Data Breach Response Plans Should be Developed Now.
In my previous post, “Data Privacy Brech Protection Laws Heat Map,” I highlighted the myriad US state regulations that govern what you need to do to comply in the event that your company experiences a data privacy breach. What would you do if this happens? The time to decide is before it happens.
With federal enforcement, noncompliance could have serious ramifications, and the FTC is known for not shying away from levying penalties whenever it considers them appropriate.
Data Security Needs a Response Plan, Before a Response Plan is Needed
What does this mean for you? You need an incident response plan in place, in case something goes awry, and should establish controls to do everything reasonably possible to avoid such a breach.
That would include securing those servers and databases that hold regulated information, for sure. And, such a tremendous amount of corporate data live on endpoints, do what you can to ensure those data are protected, too.
Encryption Is a Foundation
Encrypt hard drives and mobile storage devices. Having data encrypted at the time of the breach means, under most of these laws, (because the data is unreadable) that loss or theft of a device doesn’t require reporting. Also, keep security awareness campaigns active so workers stay alert to the risks. Avoidable and simple mistakes lead to way too many data breaches today.
By taking a few pragmatic precautions, the majority of risks can be greatly mitigated. So the next time an employee loses a notebook or a USB device that held protected data, if it’s been properly encrypted, it won’t matter to you if there are 50 separate state data breach notification laws, or a single federal one: you’ll have essentially endured a non-event.
Comments? Email firstname.lastname@example.org