Wednesday, December 28, 2011

Data Breach Response: A Year in Review



http://ow.ly/8c1Rf

An article by Theodore J. Kobus III posted on the Data Privacy Monitor website of the law firm Baker Hostetler.

This article discusses data breaches that occurred in 2011, and the responses to those incidents.

The article states, "...corporations facing data breaches need to navigate a maze of state laws that have varying requirements governing timeliness of notification, contents of notification, and what constitutes a data breach. The time and expense involved in responding to a data breach is significant, but the risks to a company’s reputation are far greater if the breach is not handled appropriately."

In addition, the article provides the following information about lessons learned:
  • Transparency is key to maintaining relationships with customers and regulators, but be certain you understand the scope of the breach before making an announcement;
  • An IT policy should be implemented to ensure that patches and updates are implemented in a timely fashion;
  • Ensure that firewalls have been installed, configured and are tested on a regular basis;
  • A breach of a large email database may trigger notification;
  • Education of employees is critical to the success of any data breach prevention plan;
  • Old data is dangerous data—make sure you need to keep it;
  • Do not collect more data than you need to—e.g., do you need to request a social security number on the initial submission by an applicant for employment?
  • Social engineering tools are being used creatively to gain access to personal information;
  • Social media policies need to be monitored, enforced, and updated regularly without encroaching on employee rights;
  • It isn’t just personal information we are concerned about—disclosure of trade secrets and other confidential information puts organizations at risk;
  • Encryption is not only a safe harbor, it is expected by customers and regulators.
