This is one of the most serious and pressing questions to consider.
A data breach can damage commercial relationships with customers and suppliers and may give rise to breach of contract claims. It is therefore crucial that all commercial contracts are reviewed following a data breach to determine whether notification is required. Where it is, act quickly and decisively to notify the affected customers and suppliers, as prompt notification helps preserve existing business relationships.
Important considerations are whether intellectual property has been lost, whether the breach violated a contractual duty of confidentiality, and whether the contract itself requires notification of a suspected or confirmed data breach. Beyond the data at risk, consider whether the incident exposes any of your suppliers to follow-on attacks against their systems, for example phishing emails sent from compromised accounts that appear to come from you, and advise them of the security steps they should take to prevent this (such as issuing a warning about the phishing emails being propagated).
When considering whether notification to customers and suppliers is necessary, look at the circumstances of the breach holistically and decide whether it is in the best interests of all parties to tell them what has occurred. Managing a multi-party data breach incident is complex and requires a well-considered strategy, so that all affected parties' interests are properly managed and third-party B2B claims are minimised. The AICD guidance reflects the same approach and recommends considering the commercial relationship and the impact that notification might have.