HGA will carry out all required external notifications in accordance with applicable laws and contractual obligations. External notification has several audiences: affected individuals (e.g. consultants, users, staff, or any persons whose data was breached), regulatory authorities, business clients/partners, and potentially law enforcement or public/media. Below, we outline the protocols for each:

Notification to Affected Individuals

If a data breach is likely to result in harm or risk to individuals’ personal data or privacy, HGA will notify those individuals without undue delay (once key facts are known and containment is in place). Under GDPR, if a breach poses a “high risk to the rights and freedoms” of data subjects, we are legally required to inform them directly and promptly[16]. Even outside GDPR, HGA’s policy is to notify individuals in a timely manner whenever their personal information is compromised in a way that could impact them (e.g., risk of identity theft or fraud).

Content of Individual Notices: Our communications to affected people will be clear, concise, and use non-technical language. We will include:

• What Happened: A description of the incident in general terms, including when we discovered it. (For security reasons, we might not describe the specific attack vector in detail, but we give enough context, e.g. “unauthorized access to our database between X date and Y date.”)
• What Information Was Involved: The types of personal data affected (e.g., names, contact info, dates of birth, account passwords, financial info, etc.). We will state if sensitive data like social security numbers or credit card numbers were exposed. If we’re unsure of specific data, we provide the categories likely involved.
• What We Are Doing: Steps HGA has taken to contain and remediate the breach and to protect individuals. This may include stating that we fixed the vulnerability, what security measures we’ve enhanced, and that we have notified law enforcement or regulators if applicable. If we are offering any support (like credit monitoring services or identity theft protection) at HGA’s cost, we will mention how to enroll.
• What You Can Do: Specific actions individuals should consider to protect themselves. We tailor this advice to the data involved[24][25]. For example, if passwords were exposed, we instruct them to reset passwords (and we may force a reset on our platform). If financial data was involved, we might advise monitoring bank statements or credit reports. For exposed SSNs or IDs, we would explain how to place fraud alerts or credit freezes[26][27]. We often attach or provide links to trusted guidance (such as an FTC or local authority identity theft resource) for additional steps[28]. The notice will include caution on avoiding phishing: e.g., we may tell individuals that we (HGA) will not call or ask for additional info by phone as a result of this incident, so any such contact claiming to be related could be fraudulent (this helps them avoid being re-victimized).
• Contact Information: How the individual can obtain more information from HGA. We give a dedicated contact point – typically an email address or hotline – and the name and contact of our Data Protection Officer or incident contact person[15][29]. We also indicate if and where we will provide further updates (e.g. “check our website’s incident FAQ page for updates” or that future communications will be via email or mail only to prevent confusion).
• Apology and Commitment: While keeping the tone factual, we usually express sincere regret for the inconvenience or concern caused and state that we take the matter seriously. We outline that we are committed to security and are taking steps to prevent such incidents in the future (to help rebuild trust).

The format may follow applicable law requirements. For instance, certain U.S. laws (like California) require the notice to have the title “Notice of Data Breach” and headings like “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” etc., with plain language and a certain font size[30]. HGA will comply with these formatting rules for notices sent to residents of those jurisdictions.

Delivery method: We will send individual notices via the most direct and secure method available. Typically, this is by email (if we have the individual’s email) or by physical mail if email is not available or appropriate. In some cases, other methods like SMS or a dedicated secure portal might be used if allowed and more effective. We follow any specific legal mandates – e.g., some laws allow substitute notice (posting on website or media) if contacting individuals directly is infeasible (e.g., lack contact info or too many affected). But our preference is direct notification whenever possible. Notices will be sent in the name of Humanics Global Advisors and include our contact details so recipients know it’s an official communication.

Timing: “Without undue delay” means we will not unnecessarily wait to notify individuals. We may take a short reasonable time to investigate and ascertain the scope of the breach and to implement initial containment (so that we can tell individuals accurate information and not compromise ongoing security efforts). However, any unjustified delay is to be avoided. As a rule of thumb, HGA aims to notify affected persons as soon as we have sufficient information to craft an informative notice and no later than when we notify regulators or as required by law. (For example, GDPR expects individual notices “as soon as possible” after determining high risk[16].) In practice, this often means within a few days of breach confirmation, subject to consultation with law enforcement (see below).

Law Enforcement Consultation: If a law enforcement agency is investigating the breach and requests that we delay notification to individuals (to avoid tipping off criminals or interfering with the investigation), we will document this request. Many laws allow for a reasonable delay in notification if law enforcement determines that immediate disclosure would impede a criminal investigation[31]. HGA’s Legal Counsel will obtain such request in writing and we will adhere to it, then notify individuals once the hold is lifted.

We maintain a sample breach notification letter (see Appendix C) as a template. Before sending notices, the DPO/Legal will ensure that the content meets any specific legal requirements for the jurisdictions of affected individuals. For instance, certain states require including information about credit bureaus if specific ID numbers were exposed[32], or offering identity theft services for free for a certain time if SSN or driver’s license is breached[33]. We will incorporate those elements as needed.

Once notifications are sent, we keep a record of when and how each individual was notified, in case we need to demonstrate compliance or follow up.

Notification to Regulatory Authorities

Where required by law, HGA will notify the appropriate government authorities or data protection regulators about the breach. The requirements vary by jurisdiction:

• EU/UK (GDPR): If the breach involves personal data of individuals in the EU (or UK) and is likely to result in a risk to those individuals’ rights and freedoms, HGA (as a data controller) must notify the relevant Data Protection Authority (DPA) within 72 hours of becoming aware of the breach[3][34]. We adhere to this strict timeline. The DPO or Legal Counsel will prepare the notification report for the DPA. If HGA cannot gather all details within 72 hours (which can happen if the incident is complex), we will send an initial notification with the information we have and indicate that further details will follow (“notification in phases” is permitted)[18]. The notification to the DPA will include at least: a summary of the nature of the breach (e.g. categories and approximate number of data subjects and records involved)[14], the contact point for HGA (DPO’s details)[15], the likely consequences of the breach, and what measures we have taken or plan to take to address it[15]. We document the timing of when we became aware and when we notified, to show we met the 72-hour requirement or explain any delay. If the breach is unlikely to pose any risk (truly low risk), GDPR does not require notifying the authority; however, we will still document our risk assessment internally in case of later scrutiny[35][18].
• United States (State Laws & Sectoral Laws): HGA operates globally, but for U.S. data, there is no single federal breach authority to notify (except in certain sectors like healthcare or finance). Instead, we must follow state breach notification laws. Almost all states require notifying the affected individuals (covered above) and many require notification to state regulators (often the state Attorney General or consumer protection office) if a certain number of residents are affected. For example, California law requires that if a breach affects more than 500 California residents, HGA must submit a sample copy of the breach notice to the California Attorney General’s Office[36]. We will comply with such state requirements: our Legal Counsel maintains a checklist of states with AG or other notifications and their thresholds (e.g., similarly, New York requires AG notification if >500 NY residents, etc.). We will send those regulator notifications either concurrently with or slightly before individual notices. Typically, these notices involve providing a copy of the letter we send to individuals and completing any online forms the state AG provides. Additionally, some states (like Massachusetts) require notifying a state agency and possibly credit bureaus if a large number of Social Security Numbers were involved. HGA will identify all relevant states based on the residency of affected persons and ensure we notify the required entities in each.
• CCPA/CPRA (California): The California Consumer Privacy Act (as amended by CPRA) doesn’t have a separate breach notification mandate beyond existing CA breach law (CCPA primarily provides a private right of action for data breaches). The key obligation remains to notify individuals without unreasonable delay[4] and the AG if >500 affected. We ensure those are met. If the breach triggers potential CCPA liability (e.g., due to failure to implement reasonable security), Legal will be prepared for possible follow-up (like consumer claims) once it’s public.
• Canada (PIPEDA): Under Canada’s PIPEDA, if the breach involves personal information under HGA’s control and it is reasonable to believe the breach creates a “real risk of significant harm” to individuals, we must report it to the Office of the Privacy Commissioner of Canada (OPC) and also notify affected individuals (unless prohibited by law)[37]. The timing under PIPEDA is “as soon as feasible” after determining the breach occurred[38]. We will make such report via the OPC’s reporting form, including details similar to GDPR (description, cause, data involved, number of people, steps taken, etc.), and we’ll notify individuals as discussed. Some Canadian provinces have their own laws (like Alberta’s PIPA requires reporting breaches to the Alberta commissioner without delay). HGA will comply as applicable.
• Other jurisdictions: We acknowledge that many other countries have breach notification laws – for example, Australia (Notifiable Data Breaches scheme, where if serious harm is likely, notify OAIC and individuals “as soon as practicable”), Singapore (PDPA breach notification within 3 days to PDPC if significant harm or large scale), etc. If HGA’s breach involves data of individuals in other jurisdictions, the DPO/Legal will assess those countries’ requirements and ensure compliance. The general principle is similar: notify the privacy/data authority promptly (often within 72 hours or a few days) if certain harm or scope thresholds are met, and notify individuals unless an exception applies.
• We will also check if any sector-specific regulators need notice. For instance, if the breach involves any credit card data, we may need to notify our payment processor and consider PCI-DSS obligations. If it involves health data (unlikely for HGA, but hypothetically), HIPAA/HITECH rules in the U.S. would require notifying HHS and possibly media if >500 people in a state. These are edge cases for HGA, but our legal team’s due diligence covers them.

Documenting regulatory contact: We keep copies of all notices sent to authorities and note the date/time of submission. If we miss a required notification inadvertently, we will rectify it as soon as discovered and explain the lapse to the authority transparently.

We also handle any follow-up inquiries from regulators. After notifying, a DPA or AG might have questions or require more info. The DPO/Legal will coordinate responses to such inquiries promptly. Our thorough incident documentation helps answer regulators’ questions about how the breach happened and what we’ve done.

Notification to Clients and Business Partners

Beyond individuals and government, HGA has obligations to notify certain partners, clients, or other organizations we work with, especially if the breach involves data we handle on their behalf or otherwise affects their interests:

• Client Notification (as Data Processor or Vendor): If HGA processes or stores data for a client (i.e., in some cases we might act as a data processor to a client’s data), and we suffer a breach of that data, we are required to inform the client (the data controller) without undue delay[39]. For example, if HGA’s platform holds a client’s project information or personal data and that is compromised, we will contact that client as soon as possible to provide details, so they can in turn fulfill any obligations they have (such as notifying their stakeholders or regulators). This is often contractually required and in line with GDPR Article 33(2)[40] (which mandates processors notify controllers). HGA’s standard practice, reflected in contracts, is to notify partner organizations of incidents affecting them or their data promptly. The notice to a business client will usually be made by the HGA account manager or executive sponsor, in writing (email or letter), and contain a summary of what happened, what data of theirs is affected, and what we are doing. It will also outline any immediate steps the client might need to take on their side.
• Upstream/Downstream Partners: If a third-party vendor or service provider of HGA was compromised and that led to our data being exposed, that vendor is expected to notify us (and we require in our contracts that they do). Once we receive such notice, our IRT treats it like an internal breach and we will then notify any impacted parties as if it were our own incident. Conversely, if HGA’s breach could impact another organization (for instance, if an HGA consultant’s credentials for a client system were stolen or if data we share with a partner was exposed), we will inform that organization. An example: if HGA and a partner share an integrated system and the partner’s data in our possession is breached, we notify the partner so they can take protective measures.
• Notification to Consultants: Our consultants are both individuals and part of our business network. If the breach involves consultant data (e.g., personal info consultants provided to HGA, or perhaps their CV or credentials database on DevTender), we will notify those consultants (as “affected individuals”). Additionally, if the breach could affect ongoing consulting engagements (say a project data was leaked), we may need to inform the client and possibly the team on that project. We coordinate such communication so that it’s clear and doesn’t cause undue alarm. The Consultant Contract explicitly requires mutual notification of breaches[2], which we honor through these protocols.
• Internal Cross-Notifications: If the breach originated with one of our offices or a subsidiary, HGA will notify the parent entity or any affiliated entities as needed. (This may not be applicable if HGA is a single entity, but if there are multiple legal entities or joint ventures, ensure all need-to-know entities are informed.)

All partner notifications should be made as soon as practical after initial containment and fact-finding – usually within a few days of the incident. They may happen even earlier than individual notifications if, for example, we need a client’s cooperation in the response.

We will usually designate a specific HGA representative (e.g. an Account Manager or senior exec) to be the liaison for each major client or partner being notified, to handle their concerns directly.

In the notifications to partners/clients, we will emphasize confidentiality if appropriate (many companies wouldn’t want it widely known they were affected). We may enter into a joint communication plan with them if the incident overlaps both organizations.

Law Enforcement and Other External Parties

Law Enforcement: HGA will consider involving law enforcement authorities especially when the breach involves criminal activity (such as theft of data by hackers, fraud, or an extortion attempt like ransomware). In many cases, notifying law enforcement is recommended or required. For instance, the U.S. Federal Trade Commission advises promptly reporting breaches involving identity theft risk to local police and possibly the FBI or Secret Service[41]. Our Legal Counsel will typically reach out to appropriate law enforcement early on – for example:

• If personal data theft or fraud is suspected, file a report with local police or national cybercrime units. This creates an official record.
• For cyber intrusions, contacting the FBI’s cybercrime unit or national cyber incident response (if in the US, or similar agencies in other countries) can be appropriate, especially for large breaches.
• If the incident involves mail theft or something physical, possibly the Postal Inspection Service (per FTC guide)[41].
• For breaches involving certain sectors (like if any government data were involved), notify relevant authorities as required by contract or law.

We balance this with any regulatory disclosures. Law enforcement notification does not replace regulatory notification – it’s an additional step. We also heed any guidance from law enforcement about what to communicate to the public or individuals. As noted, if they ask us to delay public/individual notice to avoid impeding investigation, we will comply (within legal allowances).

Insurance: If HGA carries cyber liability or data breach insurance, an early notification to our insurance carrier is necessary (often within a strict timeframe like 24-48 hours of discovery) to ensure coverage. The Incident Response Lead or Risk Manager will ensure the insurer is notified according to the policy requirements, and we may utilize any incident response services provided by the insurer.

Professional Bodies or Other Oversight: Depending on the nature of data, we may need to inform other parties. For example, if the breach involves personal data of EU citizens and we have appointed an EU representative under GDPR, we will inform the representative. If any certifications (like ISO 27001) are held that require reporting incidents, we handle that through our compliance team.

Media / Public Communication: In some cases, especially large-scale breaches, HGA might issue a press release or public statement. Sometimes laws even require media notification (for instance, U.S. healthcare breaches over 500 individuals in one state require notifying prominent media in that area). Even if not required, we may proactively do a press release if we expect the news to spread or if we want to assure the public of our actions. The Communications Lead, with management and legal approval, will craft any press release. It will contain similar information as individual notices, but tailored for public consumption. We will not divulge more personal detail than necessary, and we’ll express empathy and control of the situation. We also might publish a notice on our website and/or social media channels if appropriate.

If HGA posts breach updates on a web page, we will direct individuals to that page for ongoing status. This can help prevent misinformation and reduce direct inquiries.

Note on Timing of Public Disclosure: We generally will notify affected individuals and regulators before any broad public disclosure. This way, our direct stakeholders hear it from us first rather than the news. Only after those notifications are underway or completed would we release information publicly.

Cross-Border Considerations

Because HGA operates globally (with data subjects and clients in multiple jurisdictions, and data possibly stored in cloud servers across borders), we take special care to meet cross-border data transfer and notification requirements:

• As noted in our Consultant Agreement, HGA adheres to GDPR principles even if not strictly required, and consultants consent to cross-border data handling with appropriate safeguards[42]. In a breach scenario, this means if a breach occurs in one region but involves data of individuals from another (e.g., a breach in a U.S. system exposing EU personal data), we will coordinate notification with both regions’ laws (GDPR and relevant U.S. law).
• Lead Authority: Under GDPR, if we operate in multiple EU countries, we might deal with a lead supervisory authority. Our DPO will determine if a lead DPA is relevant and notify them, and they in turn share info with other concerned DPAs as needed (per GDPR cooperation mechanisms).
• Language: Notifications to individuals will be in an appropriate language for the recipient where feasible. (For example, if we have a large number of data subjects in France affected, we’d consider sending notices in French or providing translation, to ensure clarity.)
• Differing Thresholds: We keep track that different countries have different thresholds for notifying authorities (some have any risk, some have “real risk of significant harm” like Canada[37], etc.). Our policy is usually to err on the side of notification if in doubt. It’s better to over-inform than under, to maintain trust.
• Privacy Shield/Transfers (if applicable): Although not directly a notification issue, if the breach involves data transferred from the EU to the US under some transfer mechanism, we may have to communicate with those frameworks (e.g., inform the EU data exporter or adhere to commitments like those under Privacy Shield – though that framework is now defunct, similar concepts in new frameworks may exist). The key point: cross-border breaches often involve multiple regulators (like both the EU DPA and a US state AG). We will address each and ensure consistency in our disclosures.

In summary, HGA’s external notification strategy is comprehensive and compliant: we notify individuals quickly and helpfully, authorities within required timeframes, clients/partners proactively to manage shared risk, law enforcement to address crime, and the public/media if needed to maintain transparency. All communications will be professional, factual, and aimed at protecting our stakeholders and our organization’s integrity.