After a data breach: Outsourcing data breach response to a third party
With PCI DSS, organizations are required to engage the services of an Approved Scanning Vendor (ASV) and/or a PCI auditor to make sure their organization is compliant as it relates to credit card transactions and the organization's systems and data storage.
Other organizations must follow HIPAA guidelines, the requirements set forth by the Sarbanes-Oxley Act, and so on. Even when an organization follows and is compliant with all of the above rules, if a data breach occurs it still has to follow every applicable state law concerning data breach notification.
With all of these guidelines and regulations, many organizations are turning to third-party vendors to handle data breach response, because it takes a great deal of effort and time on the part of the affected organization to make sure it is covering all legal and regulatory aspects when responding to a data breach.
As mentioned in a previous section, First Advantage's subsidiary, SIRN, is a company that works in conjunction with an organization's rapid response team when a data breach occurs.
Developed in 2006, SIRN handles the research and notification duties for any organization after it has suffered a data breach. Instead of the organization having to determine whether notification is needed, or which notification laws apply to it, third-party companies like SIRN control all responses after a data breach.
"We work with organizations in advance to prepare them for a data breach," explained Chris Ramos.
"Most organizations we do business with, actually have experience in data breach material…they understand that they need policies, but they don't know how to execute them."
He continued, "If a company has experienced a data breach, that doesn't mean that they will always follow their own procedures."
SIRN offers organizations a turnkey solution to the confusion and red tape often experienced in the aftermath of a data breach. Once an organization is a SIRN member, it takes only a phone call to a toll-free number by a rapid response team member to get the ball rolling on putting out the fires of a data breach event.
Within a 48-hour period, SIRN begins the notification process by researching the files that were compromised in the data breach. If it is a database with customer information, including names, addresses, Social Security numbers and credit card information, SIRN handles the verification of the names and current addresses of all of the affected customers.
From helping to draft a notification letter to the affected customers, to drafting call center scripts, setting up call centers to handle questions about the data breach, and handling disputes between customers and credit bureaus, SIRN takes the stress off of your organization in the confusing aftermath of a data breach.
"You want as many of your consumers to know what happened, before the evening news…in terms of liability, you don't want your clients leaving you," Ramos explained.
"We have interruption agreements with three local call centers, who have agreed to stop what they are doing, if we ask them to step in on a data breach case, and we have the same agreements with other fulfillment companies like printing companies, who will also stop their activities to get the letters out to the individuals as soon as possible."
SIRN can and will help draft a letter, or take over entirely from your organization's response team. In addition, it will navigate the web of state and federal laws and guidelines for notification, including applicable state laws and FTC or SEC guidelines.
"Our services are very customizable. We are not trying to take over any organization, but work with them in any way that they need," commented Ramos.
"Our job is to help them to keep in compliance with state laws, help them with the consumers, and help them with identity theft."