Management of information security incidents and improvements

6.13.1.1 Responsibilities and procedures
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.1 and the following additional guidance applies:

6.13.1.2 Reporting information security events
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.2 applies.

6.13.1.3 Reporting information security weaknesses
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.3 applies.

6.13.1.4 Assessment of and decisions on information security events
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.4 applies.

6.13.1.5 Response to information security incidents
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.5 and the following additional guidance applies:

6.13.1.6 Learning from information security incidents
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.6 applies.

6.13.1.7 Collection of evidence
The control, implementation guidance and other information stated in ISO/IEC 27002:2013, 16.1.7 applies.

LGPD (BRA)

Art. 48: The controller must inform the National Data Protection Authority and the data subject of the occurrence of security incidents that could entail relevant risk or damage to the data subjects.

§ 1 This communication will be made in a reasonable term, as defined by the National Data Protection Authority, and must mention, at least:
I – A description of the nature of the personal data affected;
II – Information on data subjects involved;
III – The technical and security measures used to protect the data, respecting commercial and industry secrecy;
IV – The risks related to the incident;
V – The motives for the delay, if the communication was not immediate; and
VI – The measures that were or will be adopted to reverse or mitigate the effects of the incident.

§ 2 The National Data Protection Authority will verify the gravity of the incident and may, if necessary to safeguard the rights of the data subjects, determine the adoption of relevant measures by the controller, such as:
I – Widespread disclosure of the incident via communication channels; and
II – Measures to reverse or mitigate the effects of the incident.

§ 3 In assessing the gravity of the incident, proof of the adoption of suitable technical measures that transform the affected personal data in unintelligible content for third parties unauthorized to access them might be evaluated, under the scope and technical limits of its services.

CCPA (US, CA)

S. 1798.150(a):
(a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
(B) Injunctive or declaratory relief.
(C) Any other relief the court deems proper.
(2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.