Collecting consumer contact information to alert individuals in case of data breach for B2B companies


If you are a B2B company [US], you may collect data on your clients as well as your clients’ customers. For example, let’s say the only thing you need to collect is your clients’ customers’ names.

If your company has a data leak and the individuals’ names are shared with an unauthorized third party, you (I believe) have an obligation to inform someone.

What is the standard practice? Do you directly email the individual and say their information was leaked? Or do you give your client (a business) a list of the clients whose data was impacted and let them reach out to the impacted clients?

In the case of emailing the impacted clients directly, what if you do not collect their contact information and have no way to contact them?


Real-world example: my personal data was leaked by a B2B software company that I had never heard of. I was contacted by the software company directly as well as by their client, whose services I had used. Was it the responsibility of the B2B software company to collect my email in case they needed to contact me directly?