How to communicate a cyber security incident?


When a cyber security incident occurs, the incident response team should immediately create a concrete communication plan for the specific incident. Companies must develop a communication strategy based on their overall preparations and coordinate all external communications with legal and public relations representatives.

The first and most important rule is to think before you communicate! If you are well prepared, your cyber security incident response team will already have several tools at hand. During the preparation phase, your organization will have compiled a list of all potential stakeholders to contact (internal, external, and official stakeholders) together with their contact information (a specific person and his/her backup).

The first step in creating an incident-specific communication plan is deciding who you’ll communicate with. To do so, you must first determine which potential stakeholders may be (adversely) affected by the cyber security incident at hand and whether you are required by law to notify certain entities, such as the National Data Protection Authority or the industry regulator.

  • Internal stakeholders: top management, impacted managers, employees
  • External stakeholders: media, customers, suppliers, other partners, etc.
  • Official stakeholders: National Data Protection Authority, industry regulator, National Crisis Centre, police

A good rule of thumb when deciding what to communicate and with whom is to communicate on a need-to-know basis. There will be stakeholders with whom you must communicate to keep the cyber security incident under control. There will be others with whom you must communicate either because they demand information (e.g., the media) or because you are legally required to do so (e.g., the government, the National Data Protection Authority, industry regulators, individuals whose data has been compromised).

It is advisable to notify the National Data Protection Authority if personal data is lost or stolen (data breach). In some cases, you will be required to do so by law. For example:

  • Providers of a publicly available electronic communication service (telecom providers) are legally obligated to report personal data breaches to the National Data Protection Authority and the individuals whose data were compromised.
  • Under GDPR, there is a legal obligation to report any personal data breach that is likely to result in a risk to the individuals whose data was compromised, both to the National Data Protection Authority (within 72 hours) and to those whose personal data was compromised.

When to communicate a cyber security incident?

After you’ve decided who you’ll contact and what you’ll tell them, you’ll need to figure out when you’ll contact them. The communication’s goals should determine the timing. The importance of timing cannot be overstated.

  • Some stakeholders will need information as soon as possible because they can help contain the cyber security incident (e.g., your organization’s top management and employees);
  • Other stakeholders (e.g., National Data Protection Authority) have to be contacted within a certain legally imposed timeframe; and, finally,
  • Others (e.g., media) may contact you; in such a case, you should have your answers ready.

Keep in mind that, to avoid alerting the perpetrator, a no-communication period may be necessary from the time the incident is detected until you have a complete picture of the incident and an action plan. If the perpetrator realizes they have been discovered, they will most likely flee and destroy all evidence, or worse, do some final damage, such as stealing the last of your company’s crown jewels or installing backdoors. To avoid a leak during this no-communication phase, you can keep a list of the people who are aware of the cyber security incident.

If information does appear to have leaked, this list will make it easier to figure out who is to blame. Anyone who leaks information can face legal consequences.

A NIS incident must be reported as soon as possible. There’s no need to wait until all the necessary data is available. When it’s clear that the incident needs to be reported and at least one of the criteria has been met, it should be done as soon as possible.

Reporting to authorities

Reporting to authorities is a very specific part of communication. It is important for various reasons:

  • In some cases, there is a legal requirement to report data leakage or other security incidents.
  • Certain authorities can help you. The cyber security incident you are faced with may not be an isolated incident. Authorities may have information that can help you contain your incident more quickly.
  • If you want to file a complaint against the criminal behind the cyber security incident, you must contact law enforcement authorities. In principle, this will be the police.
  • Furthermore, reporting to the authorities is necessary to allow them to inventory and measure cybercrime in the country. Increased knowledge and understanding of the phenomenon and its prevalence will help improve the overall security landscape, e.g., by shaping preventive measures and counter-measures.

Reporting a personal data breach to the national data protection authority

The National Data Protection Authority must be notified of certain personal data breaches. Personal data refers to any information about a living person who can be identified directly or indirectly. In many cases, a number, such as an IP address, will be considered personal data. The obligation to notify applies where data subjects’ rights and freedoms are jeopardized. One example is the loss of communication confidentiality, resulting in invoice data, addresses, and other information being temporarily visible to third parties. The notification period is 72 hours after the data breach is discovered.

When your company notifies the National Data Protection Authority, the latter will be able to estimate the impact of the data breach in collaboration with the person in charge of processing it and will be able to make recommendations on data processing rules and the need to secure it. Furthermore, the person(s) in charge of data processing will have to rethink how data processing is organized and secured, both now and in the future. Organizations in specific sectors, such as financial services providers or providers of electronic communications networks, should be aware that they are already required to report any personal data breach to the National Data Protection Authority.

Notifying individuals whose personal data has been compromised

Individuals whose data is involved in a data breach must sometimes be notified. The person in charge of data processing must communicate with all individuals affected by the data breach in a way that ensures the information is received as soon as possible.

If identifying the victims of the breach is impossible, the data processor can inform them through public media while continuing to try to establish the individuals’ identities in order to inform them individually. The individuals involved must be informed clearly and understandably.

The National Data Protection Authority recommends providing, as a minimum, the following information:

  • Name of person responsible for data processing;
  • Contact information for further information;
  • Short description of the incident during which the data breach occurred;
  • (Probable) date of the incident;
  • Type and nature of personal data involved;
  • Possible consequences of the breach for the individuals involved;
  • Circumstances in which the data breach occurred;
  • Measures taken by the data processor to prevent the data breach;
  • Measures that the person responsible recommends the individuals involved take to limit possible damages.