For Whom the Data Breach Notice Tolls
added: 03.13.2014, by Mike Spinney
I want to return to our perusal of the Online Trust Alliance’s 2014 Data Protection & Breach Readiness Guide to take a look at what the OTA calls a Data Incident Plan (DIP), “a playbook that describes breach fundamentals that can be deployed at a moment’s notice.” Elsewhere—such as Massachusetts’ data protection regulation 201 CMR 17—this plan may be known as a Written Information Security Plan (WISP).
One thing the OTA makes clear from the outset while describing the elements of their DIP is that a data breach incident involves much more than consumer financial data (as in the recent incident at Target Corp.); it is one that involves:
- Consumer and Partner Data
- Intellectual Property
- Brand Reputation
- Regulatory Compliance
- Stockholder Impact
- Business Continuity
An incident response plan should be triggered by any event that compromises an organization’s data or IT systems, and describe conditions for appropriate response and escalation, which the OTA guide goes on to outline.
I want to take a closer look at some information on page 11 of the guide that deals with employee access to information, as this is an area where many companies fall short in their efforts to protect sensitive information. The human element is often the weakest link in an organization’s security chain, and because there are so many ways for employees to maliciously or accidentally compromise data, the daunting task of closing holes and tightening access can compound the problem.
The OTA guide lists a number of areas to address, such as email, portable storage media, partner due diligence, device management, access validation and rights revocation.
Also included on that list is digital rights management (DRM), which may be regarded as problematic for some organizations, particularly large ones with a highly distributed workforce or those that rely on third party partners, contract employees or virtual teaming. In such environments sharing information and documents is a necessary part of getting the job done, so anything that makes document sharing even slightly more difficult can be considered an impediment to productivity. (I addressed the role of PDF protection in DRM in a recent Slideshare presentation.)
John Donne told us that No Man is an Island. That idea applies to companies as well, for if any clod of data is washed away into the sea, if any confidential document is compromised, all are diminished. We are all involved in data protection, so never send to know for whom the data breach notice tolls.
It tolls for thee.