The third article in my March e-journal issue of “IT Compliance in Realtime” is “What Business Leaders Need to Know About Privacy Breach Notifications.”
Here it is, unformatted:
There will come the inevitable day when your organization will need to make a privacy breach notice. Will you be prepared and know what to do when this day comes?
How to Give Notice
As applicable, you will need to notify impacted individuals in a number of ways. Possibilities include a combination of the following:
- Written notice
- Telephone notice
- Conspicuous posting of the notice on your Internet Web site
- “Substitute notice” as defined by the at least 40 U.S. breach notice laws (including the District of Columbia) that are applicable to your organization
Providing notification using the first three of these methods (written notice, telephone notice, and Internet Web site notice) is a good idea. You should not depend upon using just one type of notification; you would likely miss many people whose addresses or telephone numbers are no longer what you have on file or who may not use the Internet.
The “Department of Commerce Data Breach Notification Response Plan” is available at http://ocio.os.doc.gov/s/groups/public/@doc/@os/@ocio/@oitpp/documents/content/prod01_004786.pdf.
Some Things to Know About Making Substitute Notice
Some organizations have chosen to give substitute notice instead of the required primary notifications without realizing that the choice was not theirs to make. Substitute notification is typically not an either/or option: you must know the specific notification requirements within each breach notice law that applies where the impacted individuals live. For example, California (CA) SB1386 indicates that substitute notice can only be made if:
- The cost of notice exceeds $250,000
- The number of individuals to be notified exceeds 500,000
- You do not have sufficient contact information for the individuals
The substitute notice options for CA SB1386 include:
- Notice by electronic mail when you have an email address for affected individuals AND when you have their consent to be notified in this manner, and/or
- Notification to major state-wide and/or nation-wide media
It is typically more efficient, and most public relations friendly, to comply with the most stringent of all the applicable laws.
Notification Communications Content
Communications to individuals notifying them that your organization experienced an information security incident that may have resulted in a possible compromise of their personally identifiable information (PII) should be written in a way that the typical consumer can understand. Avoid using legal jargon. Write it simply, in straightforward and plain English or whatever language is applicable.
Do not use legal phrases, such as “alleged violations,” “freezing assets,” “deliberate concealment,” and so on, that are commonly used by lawyers but rarely by the typical consumer. I have actually seen phrases such as these within notification communications. Using legal phrases just confuses most recipients and makes them think the organization is trying to put something over on them.
And don’t try to pin the blame for the breach elsewhere; this comes across as completely disingenuous. Numerous studies show that individuals who are victims of privacy breaches appreciate communications from organizations that indicate the organization takes responsibility for the breach and provides useful information to help the individuals deal with it.
Do NOT use a breach notification letter as a marketing opportunity! The impacted individuals will quickly see this as the opportunistic action that it is.
Be sure to include information that describes the details of the privacy breach. You should list the types of PII that were breached but of course do NOT include actual Social Security numbers, credit card numbers, or other actual PII; you don’t want to have another breach occur through your breach notification letter!
Explain at a high level what happened but do not provide details about the breach that could jeopardize the investigation or potential prosecution. For example, you can indicate that an employee had a laptop containing PII stolen from his or her home but do not provide the employee’s name or home address.
Include a high-level description of the actions your organization is taking in response to the breach along with what you are doing to help the impacted individuals. It is also a very good idea when a comparatively large breach occurs to establish a call center with well-trained staff available to answer questions about the breach.
Be sure your public relations and legal counsel review all communications prior to sending them!
Here is a high-level outline of the information that you should include within your breach notification communication to individuals:
- Name of the individual whose information was the subject of the security breach
- Name of the organization where the breach occurred
- A description of the types of sensitive personal information of the individual that were the subject of the breach of security
- The specific dates on which the breach of the individual’s PII occurred and on which it was discovered
- The toll-free numbers the individuals may want to contact
What to Do for Impacted Individuals
It should be a no-brainer for organizations to provide the impacted individuals with information about the steps they can take to protect themselves from becoming victims of identity theft as a result of the breach. It is becoming more and more common, and on the verge of being expected by the public, for organizations to provide certain types of services to impacted individuals. Although laws do not require these, most people expect them; thus, they are smart actions to take.
Some of the actions organizations are increasingly providing to impacted individuals include:
- Credit Monitoring–When sensitive PII (such as Social Security numbers, credit card numbers, or other types of PII that can be used to commit identity theft) is compromised, organizations are increasingly providing one, and often even two, years of free credit monitoring services to the impacted individuals.
- Credit Reports–Organizations should always inform the impacted individuals within the U.S. that the U.S. law entitles them to one free annual credit report from each of the three national credit reporting agencies: Equifax, Experian, and Trans Union.
- Fraud Alerts–Organizations should suggest within their communications that the impacted individuals place a fraud alert on their credit files. This will not cost the individuals anything, and they can catch criminal use of their credit cards almost as soon as it occurs, if the purchases are outside of what is normal or expected for them. The downside is that the individuals may get their legitimate credit cards declined whenever the fraud alert is on, so you need to warn individuals about this possibility.
- Contact Law Enforcement–Urge the impacted individuals to call their local police or sheriff, or even the FBI, if they discover suspicious activity on their credit reports. Additionally, suggest to the impacted individuals that they should also consider contacting their applicable Department of Motor Vehicles (DMV) fraud hotline to place a fraud alert on their driver’s license when they see suspicious activities.
The three credit bureaus have set up one central Web site at https://www.annualcreditreport.com/crea/index.jsp.
Be Careful Using Email Notifications!
Email-only breach notification is a bad idea for many reasons:
- It is highly likely in today’s spam-heavy environment that many, if not most, recipients will view such email notifications as spam and never read them, or their spam filters will delete them before they ever get to the inbox.
- It is highly likely in today’s phish-abundant electronic waters that many, if not most, recipients will view such email notifications as phishing attempts without even reading them and will delete them.
- It is highly likely that a large percentage of customers within a large group of impacted individuals will either no longer use the email address the company has on file for them or they may not check that email regularly, if at all.
- Email is not a reliable form of communication. Just because you send an email, even to a valid email address, does not guarantee it will ever reach its recipient; businesses should not make the faulty assumption that just because you send an email it will be delivered.
- If the email is sent to a “family” or shared type of email address, it is very possible the person who would recognize the importance of the information may never get the message before it is deleted by someone else who may have seen it first.
- Only sending an email shows disregard for the customer and appears to just be a token action being done in a sorry attempt to appease regulators.
NIST SP800-61, the NIST Computer Security Incident Response Handling Guide, contains a very nice diagram on pages 2 to 4 that demonstrates some of the many different types of organizations and parties that may need to be notified when a security incident and privacy breach occurs. Find it at http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf.
Breach Notification Timeframe
Most state notification laws require notification to affected individuals within “the most expedient time possible and without unreasonable delay.” Some states, such as Ohio, Florida and Wisconsin, require notification within 45 days of discovering the breach. However, some states have a shorter notification timeframe. For example, Florida also requires that businesses that license data notify within 10 days of the incident.
As a general rule of thumb, organizations should make notifications:
- As quickly as possible
- No later than 45 days after the date on which the breach of security was discovered
- Consistent with measures necessary to determine the scope of the breach and restore the security and integrity of the data system, if a system was compromised
- As appropriate to address law enforcement and homeland security related delays
Press Information
It is important to think ahead and know the information you are going to release to the press about an information security and privacy breach. The basic information you should provide includes:
- The individuals who are affected and not affected
- The specific types of PII involved in the breach
- A brief description of the breach including high-level details
- Expression of regret and concrete steps the institution is taking to prevent this from happening again
- The steps the impacted individuals should take
- Who to contact for more information
- Next steps for the breach response activities
You want to ensure that you provide enough information to answer basic questions the press and the impacted individuals have about the incident, but you also want to ensure that you do not release information that could jeopardize any legal actions your organization may decide to take.
You also want to ensure you do not use statements that will come across as condescending, flippant, or disingenuous. Watch out if you are thinking about using “No evidence to indicate data has been misused…” types of statements; they usually make the organization seem disingenuous or trying to play down the incident. Be humble. And don’t push the blame onto someone else if the incident was a result of someone within your organization or a weakness in your organization’s systems or procedures.
Don’t forget to provide information for how the press and the impacted individuals can get more information on an ongoing basis.
Website Incident Information
If the breach is significant, it is usually a good idea to put up a Web site that provides information about the breach. This will help to cut down on calls directly into your organization. Plus, it shows a goodwill effort on the part of your organization.
Here are some tips for what to put on your Web site page dedicated to the privacy breach:
- Put a “Most Recent Update About The Breach” section at the top of the Web page
- Provide a copy of the notification letter, with appropriate components modified for the generic audience
- Provide a link to the FTC’s Identity Theft Web site, credit agencies, and other sites useful to those impacted by the breach or interested in knowing more about the breach
- Provide a frequently asked questions (FAQ) document about the breach
- Provide toll-free hotline contact information for your organization
On August 1, 2007, the Privacy Commissioner of Canada, Jennifer Stoddart, released guidelines to help organizations respond to breaches, which include how to make notifications. You can find these guidelines at http://www.privcom.gc.ca/information/guide/2007/gl_070801_02_e.asp.
Create Your Notification Communications Carefully
It is likely that many organizations (in addition to the impacted individuals) will be closely reviewing your notification communications. A few of these include:
- Regulatory oversight agencies, such as the FTC and the FDIC in the U.S. and the Canadian provincial privacy commissioners
- Lawyers representing impacted individuals
- Privacy advocacy groups
- News media
- Competitors
Organizations need to be sure their communications come across as sincere, truthful, and sympathetic to those impacted while also providing meaningful information for the impacted individuals.
Have thoughts or feedback about this article? Please let me know!
Also, please let me know if there are other topics you would like to see me write about.