There's been a data breach. It happened 268 times during 2006 (according to the Privacy Rights Clearinghouse). Now, it's happened to your organization. What do you do?
Well, you might want to obey the 33 or so state laws that govern when and how you should notify the people named in those exposed files, gently breaking it to them that, because of you, they're now naked to identity theft. The laws are hardly copies of each other, but the standard bearer is California SB 1386. The California Office of Privacy Protection has 30 pages of recommendations on how to comply with it.
If you're with a financial institution, specific federal laws apply, and the Federal Trade Commission has its own list of recommendations, including a model notification letter.

Obviously, the situation is complex and fraught with legal hazards -- and the experts agree that your only hope of navigating them successfully is to have a contingency plan written in advance.
"You need practical things like a plan and committee, and a decision about who is going to be on that committee," said David Taylor, vice president at Protegrity Corp., a data security management firm in Stamford, Conn. Taylor, who writes data breach contingency plans, suggested that the committee include representatives from the organization's business units, plus the corporate attorney, the corporate compliance officer or equivalent, someone (such as a public-relations officer) who can address the issue of reputation damage, and someone who reports to the chief financial officer.
Once convened, the committee must do four things, explained John Pescatore, analyst at Gartner Inc.:
- Begin the customer notification process;
- Start the breach containment process;
- Decide whether to involve law enforcement; and
- Perform a post mortem.
When it comes to notification, the committee should act quickly. "Time is of the essence," noted Larry Ponemon, head of the Ponemon Institute, a research firm in Traverse City, Mich., covering privacy, data protection, and information security policies. "You want to make sure that you get your message out hours and hopefully days before it appears in the media."
"One of the primary causes of legal action is the accusation that you knew sooner than you told," added Rob Scott, managing partner at Scott & Scott LLP, a law and technology services firm in Dallas.
But while moving fast, "Be surgical when identifying who is at risk -- a big mistake we see many times is that they think that by casting a wide net they will be seen as a more responsible organization," Ponemon cautioned. "Don't send a notification letter to people who don't need it. Those who get the letter will either under-react and do nothing, or overreact and do things that are not required, like throwing away their credit cards or constantly calling credit bureaus. The letter is always seen as a negative issue."