https://www.itgovernanceusa.com/blog/when-should-an-organization-report-a-data-breach/


From May 25, 2018, compliance with the EU General Data Protection Regulation (GDPR) will be mandatory for organizations that process EU residents’ personal information. The Regulation joins a number of US federal and state laws that hold organizations accountable for mitigating and managing information security risk.

No matter what its size or cybersecurity posture, your organization is vulnerable to cyber crime and data breaches. Under federal, state, and international laws, once organizations become aware of a breach they have a certain amount of time to report it to the relevant supervisory authority. Sitting on an incident without reporting it puts organizations at risk of legal and other ramifications.

The NYDFS cybersecurity regulation, which came into effect in August 2017 and requires covered entities to submit certification documentation by February 15, set a 72-hour rule for reporting information breaches.

Under the GDPR, any business worldwide that has EU residents’ personal information compromised is required to notify supervisory authorities within 72 hours of uncovering the breach. As of yet, there is no requirement under the GDPR specifying when affected EU residents must be notified.

The UK’s Information Commissioner’s Office (ICO) warns, “In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.”