Ten Things ...
(Continued from page 43)
plan that addresses the inherent gaps in BYOD while giving the mobile worker or user
simple, secure, swift access to enterprise apps and resources is the challenge. The starting
place is a robust security strategy that accounts for multiple devices per user, which can
translate to hundreds or even thousands of personal devices requesting access to your
Wi-Fi network daily. Each of those unmanaged devices is a potential gap in your security.
Policies need to keep pace with the ever-changing technology landscape and defend
against evolving threats.
During the Breach
Discovering a breach is disconcerting. The reflexive response is to move with urgency to
report the situation to stakeholders. However, notification before appropriate analysis
can be costly and produce needless worry, not to mention invite the unwanted attention
of regulators. Collect the facts and exercise judgment to respond proportionately to the
potential risks to those who may be affected, but do so promptly: breach notification laws
set deadlines that begin running at discovery, so analysis must not become delay.
5. Determine the nature and severity of a breach.
Engaging a consultant to analyze the incident can help identify the types of data that
were compromised, how the breach occurred, how many people were affected and many
other variables. Document this due diligence; the record can support your defense in a
potential investigation or litigation.
6. Analyze the facts.
Refer back to your assessment process, evaluate the incident against the “harm
threshold” and record your conclusions. An experienced consultant can help you
understand how “risk of harm” is determined. Both state and federal laws address
data breach notification, and an expert is best equipped to steer you through the
process properly.
7. If it’s a notifiable breach, your response must address the needs of those affected.
Your breach response should hinge on two variables: the level of risk to affected
individuals and the sensitivity of the personal information disclosed. Breaches that expose
personal medical data and insurance information may compel you to offer the individuals
affected remedies that address potential fraud and identity theft.
After a Data Breach
The shockwaves following a data breach are not always immediately apparent. Follow up
to confirm that your response succeeded and to thwart future incidents. Demonstrating
your continuing commitment to the security of your organization’s data also puts you on
sound footing if you are ever the subject of a regulatory investigation.
8. Monitor the affected individuals’ status.
In the case of a breach, not every individual whose record was exposed will be victimized
by identity thieves. However, keeping track of their cases and ensuing outcomes can help
you determine whether to offer identity theft services to victims of medical identity theft,
rather than simple credit monitoring, which watches credit reports and will not surface
fraudulent claims or treatment filed under a victim’s insurance.
(See Ten Things on page 46)
leadingageny.org 44