PCOM-01

Have you had a personal data breach in the past three years that involved reporting to a governmental agency, notice to individuals (including voluntary notice), or notice to another organization or institution?

Explanation

This question asks whether your organization has experienced a personal data breach in the past three years that led to notification of a governmental agency, affected individuals, or another organization, whether that notice was legally required or made voluntarily. A personal data breach is any security incident that results in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. Personal data is any information relating to an identified or identifiable natural person (e.g., names, email addresses, financial information, health records).

The question focuses on breaches that triggered notification, which usually means they met a severity or impact threshold defined by law or by your own policy. Many jurisdictions have breach notification laws, such as GDPR in Europe (which requires notifying the supervisory authority within 72 hours of becoming aware of a breach, where feasible, and affected individuals without undue delay when the breach is likely to result in a high risk to them), the HIPAA Breach Notification Rule for healthcare data in the US, and the various US state-level breach notification laws.

This question is asked in a security assessment because:

1. Past breaches can indicate weaknesses or vulnerabilities in your systems or processes
2. It shows how much experience your organization has in handling security incidents
3. It gives insight into your transparency and your compliance with regulatory requirements
4. It may reveal patterns that affect the risk assessment of your services

When answering this question:

- Be completely honest; assessors can often verify this information through public records, regulator breach registers, and news coverage
- If you have had reportable breaches, give context about the incident, how it was handled, and what remediation steps were taken
- If you have not had any reportable breaches, a simple statement confirming this is sufficient
- Remember that having had a breach does not automatically disqualify you, especially if you can show that you learned from it and improved your security posture

Example Responses

Example Response 1

No, our organization has not experienced any personal data breaches in the past three years that required reporting to governmental agencies, notification to individuals, or notification to other organizations. We maintain a comprehensive security incident response program that includes monitoring, detection, and containment procedures. While we have experienced minor security events, none has risen to the level of a reportable personal data breach.

Example Response 2

Yes, in November 2021, we experienced a data breach affecting approximately 2,500 customer records containing names, email addresses, and encrypted passwords (no financial information was compromised). We reported the incident to the relevant data protection authority within 72 hours of becoming aware of it, as required by GDPR, and notified all affected individuals without undue delay. Following the incident, we conducted a thorough investigation with the assistance of a third-party forensics firm, implemented additional security controls including enhanced access management and encryption, and conducted company-wide security awareness training. We have since passed two independent security audits and have had no further incidents.

Example Response 3

We have not had any breaches requiring governmental reporting in the past three years. However, we did experience a minor security incident in February 2022 in which an employee's email account was compromised. Our investigation determined that, while the account contained some customer contact information, there was no evidence that the data was accessed or exfiltrated by the unauthorized party. After consulting with our legal counsel and following our incident response procedures, we determined that this incident did not meet the threshold for mandatory reporting under applicable regulations. As a precautionary measure, we reset all potentially affected passwords and implemented multi-factor authentication across all employee accounts.

Context

Tab
Privacy
Category
General Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub