Define Notification Timeframes
Many regulatory requirements dictate that if a company loses consumer data (i.e., cardholder information, private transactions, social security numbers, etc.), the company is obligated under law to notify the affected customer. However, the CSP is the party that needs to be the first to recognize that information has been compromised and report it.
Unfortunately, CSPs tend to be cautious about notifying customers about lost PII (personally identifiable information), so it is vital that your company defines specific customer-notification timeframes and outlines exactly what should trigger these alerts. Warnings could include mishaps such as data found in a public space, unavailable systems, systems outside of trusted networks, and corrupted data. Notifications are critical, as virtually every type of data compromise companies experience today can lead to harrowing consequences for customers — fraud, identity theft, blackmail hacking, or worse. Additionally, it is important to explicitly dictate that the CSP must alert your company when there is even a suspicion of a breach or similar event. This can be an expensive and time-intensive, yet necessary process. Thus, the guidelines should be fair and state that this level of notification is only required when the CSP has a probable reason to believe data has been compromised.