
Breach Management Part II
A data breach is a security incident in which sensitive, personal, or protected information is accidentally or unlawfully destroyed, lost, altered, disclosed, or accessed. After such an incident the organization must respond quickly, and a crucial, time-bound part of that response is ensuring compliance with data breach regulations at the federal, state, and international levels.
In Part I of our blog series, we discussed what not to do immediately after a data breach occurs. Part II dives into the critical actions an organization must take right after discovering the breach.
Data breach notification laws require organizations to inform affected individuals, employees, third parties, law enforcement and, in many jurisdictions, regulators about the breach. These laws vary by jurisdiction, but they generally include strict timelines for notification that start running from the moment the breach is discovered. Failing to comply can result in hefty fines and penalties and may trigger an investigation by the authorities.
One of the most important steps in breach management is having a solid Breach Notification Policy and Procedures in place. The financial costs of a data breach can be significant, and small to mid-sized companies may even face bankruptcy due to the fallout.

Helpful resources, such as guidance from the Federal Trade Commission (FTC) and PC Business, provide best practices for breach response. While opinions may differ on the exact sequence of actions, organizations generally follow these steps after a breach:
- Notify the Right Parties – This includes informing impacted individuals, employees, third parties, and relevant law enforcement agencies.
- Secure Your Systems – Take immediate action to stop any additional data loss.
- Fix Vulnerabilities – Address the root causes and avoid making rash decisions.
- Enforce Policies – Ensure that breach management policies are followed.
When notifying the public about the breach, it's important to keep these key points in mind:
- Avoid making exaggerated statements or wild claims.
- Be transparent and honest in all communications.
- Educate employees on how to respond if asked about the breach.
- Do not sensationalize the breach as an act of terrorism or describe it as a highly sophisticated attack without factual evidence.
- Maintain open communication with customers, vendors, and employees.
- Share what actions the organization has taken to contain the breach and remediate the situation.
- Clearly communicate future steps to prevent similar breaches.
- Regularly update employees on the breach’s status and actions being taken during the recovery process.
Notification to law enforcement is also a crucial step. In the U.S., state laws generally define a security breach as the unauthorized acquisition of, or unauthorized access to, computerized data that compromises the security, confidentiality, or integrity of personal information; some states also trigger the duty where there is a reasonable belief that such access has occurred.
Every state, along with the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, has its own data breach notification law requiring organizations to notify affected individuals when their personal data has been compromised, and many also require notice to the state attorney general or a consumer-protection agency once the number of affected residents exceeds a threshold. Beyond state law, GDPR and the CCPA impose their own jurisdiction-based requirements (GDPR, for example, requires notice to the supervisory authority within 72 hours of becoming aware of a breach), while GLBA, HIPAA, and HITECH add sector-specific requirements for financial services and healthcare that organizations in those sectors must also comply with.
In Part III of this series, we will focus on the next critical step in breach management: Securing Your Operations. The actions you need to take after a breach will vary based on the type of organization, the industry you operate in, and the type of data that was compromised.
Finally, in Part IV, we will explore breach notification protocols specific to various sectors, including:
- Healthcare data breaches
- Financial data breaches
- Government data breaches
- Education data breaches
- Entertainment data breaches
- Other industry-specific breaches
Stay tuned for more detailed guidance on managing and mitigating data breach risks in different contexts!