As the security landscape continues to change – especially with fallout from Heartbleed still raining down upon businesses from coast to coast – your best first step in protecting yourself and your clients from damage is awareness. By that, I mean if you’re aware of a breach you can respond and at least make a plan. As with any disaster planning, communication is key if you want to protect the castle and your clientele.
But that’s where problems arise. You see, in an effort to protect businesses all across this great land of ours, the U.S. Government has made some information less accessible unless you know how to search and what rights you have. There are actually nine exemptions in the Freedom of Information Act that keep us safe, but also make it tougher to notify people in the event of a data catastrophe.
Essentially, it’s an ironic double-edged sword: organizations are required to alert their clients, customers and partners in the case of a data breach, but can’t access the information necessary to do so. For instance, if customers at Target opted out of marketing from Target, what rules did Target have to follow in reaching out to them? Was there liability if Target overstepped and phoned people to tell them of the security breach?
It might seem like common sense, but these days we’re all so sensitive about giving out our contact info and addresses that legislation has been written to ‘protect’ people from businesses.
Ultimately, the best way to prepare is to know the laws and what you’re required to do if your systems get hacked. Other than that, time will tell if new measures and methods for notification are approved and put into place.
“Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches of information involving personally identifiable information.”
See more laws about security breach notifications and check whether your state is on the list.
How do you plan to respond if Heartbleed or another event makes client data available to prying eyes?