If the data breach poses a high risk to the people affected, they should all be informed immediately. Unless sufficient technical and organizational safeguards, or other protective measures, have been put in place to ensure that the risk is no longer likely to materialize, notification should happen as soon as possible. More information about security breach notification laws by state is available here.
If there is not a high degree of risk and employees can help alert third parties, consider notifying the relevant personnel of the threat and how to avoid it. Such a communication may include steps to warn other external parties about the cyberthreat, including contact information and other important details in case the company’s employees or clients have fallen victim to the phishing attack.
But there is more to consider when weighing the pros and cons of warning outside recipients about a phishing email sent from a compromised account, and not all of it concerns legality. Here are some pros and cons to consider before sending out a breach notification:
Pros:
- Reduces the vast number of emails and phone calls asking whether the compromised email is legitimate
- Shows concern for your business partners
- Demonstrates care and concern for clients
Cons:
- Accepts responsibility for something outside your control
- Their filter may have worked better than yours, and they never received the phishing email
- Raises concerns about your security and vulnerabilities, and risks reputation damage
In general, when there is not a high level of danger involved, it is the recipient’s responsibility, not the sender’s, to authenticate emails. This is a crucial reason why security awareness training (SAT) is a MUST. If you’re interested in learning more about the benefits of SAT, what it can do for you, and how to implement training, click here.
That being said, you should gather the relevant information and expect confirmation calls about the legitimacy of the emails. Have pre-made responses ready that say something along the lines of: “The email you received (is/is not) legitimate, and we have addressed it by (generic solution statement). We have confirmed (no deeper compromise, no network or data penetration, etc.), and will continue to monitor outbound email for the next several days; we recommend your IT team does as well.”
Nevertheless, whether there is a high degree of danger or not, it is important to report any suspected cybercriminal activity to the IC3 (the FBI’s Internet Crime Complaint Center) right away, not only to notify the authorities but also to assist in the fight against cybercrime as a whole.