Step 4: Implement the Notification/Communications Plan

Your organization has suffered a data breach, and now it's time to put the teams and plans into action.

Once the rapid response team has determined the type and scope of the breach and which customers are affected, the next question is when, or whether, your organization must disclose the breach to the affected individuals or businesses. Should an organization notify after every breach, regardless of its severity, or only once some threshold is crossed?

Opinions vary. The FTC, however, offers some specific guidance, including that an organization need not provide notice if there is no realistic expectation that an actual crime occurred.

In an opinion piece for CSO.com, A. Bryan Sartin, vice president of investigative response at Cybertrust, wrote: "There are noble and valid reasons behind the proposed new laws. Addressing the 'if,' to inform people in a proactive fashion that their data has been stolen when they may already be a victim of compromised information or identity theft, is the right thing to do. In terms of addressing the 'when,' however (and it's a big however), security breaches need to be qualified and should require an industry-established threshold standard before any disclosure takes place. Disclosing just for the sake of disclosing is not the answer."

In the case of GE Capital and J.C. Penney (see the pre-breach article), the breach in question involved a lost backup tape. Had it been determined that the tape was actually stolen, GE Capital would have had an obligation to notify every customer whose personal data was stored on it.

If the tape was merely lost, with no evidence that it was stolen, should the organization still notify affected customers, business partners or third-party vendors?

"Financial institutions, as well as other industries, commit a large amount of their budgets to ensure that security breaches are rapidly recognized and reacted to before they grow out of control," wrote Sartin.

"In the payments industry, for example, there are formal processes requiring investigations to ensure containment and verify the full extent of the exposure. From PCI (Payment Card Industry Data Security Standard) compliance requirements and industry watchdog groups, to government accounting standards and Wall Street analysts, disclosure is often not up to the compromised organization." Sometimes disclosure is up to the law enforcement agencies working with the response team. If a criminal investigation is ongoing, or a law enforcement action is pending, the authorities may not want you sending out public notices while the initial investigation is underway. This is where having representatives of the organization's legal team on the response team proves very useful.

Use the legal representatives on your rapid response team to help determine the following:
  • State and federal laws and regulations that are applicable

  • The probability that the information has been, or will be misused

  • Contractual obligations of the organization to disclose the data breach

  • Whether regulators and customers need to be informed about the data breach, and what those communications should say.

Disclosing the Breach
Thirty-nine states have passed laws on data breach practices and disclosure, and the Federal Trade Commission and the Securities and Exchange Commission also publish disclosure guidelines.

Unfortunately, there is no set standard for disclosure at the federal legislation level, though there are several bills up for consideration.

What this means for your organization is that you must work out which disclosure policies to follow, especially if you do business across many or all states, or around the world.

ChoicePoint, an Alpharetta, Ga.-based data aggregator and reseller of personal information, decided to send out notices to over 163,000 people affected by their much publicized data breach two years ago. According to Vice President for Compliance Christopher Cwalina, the company followed the only legislation available at the time-California's data breach notification laws-and sent the notices without any federal or state law requiring that they do so.

When considering how to respond to a data breach, remember the following tips:
  • Identify data breach disclosure obligations - Depending on the applicable state or federal notification laws, your organization must follow a disclosure plan. The rapid response team, or a member of it (legal counsel, a PR representative, or a third party), must disclose the breach by letter, email, or whatever communication method is mandated, to customers, legal organizations, third-party partners, the SEC, the FTC, etc.

  • Manage data breach disclosures - Research your own state's breach notification law first, then follow any other applicable state laws, the guidance of bodies such as the FTC and SEC, and the PCI DSS requirements.

  • Understand the magnitude of disclosure - When deciding when or whether to disclose a data breach, remember that the bad press, negative exposure and potentially millions of dollars in fines and class-action judgments that follow a concealed breach far outweigh the fallout from notifying the affected parties. The quicker the notification, the easier damage control will be between the organization and the customer.


Data Breaches Part I
- Is it possible to prevent the inevitable?

Introduction

Step 1: A Good Defense is an Offense

Step 2: Perform a company-wide risk assessment/inventory

Step 3: Educate employees on breach/data security

Step 4: Create a pre-breach containment and communication plan

Step 5: Create a rapid response and internal audit/compliance team

Epilogue: Spend now or pay later

Introduction

New changes to PCI DSS Self Assessment Questionnaire

Step 1: Spot/investigate the breach

Step 2: Circle the wagons: Deploy the rapid response team

Step 3: Create a Notification Plan

Step 4: Implement the Notification/Communications Plan

Step 5: Perform a response audit after the event

Navigating state disclosure laws

Outsourcing data breach response to a third-party

Recommended reading
© 2008 PCI Compliance Guide.org
   All rights reserved - do not copy any material without written permission.