New data breach notification laws are hitting the books in the US and elsewhere very quickly. Mississippi is the 46th state in the United States to enact such a law. These laws should help consumers retain their privacy and institute more transparency into corporate governance.
Today the question is not “What do you do if you have a data breach?” It’s more “What do you do WHEN?”
Many experts will tell you that it depends, but the laws are clear. You must notify affected parties immediately or within a reasonable time period, such as 30 or 45 days. But how you handle things internally is left up to you. Gone are the days when you can stick your head in the sand and hope everything fixes itself or goes away. As an employee, officer or board member of an organization, you have a legal and fiduciary responsibility to:
1. Notify
2. Assess
3. Fix.
The most crucial and most difficult can be the first one. Notify the proper people in your organization that a security breach occurred. There should be a process in place to do this. If not, you need to create one. Think of this like a disaster recovery process or any emergency situation. If there was a fire in the building or someone broke into your office, you wouldn’t hesitate to call the fire department or security. It’s the same with a data breach.
Many people, especially in IT, think that they will get into trouble because someone exploited a weakness. Just like in fire fighting, first put out the fire, then decide on the cause and actions to ensure that you minimize future risk. Your employees and customers privacy and finances may be at risk and you need to inform them as quickly as possible. With tools like Twitter and Facebook, bad news travels even faster than ever. Better that you control the message than have the rumor mill do it.
Internal notification should be to a security officer or similar position. That person or group should notify HR and Legal immediately. Next is to notify IT, if they didn’t discover the breach, and the executive committee or corporate officers. They should in turn notify the board and any audit or finance related vendors. The breach plan should contain a process to notify employees, customers and appropriate law enforcement agencies.
A data breach is a serious incident and getting everyone to acknowledge it and act internally is the first step. Getting legal and law enforcement involved will help minimize future risk and hopefully catch the culprits. This not only helps you, but other organizations too.