IR-08(01) Breaches
Include the following in the Incident Response Plan for breaches involving personally identifiable information:
(a) A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
(b) An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and
(c) Identification of applicable privacy requirements.
Baselines: L, M, H, P
Guidance
Organizations may be required by law, regulation, or policy to follow specific procedures relating to breaches, including notice to individuals, affected organizations, and oversight bodies; standards of harm; and mitigation or other specific requirements.
Related controls
- PT-01 Policy and Procedures (baselines: L, M, H, P)
- PT-02 Authority to Process Personally Identifiable Information (baselines: L, M, H, P)
- PT-03 Personally Identifiable Information Processing Purposes (baselines: L, M, H, P)
- PT-04 Consent (baselines: L, M, H, P)
- PT-05 Privacy Notice (baselines: L, M, H, P)
- PT-07 Specific Categories of Personally Identifiable Information (baselines: L, M, H, P)