Breach notification goes beyond regulatory compliance. Its focus is on transparency, which has fundamentally altered how organizations approach privacy and data protection. Breach notification failures have resulted in reputational damage and attracted the attention of regulators.
Around the world, governments are getting on board with breach notification schemes
- Canada
In Canada, an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA) is making its way through the regulatory process and includes breach notification obligations.
- European Union
In the EU, a breach notification regulation for the telecommunications industry will come into effect in 2011.
In addition, the EU’s review of the Data Protection Directive is expected to result in notification requirements for all EU member countries. Some EU countries are adding their own breach notification provisions. In the UK, for example, regulators are working on a law that will force organizations to publicly acknowledge any data breaches to regulators and to inform those affected.
- Asia
In Asia, Japan is leading the way with breach notification requirements that have been in place for several years. Much like in the US, such breaches can generate significant direct and indirect costs for organizations operating there.
As WikiLeaks shows, the “insider threat” is very real
Breach notification cannot be discussed without raising the concern of the “insider threat.” Individuals who are authorized to access and use information are increasingly found at the center of high-profile incidents.
Such misuse of information may be due either to lack of awareness or to malicious intent.
Training and awareness are key to addressing the unintended disclosure of information. Technical controls, such as tools for monitoring information traffic, can be of great help when addressing more malicious cases.
Data loss prevention tools offer help in monitoring information traffic
Data loss prevention (DLP) tools can also help by monitoring unintentional or intentional data leaks from within the organization.
In 2011, we will continue to see the popularity of these tools increase as organizations look for a technical control to limit their breach exposure. However, it takes more than the purchase of a DLP tool to achieve effective monitoring of personal information to prevent loss.
Adopting these tools requires appropriate consideration of the policy that will guide the extent of the tool’s implementation (e.g., to stop a possible leak or just report it for a later investigation) as well as cross-functional leadership support and the necessary staffing to implement it.
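To make the block-versus-report policy choice concrete, here is an added illustration (not from the original report or any DLP product) of a minimal outbound-content check: it scans a message for personal information using constructed, illustrative patterns for payment card numbers (validated with the Luhn checksum to cut false positives) and e-mail addresses, then either blocks the message or only records a finding for later investigation, depending on the configured mode. The pattern set, the `inspect` function and the `Verdict` type are hypothetical names chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Literal

# Policy mode, mirroring the report's two options: stop the leak, or log it.
Mode = Literal["block", "report"]

# Constructed detectors for illustration only; a real deployment would tune these.
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Verdict:
    action: str                     # "allow", "block" or "report"
    findings: list = field(default_factory=list)


def inspect(message: str, mode: Mode) -> Verdict:
    """Scan one outbound message and apply the configured DLP policy mode."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(message):
            value = match.group(0).strip()
            if name == "credit_card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue            # digits that fail Luhn are not treated as a card
            findings.append((name, value))
    if not findings:
        return Verdict("allow")
    # In "block" mode the message is stopped; in "report" mode it passes but is logged.
    return Verdict(mode, findings)


if __name__ == "__main__":
    sample = "Please process card 4111 1111 1111 1111 for alice@example.com"  # constructed
    print(inspect(sample, "block"))
    print(inspect(sample, "report"))
```

The same findings are produced in both modes; only the resulting action differs, which is exactly the policy decision the report says must be settled before the tool is rolled out.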
Three ways to stay on top of breach notification
- Develop and implement an incident response plan for handling breaches of personal information.
- Identify the relevant breach notification requirements in your industry and jurisdiction(s) of operation.
- Look into the adoption of a DLP tool or using DLP services to monitor your organization’s network for possible loss of personal information.