An organisation operating in a jurisdiction with a mandatory data breach notification regime has confirmed that personal data has been exfiltrated and that the breach is likely to result in serious harm to affected individuals. The information security manager is deciding what most strongly determines the deadline by which the supervisory authority must be notified. Which factor is the primary driver of that deadline?
- A. The date on which technical containment of the affected systems was fully completed by the response team.
- B. The point at which the organisation became aware, or reasonably should have become aware, that a notifiable breach had occurred. (Correct)
- C. The date on which the board of directors formally reviews and signs off the incident response report.
- D. The date on which the organisation finishes calculating the total financial cost of the incident for insurance purposes.
Why A is wrong: Tempting because containment is an important operational milestone, but notification obligations are tied to awareness of the breach rather than to completing technical remediation, which may come much later.
Why B is correct: Correct because mandatory breach regimes generally start the regulatory notification clock from the organisation's awareness of a notifiable breach, making the date of awareness the key driver of the statutory deadline.
Why C is wrong: Tempting because senior approval feels procedurally necessary, but a board review schedule is internal and cannot lawfully delay a statutory notification deadline driven by awareness.
Why D is wrong: Tempting because insurers and cost data matter for recovery, but financial quantification is unrelated to the regulatory deadline, which is anchored to awareness of a notifiable breach.