The head of IT calls the CEO at home at 2 in the morning. A breach has taken place in the company’s intranet, and the financial records and employee HR files have all been downloaded.
In a prepared business, the first thing the CEO will do is consult the Data Breach Policy to make sure all the right people, and only the right people, are alerted. The Data Breach Policy will tell her that there are two calls to make outside the company at that point: the security audit company that the business already has on retainer, and the data protection lawyer.
While the security auditors trace the breach and track down the hacker, the lawyer will determine what notifications need to be made to individuals whose information was stolen, and when. Every state’s laws are different, a special challenge in an already stressful situation, but the company’s Data Breach Policy tells them exactly how to track down all the needed information as quickly as possible. It also protects them from a lot of extra liability in states like Florida.
Fortunately, the company heeded the advice of their counsel when setting up the intranet last year and encrypted all of the employee records. This cuts down the number of notifications that have to go out by about 90%, which cuts down on the legal fees by about 90%, which makes the Board happy, which gets the CEO a nice bonus.
We’re here to help in a crisis. Better yet, we can be there on the front end to make sure the crisis is a lot less painful.
Planning and Drafting a Data Breach Policy for an HR Company
Preparing audit questions for an industry association reviewing their data security policies
Advising a client on 50-state survey of data breach notification laws