Eye on Privacy: Preparing for a Data Breach: Do You Have a Plan?
Since the first of the year, Privacy Rights Clearinghouse has logged over 300 breaches involving over 23 million sensitive records. Not every data breach is the result of a malicious act—either from an external hacker or internal fraudulent activity. Many breaches are the result of human error—lost or stolen devices, poor document or device destruction procedures or simply unintended disclosure.
What this means is the size of your company won't protect you from a data breach. Your company may not be large enough to attract hackers such as Anonymous or LulzSec, but every company is capable of human error.
Ponemon Institute's most recent "U.S. Cost of a Data Breach Report" (March 2011) estimates the average cost of a data breach to be more than $7 million. This cost doesn't include loss of customers or reputational impact. With so much at stake, you want to make sure you are doing everything you can to mitigate your risk.
So, do you have a plan? If you do, that's great. If you don't, here are eight ideas to help you get started.
• Appoint someone to be in charge of your plan. This person should have the knowledge and authority to facilitate system and procedural changes and to create communication and notification plans.
• Assess your ability to monitor and comply with existing state breach notification laws. All but four U.S. states have such laws. You can find a list here. They differ on what constitutes a breach and on the notification requirements. In addition, several federal bills pending in the House and Senate will, if passed, impact your plan. If your data goes beyond U.S. borders, you will need to expand your plan to include the laws of every country you cover. If you are not confident that you have a firm grasp of these laws, identify a service now that you can call if needed.