Management of information security incidents and improvements
6.13.1.1 Responsibilities and procedures
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.1 and the following additional guidance applies:
6.13.1.2 Reporting information security events
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.2 applies.
6.13.1.3 Reporting information security weaknesses
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.3 applies.
6.13.1.4 Assessment of and decisions on information security events
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.4 applies.
6.13.1.5 Response to information security incidents
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.5 and the following additional guidance applies:
6.13.1.6 Learning from information security incidents
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.6 applies.
6.13.1.7 Collection of evidence
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.7 applies.
LGPD (BRA)
Art. 48: The controller must inform the National Data Protection Authority and the data subject of the occurrence of security incidents that could entail relevant risk or damage to the data subjects.
§ 1 This communication will be made in a reasonable term, as defined by the National Data Protection Authority, and must mention, at least:
I – A description of the nature of the personal data affected;
II – Information on data subjects involved;
III – The technical and security measures used to protect the data, respecting commercial and industry secrecy;
IV – The risks related to the incident;
V – The motives for the delay, if the communication was not immediate; and
VI – The measures that were or will be adopted to reverse or mitigate the effects of the incident.
§ 2 The National Data Protection Authority will verify the gravity of the incident and may, if necessary to safeguard the rights of the data subjects, determine the adoption of relevant measures by the controller, such as:
I – Widespread disclosure of the incident via communication channels; and
II – Measures to reverse or mitigate the effects of the incident.
§ 3 In assessing the gravity of the incident, proof of the adoption of suitable technical measures that transform the affected personal data into unintelligible content for third parties unauthorized to access them might be evaluated, under the scope and technical limits of its services.
CCPA (US, CA)
S.1798.150.a: (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
(2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.
APA (Australian Privacy Act)
PIPEDA (Personal Information Protection and Electronic Documents Act) - Canada
Personal Information Protection Act - South Korea
Turkish Data Protection Law numbered 6698