Do any regulatory authorities need to be notified?

Consider whether the organisation or any individual is under any legal or regulatory obligation to notify any regulatory authority of the IT systems failure, such as:

  • the authority responsible for matters relating to data privacy
  • a central government ministry or other government body
  • any relevant sector regulator
  • any relevant regional or local authority

If such obligations arise, the incident management team should carefully consider the form and timing of any notification.

If the IT systems failure has led to a loss of personal data, see "A loss or theft of personal data".