5 Essential Steps To Effective Data Breach Notification
6:00 PM EST Wed. Apr. 10, 2013
Notifying the appropriate parties following a data security breach is often a delicate process, according to the Ponemon Institute's 2012 Consumer Study on Data Breach Notification. More than half of the 2,800 consumers surveyed by the Ponemon Institute said they wanted to be informed only if the organization is certain that they are at risk. Fifty-eight percent said the notification is not helpful if it fails to explain all the facts and is "sugar coated." Effectively communicating breach information begins with developing and executing on an incident response plan, and here are five ways your organization can do just that.
Before an incident occurs, the incident response team should establish policy and procedures regarding information sharing, according to the National Institute of Standards and Technology's (NIST's) incident response guide. All communication should be documented for liability purposes, according to the guidance.
A single person should be in charge of incident response, according to the NIST recommendations. An alternate should also be selected. The leader should be the liaison with upper management and other teams, have technical knowledge and solid communication skills, and be adept at defusing crisis situations. Often the response team will have a technical leader, as well, to review the forensics team's work.
Identify other key personnel and groups that need to be part of incident response planning, according to the NIST guidance. Management establishes policy, budget and staffing. The legal counsel can help determine liability limitations on incident sharing. Human resources should be involved if employee discipline is required, and business continuity planners should be on board to help ensure the business continuity plan is also being followed.
In the U.S., there are 46 states, plus the District of Columbia, Puerto Rico and the Virgin Islands, that govern disclosure of PII or health-related information. Some state laws conflict with one another, so seeking a business relationship with legal counsel or a service provider well-versed in data breach reporting laws may be a good idea, according to the non-profit Online Trust Alliance.
Maintain contact with internal teams, including the board of directors and major investors. Notify key partners and customers. Identify and communicate with the appropriate regulators and reporting agencies. Law enforcement may also need to be contacted. Ensure that those impacted by the breach are appropriately notified. Answer questions from press and analysts. Maintaining a level of transparency is important at a time of crisis. A well-executed communications plan not only minimizes harm and potential legal liability but also can enhance a company's overall reputation, according to the Online Trust Alliance.