Any organization that creates, collects, stores, processes, transmits, archives, or deletes sensitive information about an individual must prepare for a Data Breach before it occurs. Starting Data Breach response planning only after the breach has occurred is costly and potentially a game-ender for some companies.
Data Breaches occur all the time; the public just does not understand the breadth and impact of the problem. A quick look at the State of California Department of Justice website published by the State Attorney General at http://oag.ca.gov/ecrime/databreach/list gives an immediate feel for the size of the problem, especially when one considers how few of the events listed there, just in 2012, have made it into the news.
All of these organizations had to comply with California's far stricter data breach reporting and notification requirements under California State Law, such as SB24. The relevant sections of California State Law state:
California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a))
Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) and California Civ. Code s. 1798.82(f)). If you fall into this category and are required to submit a notice, you can do so here: https://oag.ca.gov/ecrime/databreach/report-a-breach
However, this is only California, and most states, other than Texas, do not have Data Breach reporting requirements anywhere near as stiff as these. As the public begins to hear about even small portions of the overall problem, from the news, from receiving a notification letter, or from affected family members and neighbors, the attention paid to these events, and the real and significant penalties that follow, will only grow.
All organizations that interact with sensitive information about an individual in the ways we listed above, must:
- Identify the sensitive data in their possession
- Identify the location of that data throughout its entire lifecycle from creation or import, through to secure and permanent deletion
- Document the data flow, and tie access controls, auditing, and security techniques such as encryption to every branch of that flow. Note that the notification duty quoted above is triggered by the acquisition of unencrypted personal information, so recording exactly where data is and is not encrypted bears directly on your breach response obligations
- Review the data with Risk Management and In-house or external Counsel (See the Law.Com Blog entry below)
- Determine the best combination of Risk Management techniques (Eliminate, Transfer, Reduce, Accept)
- Develop a Data Breach Policy
- Develop a Data Breach Procedure (Steps and Personnel to support the Policy)
- Run a mock Data Breach event drill
- Improve your processes based upon the results of the drill
- Update all of the information collected in steps one through seven above
Law.Com Blog entry: http://tinyurl.com/8xscvah
RISC Management assists organizations in creating and implementing Data Breach prevention, detection, investigation, response, and improvement projects. http://www.RISCsecurity.com
Written by Chris Heuman Chris @ RISCsecurity.com