Breach notification in three easy steps

May 10, 2011 by ofonseca

In a recent report, Ernst and Young noted that stronger breach notification requirements are among the top privacy trends for 2011.  Governments around the world are enacting or tightening regulations around breach notification, and within the U.S., individual state laws around data breach notification have had a tremendous impact on data security.

The dramatic exposures engineered by Wikileaks have made it clear that insiders who have access to sensitive information are often at the center of devastating breach incidents and can – either intentionally or inadvertently – cause tremendous damage.  Training and awareness can be of significant help in preventing accidental employee misuse of information, while technical controls such as data loss prevention tools can combat more sinister efforts to steal information.  Ernst & Young believes that DLP tools will become increasingly popular in 2011, although tools alone won’t solve data breach exposure; they must be accompanied by strong policies and trained staff for effective implementation.

Here’s a quick checklist for how your company can responsibly manage its obligations around breach notification:

  1. Develop an incident response plan ahead of time so that it can be implemented immediately.  For some businesses, the absence of such a plan can turn a breach incident into a fight for the company’s mere survival, so make sure that your business isn’t caught by surprise.  Refer to expert considerations of all the factors that should be included in your detailed plan.
  2. Understand the breach notification requirements within your state and your specific industry.  Until there is one national standard for all privacy regulations, your business must comply with regional laws or face stiff penalties.
  3. When a breach occurs, execute your plan quickly and thoroughly.  Once your team determines the type of breach, the scope of the breach and the customers affected by it, you must determine which individuals or businesses need to be notified, if any.  Guidelines from the Federal Trade Commission can help you quickly understand the specific requirements that your data breach demands.