Have you had a personal data breach in the past three years that involved reporting to a governmental agency, notice to individuals (including voluntary notice), or notice to another organization or institution?
Explanation
Breach history is what reviewers want surfaced: whether you have had a personal data breach in the last three years that triggered notice to a government agency, to individuals, or to another organization.
A personal data breach refers to any security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. Personal data includes any information relating to an identified or identifiable natural person (e.g., names, email addresses, financial information, health records).
The question specifically focuses on breaches that triggered reporting requirements, which typically means they met certain thresholds of severity or impact. Many jurisdictions have laws requiring notification of breaches (like GDPR in Europe, HIPAA for healthcare in the US, or various state-level breach notification laws).
This question is being asked in a security assessment because:
- Past breaches can indicate potential security weaknesses or vulnerabilities in your systems or processes
- It helps assess your organization's experience in handling security incidents
- It provides insight into your transparency and compliance with regulatory requirements
- It may reveal patterns that could affect the risk assessment of your services
When answering this question:
- Be completely honest - assessors can often verify this information through public records
- If you have had reportable breaches, provide context about the incident, how it was handled, and what remediation steps were taken
- If you have not had any reportable breaches, a simple statement confirming this is sufficient
- Remember that having had a breach doesn't automatically disqualify you, especially if you demonstrate that you've learned from it and improved your security posture
Example Responses
Example Response 1
No, our organization has not experienced any personal data breaches in the past three years that required reporting to governmental agencies, notification to individuals, or notification to other organizations We maintain a comprehensive security incident response program that includes monitoring, detection, and containment procedures While we have experienced minor security events, none have risen to the level of a reportable personal data breach.
Example Response 2
Yes, in November 2021, we experienced a data breach affecting approximately 2,500 customer records containing names, email addresses, and encrypted passwords (no financial information was compromised) We reported this incident to the relevant data protection authorities in compliance with GDPR requirements and notified all affected individuals within 72 hours of discovery Following the incident, we conducted a thorough investigation with the assistance of a third-party forensics firm, implemented additional security controls including enhanced access management and encryption protocols, and conducted company-wide security awareness training We have since passed two independent security audits and have had no further incidents.
Example Response 3
We have not had any breaches requiring governmental reporting in the past three years However, we did experience a minor security incident in February 2022 where an employee's email account was compromised Our investigation determined that while the account contained some customer contact information, there was no evidence that the data was accessed or exfiltrated by the unauthorized party After consulting with our legal counsel and following our incident response procedures, we determined that this incident did not meet the threshold requirements for mandatory reporting under applicable regulations As a precautionary measure, we reset all potentially affected passwords and implemented multi-factor authentication across all employee accounts.
Context
- Tab
- Privacy
- Category
- General Privacy
Related questions
- Does your solution process FERPA-related data?
- Does your solution process GDPR-related or PIPL-related data?
- Does your solution process personal data regulated by state law(s) (e.g., CCPA)?
- Does your solution process user-provided data that may contain regulated information?
- Web Link to Product/Service Privacy Notice
- Use this area to share information about your privacy practices that will assist those who are assessing your company data privacy program.*

