When an organization is faced with the unfortunate circumstances of a data breach, all hands are on deck to resolve the problem. Once things are under control and things are back to “normal,” everyone wants to move forward and not look back. As a result, customer notification takes a back seat to more pressing matters.
Federal standards requiring that customers be notified within 30 days of a data breach was proposed by President Obama in January. Other standards exist regarding breach disclosure, but confusion still exists. In an effort to clarify the matter, TechCrunch’s Sam Curry gives the following advice in his latest article:
A breach notification law, taken in isolation of other digital and communications requirements, sets the right tone for what to do and what not to do.
In many situations, the conversation isn’t about the right thing to do for the victims (i.e. the end users or businesses whose data is lost) but is instead about the right thing to do for the breached company (e.g. how to avoid legal exposure, bad press, etc.).
It is important to also stress that investigations have to happen promptly, that documented and effective policies exist on calling an incident, and that investigators and executives don’t drag their heels to avoid having to call the time of breach. Once that’s done, setting the time frame to 30 days gives enough time to be sure a breach really has occurred and determine who the victims are and leaves no wiggle room for delaying the need to notify victims in a timely manner.
A well-written breach-notification law will make it clear that the risk decisions to be made at the top of an affected company are not just about the risk to those that have the privilege of holding data. The time to worry about a breached company’s risk is beforehand in building a cyber-security program and contingencies. Once an incident happens, the needs of the victims become the biggest priority.
Having data isn’t a right for corporations; it’s a privilege and one that must always be treated as such, before, during and after breaches.
For more information on data breach notification standards, see the full TechCrunch article.
IT SECURITY SUPPORT: Blue Mountain Data Systems provides IT Security Support Services for Federal Civilian Agencies. Looking to find Vulnerability Scanning and Testing, Penetration Testing, Risk Assessment & FISMA Reporting for your Federal Agency? Call Paul Vesely at 703-502-3416.