In the event of a data breach involving personal data, do you commit to notifying the customer within 72 hours?

Explanation & Context

Explanation of the Question:

This question is asking whether your organization has a policy to inform customers within 72 hours if there is a data breach that compromises their personal information. Personal data typically includes names, addresses, social security numbers, and other sensitive information that can identify an individual.

Why It Matters:

Quick notification is crucial because it allows affected customers to take immediate action to protect themselves, such as changing passwords or monitoring their accounts for fraudulent activity. Many regulations, like the General Data Protection Regulation (GDPR) in the European Union, mandate that organizations notify individuals of a data breach within a specific timeframe to ensure transparency and trust. Failing to notify customers promptly can result in legal penalties and damage to your organization’s reputation.

Example of Evidence:

To demonstrate fulfillment of this requirement, your organization might provide a documented incident response plan that outlines the steps taken in the event of a data breach. This plan should detail how a breach is identified and assessed, and how notifications are sent to affected customers within the 72-hour window. Additionally, maintaining logs of past breach notifications, including timestamps and communication records, can serve as evidence that the policy is being followed.

Example Responses

Example Response 1

We commit to notifying our customers within 72 hours of detecting a data breach involving personal data. Our incident response plan, which is reviewed quarterly, includes immediate assessment of the breach, containment measures, and a communication protocol for notifying affected customers via email and our platform.

Example Response 2

In the event of a data breach involving personal data, we have a comprehensive incident response plan that mandates customer notification within 72 hours. This plan is integrated with our AWS-hosted infrastructure and involves automated alerting systems, dedicated breach response teams, and a multi-channel notification strategy to ensure timely communication with affected customers.

Example Response 3

As our software is exclusively on-premises and does not involve the storage or processing of personal data in the cloud, the 72-hour notification requirement does not directly apply to our operations. However, we maintain robust security practices and incident response protocols to protect customer data and address any potential breaches promptly.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub