Data Security Breach Notification
Cathy Bump, VP Policy & Legal, TRUSTe

In response to a number of public reports of security breaches involving nonpublic personal information that could be used to commit identity theft, 18 states have already passed legislation requiring data holders to notify those whose information has been involved in specific types of security breaches. In addition, Congress is currently considering several federal bills addressing breach notification.

What can your company do to ensure that it is ready to deal with a data security breach, particularly when it comes to notifying consumers whose data was involved?

Because the existing state laws differ somewhat from one another, you should first become familiar with any laws that might apply to your company. Security breach laws vary in the types of data that trigger a notice requirement (several, for example, apply only to personal information that was not encrypted), in who must be notified, and in the required timing of notices. After you become familiar with the applicable laws, consider designing a breach response plan specifically tailored to your company. You should also form an incident response team whose roles and responsibilities are clearly assigned, before any breach occurs. Taking these steps will help ensure a prompt, efficient response in the event of unauthorized access.

In establishing your incident response team, consider the following factors:
An important step in creating a breach response plan is determining under what circumstances individuals outside the company should be notified. There may be cases when law enforcement should be informed, as well as cases where notification of the individuals whose data has been affected is legally required or otherwise appropriate. In cases where consumers must be notified, it is good practice to contact the major credit reporting agencies before notifying the affected individuals, so that the agencies can prepare for the queries they will soon receive. Then, when informing customers about the breach, it is standard practice to advise them that they may wish to monitor their credit reports to mitigate potential harm from any resulting identity theft. You may also want to refer them to an identity theft resource such as the Privacy Rights Clearinghouse.

Think also about what steps you are prepared to take to assist the affected individuals. For example, some companies have responded to breaches by offering free credit monitoring, paid for by the company.

Another key step in preparing a breach response plan is to create a customer notification form letter that can be easily modified for immediate use, avoiding unnecessary delays should a breach occur. Sample form letters can be found at the California Office of Privacy Protection's website. Security Guidelines in early November 2005. The revised guidelines will incorporate best practices covering data security breaches.
© 1997 - 2008 TRUSTe. All Rights Reserved.