This “Data Breach Response – How To” article is part of our larger series by Heather Noonan.
So you find yourself in the debacle of a data breach? Where in the world do you begin? Your management team is sending you emails left and right, meetings have started to run amok, and you haven’t had lunch in the last two days.
Data breaches can be full of politics, high energy, and a lot of miscommunication. If you break it down to the basics, communicate, and make some smart decisions from the beginning, you are guaranteed to see some light at the end of the tunnel.
Data breaches are also highly regulated under State and Federal guidelines, and the requirements can be rather confusing. Similar to a crisis communication strategy, there are some main things you need to consider before you pull the trigger.
- Affected Population – Were forensics completed? Do you know the true number of people who were affected? It’s highly recommended that you complete digital forensics and have a final population before you begin mailing letters. All too often another 1,000 people will be found later, or, in some cases, the population you thought was affected wasn’t affected at all.
- Resources – Who will be the decision makers and who will be the administrators? Who will handle the mailing, the multitude of phone calls, the concerned and angry callers, and a possible investigation?
- State and Federal Requirements – Whether you fall under state guidelines or HITECH, you will run into many regulations with specific guidelines and timeframes. Pay close attention to these. They aren’t there just as a warning.
- Forms of Notification – Most state and federal laws require notification in writing and by first class mail. You also need to ask who will handle the mailing. Will you hire a third-party vendor to manage it? Do you have the necessary resources available?
- Contents of Notification – What happened and when? What personal information was lost? What are you doing to protect personal information from further unauthorized access? Do you need to include information for the consumer credit reporting agencies, or instructions on how to place a fraud alert or a security freeze? Consider everything that needs to be in the notification letter and take into account state and federal requirements.
- Contact Information – A telephone number for callers who need further information and assistance.
- Notification to Regulators – State attorneys general, enforcement agencies, and the consumer credit reporting agencies all have specific deadlines and requirements for when they must be notified. Remember, you not only have to notify the affected population, but other state and federal regulating bodies too.
- Notification to Media – Will you be issuing a press release? Do you need a public relations or marketing firm to assist? What are you legally required to say, and to whom will you submit the release?
- Notification on Website – Do you fall under the requirement to post notification on your website? If you do, how much information is necessary?
- Document – Document everything. You never know when you will need to refer to certain specifics and the decisions that were made.
Okay, now that you have those 10 steps under control, move forward and good luck!