Do you need to inform any public authorities or regulators?

  • the breach team should urgently consider whether the company or any individual is under any legal or regulatory obligation to notify any public or regulatory authority as a result of the information breach

  • such authorities could include:
    • a central government ministry or other government body. Where the information breach relates to (or contains information on) central government functions, in particular the functions of the armed forces, other security or policing agencies, specific consideration should be given to whether notifications need to be made to relevant government bodies
    • any relevant sector regulator
    • any relevant regional or local authority
    • the police (if information has been stolen)
  • the breach team should also consider, if relevant, whether notifications need to be made (or dialogue entered into) in relation to any underlying problem the information breach has disclosed
  • if any notification obligations arise, the breach team should also consider the form which any notification must take and any requirements as to the timing of such notification