Posted by: SAS70ExPERT
Auditing, Compliance, Data Security, Risk management, SAS 70, Security, Third-party services
When a data breach occurs, what are you required to do? You have heard that you must send the notifications required by federal and state laws when a data breach occurs. Are these myths, truths or dares? You need to know the difference between the myths and the facts. For instance:
Myth 1 – When you lose critical financial or personal data, you must notify everyone and their mother. I call “Shenanigans!” Only if certain conditions are met do 45 of the State laws require that you notify the consumer or credit card holder. If the conditions are not met, then the notification laws are less strict. For example, if the data is not considered critical, the data is encrypted, or the data is not accessible, then you may not have to report it.
Myth 2 – You must comply only with the law of the state where the data breach occurred. I call “double Shenanigans!” You must take many factors into account when determining which law applies to the disaster. First, consider the state in which your Company is incorporated; then, the state of residence of the individuals whose information was lost.
Myth 3 – Your Company meets California requirements, and their standards are higher than those of all other states, so you must be in compliance. This is just “completely Shenanigans!” Even though California was the first, there have been several states which have used California as a baseline and made improvements and added requirements. For example, Ohio, Georgia, and Texas have enacted stringent laws related to data privacy and require detailed notification and follow-up.
Make sure you have an attorney handy and that your plan is detailed enough that you can start a plan of action and begin the communication process when a data breach occurs. Get a plan in place and, if required, you will be ready for a SAS 70 audit and a data breach catastrophe.