Every state in the U.S. has data breach notification laws. In Delaware, for example, if a breach requires a certain number of residents to be notified, the organization must also provide notice to the attorney general. Some states require organizations to provide credit monitoring services to those affected by a breach of financial data.
At the federal level, major regulations such as the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector and the Gramm-Leach-Bliley Act (GLBA) in the financial sector require organizations to report data breaches.
And the timeframe for reporting is getting shorter. FDIC-supervised banking organizations are now required to notify the FDIC within 36 hours of identifying data breaches that meet certain criteria.
Given the stringent laws and regulations involving data breach notification, the varying requirements from state to state, and an increasingly perilous threat climate, organizations need to be prepared to execute a reliable notification process.
What You Need to Know About A Data Breach
What laws and regulations apply to your organization? What is a reportable data breach? Are there exceptions that would make it unnecessary to report a data breach? Who needs to be notified and how quickly?
Where is your data? What is the origin of data that is subject to compliance? Where has this data travelled? Who is the custodian of this data?
Who has handled this data, and who has access to it? Administrators? End users? Third parties?
Is your IT security infrastructure capable of supporting data breach notification requirements? For example, if a data breach occurs, will you be able to identify all data that may have been exposed? Are there any security gaps that increase the risk of a data breach?
What is your communications plan? What questions should you anticipate? What data will provide transparent, easy-to-understand answers?
Have you tested your technology and process?
What You Need to Do About A Data Breach
Organizations need to be prepared to execute a reliable notification process in case of a data breach.
Once you’ve gathered all relevant information related to compliance, data and the current state of your IT security infrastructure, you’ll be able to implement your notification plan when you discover a data breach. Here are the steps an organization will typically follow:
- Secure the systems where the data breach occurred to minimize damage and data exposure. Find out if other systems could have been compromised. Take steps to protect evidence.
- Contact your legal counsel for guidance on laws and regulations.
- Report the incident to law enforcement. In some cases, you may need to contact the FBI.
- Gather evidence, using a combination of technical analysis and human-to-human interviewing.
- Mobilize your team to implement your notification strategy and contact all affected parties, using plain language they’ll understand. If Social Security numbers have been exposed, contact the three major credit bureaus.
- Be transparent about what happened, how it happened, what data was compromised, who the perpetrator was, how they used the data, and what actions you’ve taken to address the situation and prevent recurrence. Educate people about the steps they should take if their data has been exposed and/or misused. Then keep them updated on your internal investigation and any law enforcement investigation.
- Identify the root cause of the data breach and address the problem at the source to minimize the risk of a similar incident happening again.
A data breach is a matter of “when,” not “if.” Being proactive about data breach notification is now a business necessity. Contact GDS to discuss how we can help you protect your systems, prepare for the inevitable breach and implement an effective incident response strategy.