Skip to main content

Report Data Privacy Security Incidents

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain what constitutes a data privacy security incident.
  • Identify potential data privacy security incidents.
  • Know what to do when you suspect or know a data privacy security incident has happened.

What Is a Security Incident?

Many authorities around the world have adopted security incident notification laws, from the European Union (EU) to countries in Latin America (LATAM) to Japan and Asia-Pacific (JAPAC) regions to every United States (US) state and territory. Recently in the US, the president signed into law the Strengthening American Cybersecurity Act of 2022, which requires critical infrastructure companies to report significant cybersecurity incidents and all ransom payments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).

Depending on the country your organization operates out of, there are numerous incident reporting laws and regulations for specific industries such as government, healthcare, energy, telecoms, and financial services providers, with each adopting their own definition of what constitutes a security incident (or data breach). Depending on the security incident notification laws that impact your organization, your customer service level agreements (SLAs) or contracts should contain security incident notification requirements that apply to customer data.

A data privacy security incident is any unauthorized use of personal data or customer data, whether accidental or intended. Consider these examples of common security incidents.

  • A sales representative sends an email with customer data to the wrong customer.
  • A manager prints a resume of a candidate, but on his way home, he leaves the document on the train.
  • A former employee who has left the company still has access to your organization’s systems and accesses customer records.
  • An intern opens an email attachment containing malware, which results in deleted or encrypted customer contact information.
  • A shared drive is overly permissioned, granting too many people access to personal data.
  • A customer’s credentials or secret keys are exposed on a public GitHub repository.
  • An employee’s work device (for example, a laptop or smartphone) is lost or stolen.
  • An employee accidentally discloses personal data in a response to an email that turns out to be part of a phishing attack.

All these incidents qualify as potential security incidents and should be reported to your organization’s security team.

Reporting a Security Incident

If you suspect a potential data privacy incident, report it immediately, even if you’re not 100% sure the incident qualifies as a data breach or security incident. If your organization has an annual security awareness training program in place, make sure to review it for up-to-date information regarding how to report suspicious activity or suspected security incidents at your organization.

When reporting an incident, you should provide as much information as possible, including:

  • What happened
  • Who the individuals or groups involved were
  • The time, date, and time zone of when the incident occurred
  • Which services were involved or potentially impacted
  • Point of contact for follow-up questions

Security Incident Reporting Timelines

Your organization may have a legal obligation to report data privacy incidents within a short time frame to regulators, customers, and affected individuals. You have an obligation to report security incidents immediately to your internal security team, to allow them time to investigate the incident and meet external reporting requirements. In some cases, failure to notify applicable parties of a data privacy incident within the required time frames can lead to substantial fines, a potential breach of your contractual obligations, damage to customer trust, and tarnishing of your organization’s reputation.

As you can see, it’s critical to report all potential security incidents right away, even if you made the mistake that led to the exposure of personal or customer data.

A stopwatch that symbolizes a ticking clock for reporting an incident

Sum It Up

In this module, you’ve been introduced to data privacy laws and principles. You’ve also learned how to identify customer data and who is allowed to handle that data. Lastly, you’ve been introduced to reporting requirements of data privacy incidents.

Interested in learning more about cybersecurity careers and technologies? Head on over to the Cybersecurity Learning Hub to explore other security topics and hear from real security practitioners.

Resources

Keep learning for
free!
Sign up for an account to continue.
Sign Up Login
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities
Skip for now