by Luke Sackandy, Immersion
Recently, Immersion’s Larissa Crum participated in a panel discussion produced by HB Litigation Conferences LLC - NetDiligence Cyber Risk & Privacy Liability Forum, titled “Data Breach Preparedness: The Right Way to Survive 30 Days of Hell.” A more in-depth recap of the conversation can be found here, but the following is a brief list Larissa provided of the top 10 things organizations should know when a confirmed breach occurs.
1. Time is of the essence. Whether the breach falls under federal regulations (HITECH) or state regulations (47), there is always a time frame within which notice must be given. Know what those time frames are and plan accordingly.
2. Engage a data breach response vendor. Ideally you vetted vendors as part of the planning process; either way, you want to work with a vendor that understands data breach response.
3. Credit Monitoring/Identity Theft—to use or not to use. This depends on the information that was compromised; for example, if bank account information was compromised but not Social Security numbers, an argument can be made that no monitoring is required.
4. When crafting the data breach notice, you will want to remove the phone number from the cover letter—individuals will call whatever number they see.
5. Remember to communicate in the language most common to the individuals.
6. Think about the return address. This is often overlooked but can be very important if a large number of individuals need to be notified. Mailed notices come back at an average return rate of 13%.
7. Think about the response to the response—the call center. This is the first live interaction that an affected individual has with the organization.
8. Call center—FAQs. These are the questions and answers about the data breach incident. It is important to review them while giving thought to the affected individual. In the credit monitoring example above, you want an FAQ that explains why credit monitoring is not being offered.
9. Call center—escalations. Make sure the organization has the appropriate team in place to respond to calls that get escalated from the call center.
10. Respond with the end in mind—class action or regulatory inquiry. It is critical to work with a vendor that can provide documentation on every step of the notification and call center process, whether it be the results and decisions made on the address scrub or the call records at the call center.
How many of these items are you prepared for?
Posted by Immersion