The need for effective and timely management of privacy events and incidents remains a critical issue for all organizations. Potential compromises occur frequently, even in the best-run organizations.
In the US, the need for effective incident management is made increasingly important by breach notification requirements that apply more broadly. It used to be that an incident resulted in notification if sensitive identifiers such as Social Security numbers or bank account information were lost or stolen.
With the HITECH Act, breach notification is triggered more readily, when protected health information, a far broader category of information, is potentially exposed.
In Europe, the regulatory changes will directly affect the telecommunications industry, but in France, for example, broader regulations affecting all industries are finding more solid ground, and a regime of more general breach notification requirements is being put in place.
Data protection authorities in general are arguing for voluntary notification in the absence of strict rules. Organizations should plan their approaches to incident management carefully, even when the rules in some jurisdictions have not been precisely stated.
Incident management processes now require a greater level of sophistication in organizations not only to assess what information was potentially exposed, but also, in the case of protected health information, to assess the likely impact on individuals. Therefore, formal, effective and repeatable processes to determine the nature of an event and the steps to take in response are essential.
Training of staff is critical as well, so that they know what might constitute an “incident” or “event” that warrants the attention of management. In other cases, inappropriate reactions to events may open the organization up to more damage than is warranted by a situation. Deliberate processes managed by cognizant executives are a must.
Ask yourself
In establishing your organization’s incident preparedness, have you:
- Established a process to manage incidents and events involving personal information and to address applicable regulations?
- Addressed risks to information by implementing effective procedures and controls to prevent incidents from happening?