Internal and external counsel, executives and technology managers are often faced with the unfortunate realization that the victim organization they represent or are a part of didn't retain the necessary forensic evidence to determine the root cause of an incident or the evidence needed to determine what personal identifiable information(PII) was at risk and require notification. In this situation, counsel and executives must provide a reasonable argument to support their analysis and conclusion on the requirement to notify. In some situations, it may be determined that all individuals that have PII data hosted by the organization should be notified. In other situations, decision makers would require direct evidence proving that the threat actor accessed and exfiltrated PII data. Therefore, to the extent that the "available" evidence does not prove exposure of PII data, then there is no requirement for notification.

Consider the following hypothetical situation, an organization is hosting a database containing 5 million records containing customer information, including PII. The organization experiences a cybersecurity incident, and the organization did not maintain the right evidence to identify specific database records that were accessed by the threat actor. There is circumstantial evidence indicating the threat actor was able to access approximately 100,000 records, but this access cannot be forensically confirmed nor is there any indication as to which 100,000 customers out of the 5 million potential customers were potentially affected. I would like you to post a discussion on your decision or advise that you would provide to your organization on their potential notification requirements.