Determine Maximum Time for Customer Notification following a Breach | Information Security Audit | CISA Exam

D.

In the event of a data breach, it is crucial to promptly notify affected customers that their personal information may have been compromised. The notification should include information on what data was accessed and the steps the company is taking to address the situation.

To determine the maximum amount of time before customers must be notified, the best source to refer to is industry regulations. Industry regulations provide specific guidelines on how quickly affected individuals must be notified after a data breach has occurred.

For example, in the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to notify individuals within 60 days of discovering a breach of unsecured protected health information. Similarly, the General Data Protection Regulation (GDPR) in the European Union requires organizations to notify affected individuals within 72 hours of discovering a data breach.

While industry standards, information security policies, and incident response plans are also important sources of guidance, they may not provide specific timelines for notifying affected individuals. Therefore, the best source to determine the maximum amount of time before customers must be notified after a data breach is industry regulations.