All businesses, however, should have adequate safeguards and security systems in place to protect personal data in their possession and a process to systematically handle any data breaches that might arise. Frequent and targeted compliance audits provide a way for a business to continually assess weaknesses and measure improvements in data privacy policies, procedures and security. These audits should be conducted at all levels. The key to success is to have involvement from the CEO down to the receptionist when assessing how a company collects and uses personal information and the data it is obligated to maintain for its customers and employees.

Security Incident and Data Breach Plan

Every business should prepare for a potential data breach by creating and implementing a company-wide data breach plan. Not every security incident is a data breach. This distinction is important because the response to a data breach requires a different set of considerations than the response to a security incident. In the event of a security incident or data breach, a business should pursue the following simultaneous lines of inquiry:

• Detail the chain of events, including an initial determination as to whether an unauthorized disclosure or breach occurred. Note that not every unauthorized disclosure of data constitutes a breach and triggers compliance with notification and other legal obligations.
• What data was obtained?
• Was the data encrypted?
• Has the unauthorized disclosure been terminated, or is it ongoing? If it is ongoing, how can it be stopped?
• Identify the states where the individuals affected by any breach reside.