preparing appropriate notification language and other communications. The business should also be ready to respond to potential media inquiries. A public relations firm that has experience in handling data security breach incidents might also be engaged. Media notification may be required under HIPAA. Even if the data breach is handled with minimal legal risk, the mere reporting of such a breach by the media can be damaging to a business’s reputation. A good communications plan is an important step in reassuring consumers about containment of the breach and security going forward. How will all of this be communicated to individual consumers and the public?

Who Is Notified?

Depending upon the nature of the security incident and data breach, and the applicable federal, state, or international law, the business may need to notify individuals, regulators, credit reporting agencies, state attorneys general, the media, or law enforcement. The business may also have a contractual obligation to report or notify another party or its insurance carrier of a security incident or data breach. A material data security breach may also need to be reported in SEC documents. In some cases, however, the incident may not need to be reported at all. It is critical that knowledgeable privacy professionals be engaged early in the initial determination of whether a breach has occurred and whether a legal notification obligation is triggered by any laws.

Mitigating Risk By Contract

Commercial agreements frequently contain provisions that cover data privacy issues, including data ownership, rights to use data, restrictions on use, limitations of liability, and indemnities. Specific language may be required in agreements to comply with HIPAA, GLBA, or other federal and state laws. If personal information or PII is involved, the contract should cover the relevant issues regarding the collection, use, and sharing of such information. If personal information of residents outside of the United States is involved, the agreement may need to comply with the GDPR and other international laws regarding the cross-border transfer of data. Do Model Contracts or Binding Corporate Rules apply? Is the vendor used to perform data processing compliant with international laws?