What should a company do after a data breach?

You may feel like you want to run around screaming when you hear about a data breach, but you shouldn't. How to deal with a data breach should already be part of your security policy, and the next steps are set out as a guide to keeping your sanity under pressure. Each organization will have its own set of guidelines on dealing with breached data, be that maliciously or accidentally exposed.

- Knowing what has been breached and how: This may take some time, but you need an understanding of the root cause of the breach and what data was exposed.
- Clean-up operations: From the evidence you gather about the breach, you can work out what mitigation strategies to put in place.
- Communication: You will need to communicate to staff and any affected individuals about the nature and extent of the breach. More importantly, you will have to inform affected individuals about what data has been exposed, particularly regarding Personally Identifiable Information (PII) or Protected Health Information (PHI).

An important note on communication and breach notification

Official notification of a breach is not always mandatory. The rules on data breach notification depend on a number of things:

- The extent of the breach, i.e., how many data records were affected.
- The type of data, i.e., what type of data was exposed.
- The geography of the breach: some data protection laws only apply to certain geographies or to certain users in a given geography.
- The industry it occurs in, i.e., industry-specific rules on data breach notification.

Some examples of data breach notification requirements

The decisions about reporting a breach come down to two things:

- Do you have to report the breach under the given rules you work within?
- Does your organization have a policy of transparency on data breaches, even if you don't need to notify a professional body?

Before discussing legal requirements on breach notification, I'll take a look at transparency.

There is no right and wrong when it comes to making a policy decision about reporting minor breaches or those that fall outside of the legal remit to report. This is a decision a company makes based on its profile, customer base and ethical stance. Some argue that transparency is vital to maintain good relations with customers: being open, even about a bad thing, builds trust. Others argue that what you don't know doesn't hurt you. If you do notify customers even without a legal obligation to do so, you should be prepared for negative as well as positive responses. However, lessons can be learned from other organizations that decided to stay silent about a data breach. For example, Uber attempted to cover up a data breach in 2016/2017. The breach was eventually exposed to the press, and the end result was a regulatory non-compliance fine of $148 million, very bad publicity and a loss of trust in their data protection approach. Also, two security team members were fired for poor handling of the data breach.