject of the breach (which bodies, entities or individuals). If personal data is involved, see the section "A loss or theft of personal data"
    • whether you are under any contractual obligation to notify a person or entity
    • whether contracts with, or duties owed to, employees or customers oblige you to notify them
    • whether, irrespective of any contractual obligation, contractual counterparties, customers, suppliers and employees should be informed in any event, before they hear about the breach from other sources
    • whether other group companies should be notified
  • You also need to consider whether you are subject to any confidentiality obligations that prevent you from informing other parties, or that restrict what you may tell them.

  • If you decide to notify other parties, consider:
    • the dangers of "over-notifying" (where the notification would serve no practical purpose, or would risk a disproportionately detrimental effect on those notified, for example alarming people who face no real risk)
    • whether you can assist the notified party in mitigating or managing any resulting risk
    • the form of the notification. It should generally be drafted so as to avoid any legal acknowledgement of responsibility for the breach, or of any related breach of contract or law; confine it to the facts established so far and the steps the recipient should take, rather than speculation about cause or fault