Chapter 2. Notification

The disclosure conundrum

Once the nature, size and seriousness of the breach are ascertained, the biggest decision (where applicable) is whether to come clean over the breach, and how to go about notifying interested parties.

Although disclosure laws are increasingly forcing organisations to make public their personal data failings, there remains a tendency to sweep the problem under the carpet.

The image and monetary implications mean companies prefer to deal with the problem in house. According to a recent report from an RSA Conference survey, as many as nine out of ten incidents went unreported in 2007.

‘With 29% of respondents stating that they experienced the leakage of employee or customer data, it is alarming to see that only 11% of those types of incidents were reported,’ says Tim Mather, chief security strategist for security specialist RSA.

But, as identity fraud continues to soar, organisations, consumers and regulators are increasingly agitated about the lax attitude towards confessing to data leakage, and the trend is certainly for greater disclosure.

Indeed, some industries have self-regulatory schemes that insist that members disclose. ‘There are some industry-specific obligations to notify regulators – for example, the Financial Services Authority and some self-regulatory schemes under which notices must be given to regulators,’ says Jay. ‘In addition, organisations may find they have contractual obligations to those for whom they provide services, or obligations to partners within joint ventures or partnerships.’

The credit card industry’s PCI DSS standard also has strict guidelines and fines to match.

Increasingly, though, depending on where your organisation is based and does business, you may have little choice about owning up to the data breach, embarrassing as it might seem.

Choose one person from within the organisation to co-ordinate the notification process, including choosing which methods to use (letter, website and possibly telephone). Make sure they have all the latest information about the breach and your response.

Data notification and UK law

The Data Protection Act in the UK puts the emphasis on prevention rather than enforced disclosure as a method to ensure companies take data guardianship seriously.

‘All data controllers have a responsibility under the Data Protection Act 1998 to ensure appropriate and proportionate security of the personal data they hold,’ the law dictates, and there is currently no specific obligation for a company that has suffered a breach to make it public.

Although there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be reported.

The ICO’s perspective on whether organisations should report a breach depends on the potential for harm caused by the breach, and the scale.

If the incident could cause exposure to identity theft through the release of non-public identifiers such as passport numbers, or could reveal sensitive details about someone’s personal life, the rule of thumb is that it should be reported. Again, there’s no obligation.

The ICO says that the larger the volume of leaked material the greater the need for disclosure, and although the regulator declines to give hard and fast figures, it suggests 1,000 records is considered a sufficiently large number to warrant a report.

‘We would expect to be informed of the theft of an unencrypted laptop computer holding names and addresses, dates of birth and National Insurance numbers of 1,000 individuals,’ the regulator says. ‘But it may be appropriate to report much lower volumes in some circumstances where the risk is particularly high, perhaps because of the circumstances of the loss, or the extent of information about each individual.’

The regulator will not usually impose enforcement procedure or fines due to a data leak. ‘Our powers only extend to imposing obligations as to future conduct,’ the ICO says.

In fact, the commissioner’s office will not normally make public any information regarding a reported breach. ‘We do not see it as our responsibility to publicise security breaches not already in the public domain or to inform any individuals affected.’

However, the ICO may recommend that the data controller should make public a breach where it is clearly in the interests of the individuals concerned.

If you choose to inform the ICO, the notification should include the items below.

  • The type of information and number of records.

  • The circumstances of the loss/release.

  • Action taken to minimise/mitigate effect on individuals involved, including whether they have been informed.

  • Details of how the breach is being investigated.

  • Whether any other regulatory body has been informed, and their response.

  • Remedial action taken to prevent future occurrence.

Data notification and US law

In the United States, the vast majority of states now have data breach disclosure laws that govern when and how companies hit by a breach should react.

California’s landmark SB1386 came into effect in 2003 and, since then, some 43 other legislatures have introduced laws dictating that companies must declare data breaches quickly. The problem for businesses is that knowing exactly which laws apply in which instances can be as complex as wiring up a robot.

In most cases, state laws require that companies notify that state’s residents that there has been a breach. So, regardless of where the company is based, an affected resident in a state which has notification rules should be informed. However, there are variations to this situation, such as in Wisconsin, whose law also requires that all companies based in the state notify all of their consumers of any breach, regardless of which state or even country those consumers reside in.

In general, most state laws follow the basic tenets of California’s original law, but subtle and hugely important differences between states muddy the water. Universally, companies must immediately disclose a data breach to customers and authorities, but while California has neither civil nor criminal penalties for failure to disclose promptly, neighbouring states Oregon, Nevada and Arizona all do.

As in California, many state data breach laws give the right of private action, so consumers can sue a company over the breach but, once again, the situation varies from state to state.

Anyone reacting to a data breach also needs to understand a complex set of exemptions, which could mean a breach doesn’t need to be reported. For example, in some states, data that is properly encrypted is exempt from the disclosure requirement. Data that has otherwise been rendered unreadable is also exempt in many states, while immaterial breaches and leaks involving publicly available government data are given a free pardon in certain states but not in others.

States with no security breach law (in 2008) were Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota.

It’s a minefield for the unwary, and it is absolutely critical that companies urgently consult local legal representation to assess exactly what the law requires in regard to their specific breach. While it might be best practice to report and disclose all breaches, many companies will try to wriggle out of notification if the breached data falls into an exempt category.

Who to inform

If notification is going ahead, then there are three main groups who need to be told about the breach – law enforcement and regulatory officials, affected businesses and individuals.

In the US, for example, state laws in most circumstances urge victim companies to call their local police department immediately if the compromise could result in harm to either a person or business. The police may tell you to postpone informing the public if they feel doing so could hamper their investigations.

In the UK, hack attacks may breach the Computer Misuse Act, and hardware theft is also a crime, so the police should be informed if the leak is going to be disclosed elsewhere. In practice, this rarely happens.

With so many partnerships and so much data sharing in modern commerce, any data loss can affect more than just your business – banks, credit card companies and suppliers could all suffer fallout from your breach.

According to the US Federal Trade Commission (FTC), if credit card or bank account numbers have been stolen from you, but you do not maintain the accounts, you should notify the institution that does, so that it can monitor the accounts for fraudulent activity. If you collect or store personal information on behalf of other businesses, notify them of any information compromise, as well.

Finally, customers will need to be informed, which is normally done in writing.

Notification infrastructure

Of course, notifying customers of the breach is by no means the end of the process. Once consumers have been made aware of the breach, they will inevitably have questions about what the breach means to them, what you are going to do about it, and how they can help to protect themselves.

The focus moves from a security issue to a customer relationship management problem. ‘You need to offer back-up, maybe somewhere people can call, so that they can talk their concerns through and where you can tell them that “this is what we can offer to waylay issues,”’ says Equifax’s Monroe.

These help lines need to be staffed and paid for, and should be seen as part of the cost of managing the breach, but bear in mind that normal call centre staffing levels may be insufficient – it’s one thing to inform customers that you have lost their personal details, another to keep them on hold for ages while they try to get in touch about your mistake.

Public relations considerations

One of the less explored aspects of data disclosure is what customers and partners will think if your company suffers a leak and hides it under the carpet.

While many companies attempt to save their reputations by trying to prevent information about the breach reaching the outside world, failure to notify can also be a public relations disaster if the subterfuge is later made public.

‘Companies that do try and keep it in house are storing up a potential problem that could simply get worse,’ says Kully Dhadda, director of PR firm Flame. ‘The viral nature of the Web means that it’s very difficult to hide any information like this for long.’

‘If a company is later found to have sat on information that could have helped protect customers, they could take a huge hit on their reputation and you simply can’t put a price on that.’
