The process of notifying affected populations in the event of a data breach is complex and littered with potential land mines – handled poorly, the notification can be a black eye for an organization and potentially open them up to regulatory fines or sanctions. Brian Lapidus and his team at Kroll have assembled the following advice for businesses to help them minimize their risk and simplify what has become a very challenging process.
- Keep an eye on the clock. Several states include a specific timeline for notification as part of their breach laws and, generally, the clock begins to tick as soon as the breach is recognized by the affected organization. The healthcare industry is notoriously bound by time requirements. For example, the Centers for Medicare and Medicaid Services (CMS) requires that entities report the breach to CMS as early as one hour, or as late as one week, after breach discovery. As for victim notification, CMS outlines specific notification timelines based on type of incident.
- Recognize the various constituencies for notification. Large-scale breaches affect a diverse cross-section of the population, and special populations require unique considerations. For instance, minors will not be able to use the commoditized credit services that are ubiquitously offered in the wake of a breach, so alternate remedies will need to be provided. Further, certain governmental agencies, such as the state Attorney General’s office, require notification, and some states require breached organizations to notify the national credit repositories.
- Identify the requirements for notification letter contents. This one aspect of notification deserves an entire tome devoted to it. So much is made of the contents of notification letters, the phrasing used, the quality of the apology, etc., but rather than get bogged down in those details, let’s just stick to the basics. There are some items that your organization will be required by law to include in (or leave out of) your notification letter. Your organization may be obligated to comply with notification requirements dictated by state and/or federal laws pertaining to your industry, so be sure to familiarize yourself with both. For example, Massachusetts is known for its stringent notification law, which includes detailed instruction on what can/cannot be included in the letter, and HITECH mandates specific requirements for covered healthcare entities.
- Prepare for the logistical requirements of notification before the letters go out the door. There are certain logistical elements your organization will need to be prepared for regardless of the size of your breach population. For instance, do you have current addresses for everyone in your affected population? Will you require translation services for non-English populations? How will you handle returned mail? Your notification letter will most assuredly include a contact number – are you prepared to handle the volume of calls anticipated, or will a call center engagement be necessary?
- Control your message. Companies that are intent upon retaining loyalty, reputation and share value would do well to ensure that a spokesperson for the organization is identified and that they are equipped with approved messages and a timeline for the distribution of those messages. This is particularly true if the breach is a high-profile one, where staying on message is critical. Information leaks, rumors and multiple channels speaking at once only serve to dilute and distort the organization’s original message and cause anger and frustration among affected individuals. Saying the wrong thing at the wrong time can also have legal ramifications.