
Why Your Organization Needs A Security Breach Notification Plan

Facebook has stated that it will not notify the 533 million users who had their personal data accessed in a data breach occurring before August 2019.

Business Insider reported that the stolen data was recently made public in a database on an amateur hacking forum. The stolen user data includes phone numbers, full names, locations, some email addresses, and other profile information.

The data breach affected users in 106 countries.

Facebook stated in a blog post that hackers exploited a vulnerability in a feature that allowed users to find each other by phone number. The feature is no longer being used on the platform.

Facebook reported that it found and fixed the problem in August 2019 and that cybercriminals can no longer use the same method to steal data.

According to a spokesperson for Facebook, the organization decided not to notify users because it is not confident which users need to be notified and the stolen information did not include financial or health information or passwords. In addition, the information was publicly available and users could not fix the issue themselves.

However, according to security experts, the data leak still leaves Facebook users vulnerable. The founder of CyberScout said that phone numbers are a universal identifier and that people are put at risk when their phone number becomes public.

For example, two-factor authentication frequently relies on phone numbers to verify a person's identity. Emma Bowman "After Data Breach Exposes 530 Million, Facebook Says It Will Not Notify Users" (Apr. 09, 2021).


Your organization must follow all applicable security breach notification laws if hackers access personal data stored on its network belonging to employees, customers, or other third parties.

All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have security breach notification laws requiring private and governmental entities to notify individuals of security breaches involving personally identifiable information.

In general, security breach notification laws specify who must comply, what constitutes “personal information” and a “data breach,” how notifications must be made, and exemptions. NCSL “Security Breach Notification Laws” (Apr. 15, 2021).

Familiarize yourself now with the laws in any state in which you operate and create a security breach notification plan that adheres to all requirements. Being prepared ahead of time for a data breach is essential to react in a timely manner and avoid violating the law.

Moreover, certain industries, like healthcare, have additional compliance requirements regarding security breaches.

Visit the National Conference of State Legislatures’ website for the security breach notification laws in each state.

