July 11, 2012
By Milton L. Petersen, published on July 11, 2012, in Business in Savannah.
As more and more personal information becomes available online, data security breaches and identity theft are becoming more frequent.
Nearly every organization stores some type of personal or individually-identifiable information electronically, whether on its employees, customers, members, constituents or other individuals. In addition, nearly every state in the U.S., including Georgia and South Carolina, has a statute regarding unauthorized access to personal information. Some federal laws and regulations regarding personal information also apply to specific industries.
Data security breaches can result in damage to your organization’s reputation and business, as well as significant direct and indirect costs. One of the best ways to prepare for a data security breach is to employ sound data security measures and practices to help prevent a security breach from occurring. Just as importantly, creating an incident response plan before a breach occurs can help your organization calmly and thoughtfully consider and address potential issues and risks without the pressure and trauma often associated with a security breach.
In creating an incident response plan, first assess your organization’s potential risks. It’s important to determine what personal information your organization stores and whether that information is encrypted (both in transit and at rest) or could be encrypted. Many security breach notification laws do not apply to encrypted information.
Which states’ laws your organization will need to comply with can be determined by understanding which states’ residents you collect and store information about. It’s also critical to determine whether any industry-specific laws or regulations apply to your organization, such as HIPAA regulations and the HITECH Act for healthcare organizations and the Gramm-Leach-Bliley Act for financial institutions. If your organization does business internationally, additional laws may apply.
As a wide variety of knowledge and skills will be needed in responding to a data security breach, your incident response plan should specify who the members of your incident response team will be. This list should include representatives from key business departments, IT department leaders and staff, communications personnel and legal counsel. External consultants, like electronic forensics experts or a public relations firm, may also need to be involved. Identifying competent prospective team members in advance can save valuable time after a security breach occurs.
An incident response plan should map out what steps may need to be taken, and the expected timeframes in which those steps will need to be completed, if a security breach occurs. Necessary steps will include evaluating the nature and extent of the breach, potentially involving and working with law enforcement personnel, notifying relevant authorities and affected individuals, mitigating the effects of the breach, identifying and implementing any appropriate corrective or preventative actions, and reviewing the effectiveness of your response.
While perhaps not quite as certain as death and taxes, data security breaches are nonetheless something for which every organization should be prepared. Besides the potential costs, the reputational damage suffered by an organization as a result of a data security breach can be dramatic. Carefully developing an incident response plan in advance can help your organization avoid, reduce and mitigate these costs and damages, should a security breach occur.
_______________________
Milton L. Petersen is a partner with HunterMaclean’s Information Technology Practice Group. He can be reached at 912-238-2629 or mpetersen@huntermaclean.com.