Who Do You Notify When Things Go Wrong? (IR-6)
Your personal email account is sending spam to everyone in your contact list. Someone used your credit card to buy $800 worth of electronics online.
Your small business just discovered that a laptop with customer information was stolen from an employee’s car.
You handle the immediate crisis—change passwords, call your bank, file a police report. But weeks later, you discover you missed a reporting deadline or forgot to notify someone important. The reporting failure becomes a bigger problem than the original incident.
IR-6: Incident Reporting
In IR-4, we covered what to DO when something goes wrong.
IR-6 is about who needs to KNOW.
IR-6 has two parts: internal and external reporting. Internal reporting (how things get reported to you) was covered in IR-4. This post focuses on external reporting—who outside your immediate circle needs to know, and by when.
Good incident response can still blow up on you if you miss required notifications.
For Individuals: Missing the Fraud Deadline
You notice unauthorized charges on your credit card. You’re busy, so you wait a few days. When you call your bank, they tell you that you had 48 hours to report for full protection. You waited too long, so now you’re liable for $50.
If you’d known the deadline and reported it the next day: zero liability.
For Small Businesses: The Unreported Data Breach
Your accounting firm discovers a stolen laptop with client information. You file a police report, improve security, notify affected clients.
A month later, your state tells you that you were required to notify a state agency within a specific timeframe. You didn’t know that. Now you’re facing questions and potential fines.
If you’d documented the requirements beforehand, you would have known.
What You Need to Know
Different incidents have different requirements. Some examples:
Financial incidents: Most credit cards require fraud reporting within 48-60 hours for full protection.
Data breaches: Requirements vary by state. Research yours.
Device theft: Carrier, employer (if work info was on it), police, banks.
Account compromises: Contacts who got suspicious messages, services that used that email for authentication, financial institutions.
Before something happens, figure out what applies to you. Write it down where you can find it.
For individuals: Check your bank and credit card fraud policies. Know your workplace’s reporting requirements.
For small businesses: Research your state’s data breach laws and industry-specific requirements. Your insurance agent or attorney probably has this information.
My Confession
I’ve been writing about these security controls and telling you to implement them. But I wasn’t doing them myself.
That’s changing. I’m working through each control with you and discussing what I’m doing.
For IR-6, I’m going to research the fraud policies for my bank and credit cards.
I’m using this very simple Google document I created and I’m going to fill this part out for this post.
What’s Next
You now know what to do during incidents (IR-4) and who to notify (IR-6). Coming up: IR-2 (Incident Response Training)—keeping these skills current.
P.S. If you’re finding this series useful, subscribe to get the remaining controls delivered to your inbox. We’re making enterprise-level security accessible to real people without the enterprise complexity.