Include the following in the Incident Response Plan for breaches involving personally identifiable information:
(a) A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
(b) An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and
(c) Identification of applicable privacy requirements.
| Control Identifier | IR-8(1) |
| --- | --- |
| Latest Sync Date | 19/12/24 09:18:14 |
| Discussion | Organizations may be required by law, regulation, or policy to follow specific procedures relating to breaches, including notice to individuals, affected organizations, and oversight bodies; standards of harm; and mitigation or other specific requirements. |
| Related Controls | PT-1, PT-2, PT-3, PT-4, PT-5, PT-7. |