IR-8(1): Breaches

Control Family:

Incident Response

CSF v2.0 References:


  • Privacy
Info icon.

Control is new to this version of the control set.

Control Statement

Include the following in the Incident Response Plan for breaches involving personally identifiable information:

  1. A process to determine if notice to individuals or other organizations, including oversight organizations, is needed;
  2. An assessment process to determine the extent of the harm, embarrassment, inconvenience, or unfairness to affected individuals and any mechanisms to mitigate such harms; and
  3. Identification of applicable privacy requirements.

Supplemental Guidance

Organizations may be required by law, regulation, or policy to follow specific procedures relating to breaches, including notice to individuals, affected organizations, and oversight bodies; standards of harm; and mitigation or other specific requirements.