There should be a clear purpose to notifying individuals of a breach: there may be steps they need to take to protect themselves, Bumbles may be legally or contractually obliged to report the breach, or we may need to manage potential reputational damage.
The following non-exhaustive list identifies the key external stakeholders who may require notification:
- Police – in the case of criminal activity
- Individuals whose data has been compromised
- Information Commissioner’s Office (ICO) – any breach that is likely to result in a risk to individuals must be reported within 72 hours of Bumbles becoming aware of it.
- Social Services / Gateway team – where there is a child protection concern
- Others – e.g. banks where steps may be required to protect accounts.
What to say
The Manager / Proprietor will advise on the content of any message sent. No notification should be sent without careful consideration: we need to understand the extent of the breach and be able to provide useful information, while at the same time communicating promptly any important steps that individuals need to take. Notifications will be sent in writing, never over the phone, so that we hold a written record that can be referenced in Bumbles' incident timeline.
You should consider including the following:
- Details of what happened and when the breach occurred
- What data was involved
- What steps have been taken to contain the breach and prevent recurrence
- Advice on what steps they should take, e.g. contacting their bank
- How you will help them and keep them informed (where necessary)
- Multiple ways for them to contact Bumbles