Avoiding Breach Notification Blunders
What Can Be Learned From Hospice’s Mailing Mishap That Triggered ‘Corrective’ Notification?
… Tom Walsh, president of tw-Security, notes that “extreme caution” must be taken when an entity communicates about a breach to those whose data was exposed. “You cannot un-ring a bell,” he says.
Many organizations devote far more effort to the content of the notification letter than to the delivery of the message, he notes.
“For example, a privacy officer will draft the notification letter and run it by legal counsel,” he says. “The mailing of the notifications may be outsourced, so there may not be a formal review of a test batch of letters prior to sending all of the letters.”
… Susan Lucci, senior privacy and security consultant at tw-Security, notes that organizations, such as Aetna, that rely on vendors to help with breach notifications must be mindful of their partners’ practices.
“Oversight and careful management of a vendor to alert them to the differences in projects is essential to ensure missteps are not made,” she says. “The philosophy of ongoing, regular communication and maintaining a close working relationship with business associates is essential.”
Business associates essentially are an extension of the workforce of an organization, Lucci notes. “That means the same level of education, reminders, and alerts to changes in cybersecurity risks should be shared regularly with business associates if security incidents and breaches are to be avoided.”