The short answer is: It depends. The long answer is: When you communicate and how often you communicate will be different for each organization. This sort of communication process should be built into your organization's business continuity/disaster recovery/incident response (BC/DR/IR) process. A data breach is no different from any other incident that may require executive notification. Timing will depend heavily on the size of the breach, when it was discovered, whether it's hit the media and any number of other particular business concerns.
If this sort of communication plan isn't already part of a larger BC/DR/IR program, sit down with the enterprise's legal team and HR department (at bare minimum) as well as with the CIO and corporate communications team to assemble a basic plan. The other members of the team will have had past experience communicating similar issues to the C-suite and should have great feedback on when and how to notify them. Once you have a rough plan that everyone is happy with, you or another member of the team can present this plan to the rest of the C-suite for their feedback. At this time, you'll get a much better feeling from the executives about when they want to be notified and how much detail they want. This will probably take a few iterations to get right. And don't be surprised when you have to make changes to the process after the first incident.