Guidelines for Responding to Data Breaches
By Guest Author | Posted 2014-07-16
These practical suggestions will prepare your organization to respond quickly and effectively to what experts consider nearly inevitable: a data breach.
Put together inventory lists.
It is important to keep an inventory of sensitive data and physical equipment to identify which information and equipment may have been compromised. Even if physical equipment has not been lost or stolen, an up-to-date list can help determine if specific machines need to be examined.
Develop a notification plan.
Although your company may be one victim of a data breach, there are many others. What kind of a response will your company make—and to whom? In health care, for instance, the federal Breach Notification Rule requires that a covered entity “notify each individual whose unsecured personal health information has been, or is reasonably believed by the covered entity to have been accessed, acquired, used, or disclosed as a result of such breach” within 60 days of discovering the breach.
Breaches involving more than 500 individuals require the covered entity to notify prominent media outlets serving the area. Your company should also consider which other stakeholders should be notified, including investors and shareholders.
Prepare for specific adverse events.
The details of the response-and-recovery plan will follow a risk analysis individualized to your company. The risk analysis will identify areas of vulnerability within your company, which can then be addressed. Knowing your company’s weaknesses will help you take necessary corrective measures.
Test the plan.
Once your company develops a plan, it should be tested just as fire drills are held, so that people know what to do when the alarm rings. Your company's employees need to experience what they are expected to do when a data breach occurs. In addition to preparing each individual for a data breach, the drill tests the plan for unanticipated flaws that need to be ironed out.
Engage in assessment, periodic audits and updates.
Develop an assessment procedure to review the plan’s effectiveness. Additionally, your company should conduct periodic audits of the response-and-recovery plan to identify and address gaps and keep the plan up to date because your company, applicable regulations and technology change over time. This ensures the continuous improvement and ongoing relevance of the plan.
Data breaches are on the rise. That’s why it’s more important than ever to invest in data security measures to prevent data breaches and to have a well-established and tested response-and-recovery plan. Unless your company is willing to invest in data security, the money it appears to be saving may be nothing more than "unjust enrichment."
Thomas E. Zeno, a former assistant US Attorney for the District of Columbia, is now Of Counsel to Squire Patton Boggs. An AUSA for more than 25 years, Tom investigated and prosecuted economic crimes involving health care, financial institutions, credit cards, computers, identity theft and copyrighted materials. Tom practices in the firm’s white-collar, investigations and enforcement group, as well as in its health care group. Lindsay Holmes, an associate in Squire Patton Boggs’ Washington, D.C., office, focuses her practice on health care matters.