By Rebecca Herold
An important consideration in any information security incident is determining whether personally identifiable information (PII) is involved. If it is, the privacy breach response team needs to be activated to determine whether an actual privacy breach occurred.
Answering the question "Has a privacy breach actually occurred?" is not as easy as the simple question makes it seem. The definitions of a privacy breach vary greatly among the at least 48 U.S. state and territory breach notice laws, in addition to the federal laws that require privacy breach response activities.
I love talking with practitioners about their information security incident and privacy breach response plans and practices. I'm always interested in hearing the challenges and unique situations they run across, not only as they create their plans, but also as they execute them.
I often find that companies run across situations that they had not considered when they created their plans, but then have to deal with in real life. These seemingly unique situations often turn out to be not so unique after all when they find many other companies are also addressing the same issues.
Here are three such situations, often overlooked and not planned for, but experienced by organizations.
Electronic Messages Accidentally Going to the Wrong Internal Recipient
I've spoken with at least a couple dozen information security practitioners who have had someone on the internal corporate network accidentally send email messages containing PII to another person within the organization who was not authorized to see that PII.
In one of the situations an organization described to me, an employee in the accounting department meant to send an email with a question, including an abundance of PII such as SSNs and medical information, about a group of employees to the corporate lawyer, but accidentally sent it to an IT employee with a similar name.
She realized the error when the IT employee called and asked if she really meant to send the email to a different employee. Embarrassed, she said yes, asked the recipient to delete the email immediately, and then, following the documented corporate breach response plans, she notified the information security department.
So, is this a privacy breach? It is a great question and a good situation to discuss and debate. Certainly this is a recommended discussion among the information security, privacy and legal offices.
For each organization to determine the answer that best applies to it, consider the following questions:
- What breach response laws apply to your organization?
- Do the laws specifically address this issue? Do the definitions of a breach cover this situation?
- Did the errant recipient actually open the message? Do you have mail server or client logs that can verify this?
- Have you interviewed the person who received the message to determine whether he or she read it?
- Based upon that discussion, and any other issues related to the individual's work history, do you have any reason to believe the recipient would misuse the information?