This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
This Website Uses Cookies
By closing this message or continuing to use our site, you agree to our cookie policy. Learn More
This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • Home
  • News
    • Security Newswire
    • Technologies
    • Security Blog
    • Newsletter
    • Web Exclusives
  • Columns
    • Career Intelligence
    • Security Talk
    • The Corner Office
    • Leadership & Management
    • Cyber Tactics
    • Overseas and Secure
    • The Risk Matrix
  • Management
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • More
  • Physical
    • Access Management
    • Video Surveillance
    • Identity Management
    • More
  • Cyber
  • Sectors
    • Education: University
    • Hospitals & Medical Centers
    • Critical Infrastructure
    • More
  • Exclusives
    • Security 500 Report
    • Most Influential People in Security
    • Top Guard and Security Officer Companies
    • The Security Leadership Issue
    • Annual Innovations, Technology, & Services Report
  • Events
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
    • Security 500 West
  • Resources
    • The Magazine
      • This Month's Issue
      • Digital Edition
      • Archives
      • Professional Security Canada
    • Videos
      • ISC West 2019
    • Photo Galleries
    • Polls
    • Classifieds & Job Listings
    • White Papers
    • Mobile App
    • Store
    • Sponsor Insights
    • Continuing Education
  • InfoCenters
    • Building AppSec in Enterprises
    • Video Management Systems
  • Contact
    • Editorial Guidelines
  • Advertise
Home » The 5 Top Ways to Carry Out a Successful Breach Notification
Cyber Security News

The 5 Top Ways to Carry Out a Successful Breach Notification

Generic Image for Cyber Security
October 11, 2011
KEYWORDS data breach / notification
Reprints
No Comments

 

The process of notifying affected populations in the event of a data breach is complex and littered with potential land mines – handled poorly, the notification can be a black eye for an organization and potentially open them up to regulatory fines or sanctions. Brian Lapidus and his team at Kroll have assembled the following advice for businesses to help them minimize their risk and simplify what has become a very challenging process.

  1. Keep an eye on the clock. Several states include a specific timeline for notification as part of their breach laws and, generally, the clock begins to tick as soon as the breach is recognized by the affected organization. The healthcare industry is notoriously bound by time requirements.  For example, the Centers for Medicare and Medicaid Services (CMS) requires that entities report the breach to CMS as early as one hour, or as late as one week, after breach discovery.  As for victim notification, CMS outlines specific notification timelines based on type of incident.
  2. Recognize the various constituencies for notification.Large scale breaches impact a diverse cross-demographic and special populations require unique considerations. For instance, minors will not be able to utilize the commoditized credit services that are ubiquitously offered in the wake of a breach, so alternate remedies will need to be provided. Further, certain governmental agencies, such as the state Attorney General’s office, require notification and some states require breached organizations to notify the national credit repositories
  3. Identify the requirements for notification letter contents.This one aspect of notification deserves an entire tome devoted to it.  So much is made of the contents of notification letters, the phrasing used, the quality of the apology, etc., but rather than get bogged down in those details, let’s just stick to the basics.  There are some items that your organization will be required by law to include in (or leave out of) your notification letter. Your organization may be obligated to comply with notification requirements dictated by state and/or federal laws pertaining to your industry, so be sure to familiarize yourself with both.  For example, Massachusetts is known for its stringent notification law, which includes detailed instruction on what can/cannot be included in the letter, and HITECH mandates specific requirements for covered healthcare entities.
  4. Prepare for the logistical requirements of notification before the letters go out the door.   There are certain logistical elements your organization will need to be prepared for regardless of the size of your breach population. For instance, do you have current addresses for everyone in your affected population? Will you require translation services for non-English populations? How will you handle returned mail? Your notification letter will most assuredly include a contact number – are you prepared to handle the volume of calls anticipated, or will a call center engagement be necessary?
  5. Control your message.Companies that are intent upon retaining loyalty, reputation and share value would do well to ensure that a spokesperson for the organization is identified and that they are equipped with approved messages and a timeline for the distribution of those messages. This is particularly true if the breach is a high-profile one, where a staying on message is critical. Information leaks, rumors and multiple channels speaking at once only serve to dilute and distort the organization’s original message and cause anger and frustration among affected individuals.  Saying the wrong thing at the wrong time can also have legal ramifications.  

Subscribe to Security Magazine

Related Articles

Top 5 Fails from Companies Preparing for and Responding to a Data Breach

The “check out a book, buy a burger, get in the dorm, catch a bus, go to the game” Omnipresent Student ID Credential

Related Products

School Security: How to Build and Strengthen a School Safety Program

Physical Security and Safety: A Field Guide for the Practitioner

The Facility Manager's Guide to Safety and Security

You must login or register in order to post a comment.

Report Abusive Comment

Subscribe For Free!
  • Print & Digital Edition Subscriptions
  • Security eNewsletter & Other eNews Alerts
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

cybersecurity breach

The Top 12 Data Breaches of 2019

ransomware-enews

British American Tobacco Suffers Data Breach and Ransomware Attack

Dispelling the Dangerous Myth of Data Breach Fatigue; cyber security news

Major Retailer Macy's Is Hacked

server room, cybersecurity, penetration testing,

Explained: Firewalls, Vulnerability Scans and Penetration Tests

SEC1219-Cover-Feat-slide1_900px

Contracted vs. In-House Guarding: No Universal Right Answer

SEC2019_Everbridge_1119_360x184customcontent

Events

December 17, 2019

Conducting a Workplace Violence Threat Analysis and Developing a Response Plan

There are few situations a security professional will face that is more serious than a potential workplace violence threat. Every security professional knows and understands that all employers have a legal, ethical and moral duty to take reasonable steps to prevent and respond to threats of violence in their workplace.
January 23, 2020

The Value of a Unified Approach to Critical Event Management

From extreme weather to cyberattacks to workplace violence, every organization will experience at least one, if not multiple, critical events per year. And in today’s interconnected digital and physical world, the cascading safety, brand, and revenue impacts of critical events are more severe. Organizations need to be prepared through a unified and rapid response to these events.
View All Submit An Event

Poll

Emergency Communications

What does your enterprise use to communicate emergencies to company employees?
View Results Poll Archive

Products

Effective Security Management, 6th Edition

Effective Security Management, 6th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

See More Products
SEC500_250x180 clear

Security Magazine

SEC-December-2019-Cover_144px

2019 December

This month, Security magazine brings you the 2019 Guarding Report, featuring David Komendat, Boeing CSO, and many other public safety leaders to discuss threats and solutions for 2020 and security officer training. Also, we highlight Hector Rodriguez, Director of Public Safety and Security at Marymount California University, CCPA regulations, NIST standards, VMS and much more.

View More Create Account
  • More
    • Market Research
    • Custom Content & Marketing Services
    • Security Group
    • Editorial Guidelines
    • Privacy Policy
    • Survey And Sample
  • Want More
    • Subscribe
    • Connect
    • Partners

Copyright ©2019. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing